Hi Tim,

Yes, I think. At least that's how I've interpreted them. Also, I think these articles refer to scenarios that are a bit different than what we're thinking of, and apply to large orgs that use the ISA firewall as Proxy 4.0, instead of ISA 2004, and not in a back to back firewall configuration. In that case, the name resolution issues are quite a bit different than those we're working with in your back to back ISA firewall scenario.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Sunday, December 04, 2005 3:34 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
> http://www.ISAserver.org
>
> Yes, I agree about the terminology... So, just to be sure, both of these
> articles regard the "downstream" ISA box. That would be the "edge,"
> "external," "front-end" ISA box that is Internet facing, right??
>
> [Internal Net] -> [Back-End ISA] -> [DMZ] -> [Front-End ISA] -> [Internet]
>
> These articles are for what is listed as [Front-End ISA] above, correct?
>
> Which means, if I chain the [Back-End ISA] to the [Front-End ISA], and then
> use the script to disable name resolution as described in the 2nd link you
> provided, the hotfix referenced in the first link is not necessary, right???
>
> t
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, December 04, 2005 12:17 PM
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
>
> http://www.ISAserver.org
>
> You use a local account on the front-end ISA firewall, and have the
> back-end ISA firewall use the local account to authenticate.
>
> So, no Active Directory access is required.
>
> Actually, if your DNS is well-designed (i.e., your internal DNS server
> can resolve Internet host names and you can allow the back-end to resolve
> names) you won't have problems. Check out
> http://support.microsoft.com/default.aspx?scid=kb;en-us;292018 for more
> info.
>
> I don't see any reason to have the front-end perform name resolution,
> since the access controls are being done on the back-end. Check out
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx
>
> The problem I have is with the terminology. Downstream and upstream are
> good when talking about rivers and streams, where the "flow" is
> unidirectional. But it is a bit confusing with network connections, which
> are bidirectional :)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Sunday, December 04, 2005 1:47 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> > http://www.ISAserver.org
> >
> > OK- I'm a bit confused-- probably because I haven't had any Jaeger yet.
> >
> > Regarding authentication, how can the front-end server authenticate? The
> > front end would have to have access to AD, which you would never do through
> > the DMZ - that'd be nuts... Or is that just an example of where chaining in
> > and of itself serves a purpose? I'm thinking to just keep the internal
> > back-end guy thinking the DMZ is the internet as I did before.
> >
> > Regarding the "config the back end not to perform name resolution," how do I
> > do that? That's a new one on me.
> >
> > t
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Sunday, December 04, 2005 9:42 AM
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> > > http://www.ISAserver.org
> > >
> > > Er - I think you mean "configure only the front-end firewall to perform
> > > name resolution"?
> > > If the back-end does name resolution, this will slow your ISA
> > > considerably.
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Sunday, December 04, 2005 8:55 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: To Chain, or Not To Chain?
> > >
> > > http://www.ISAserver.org
> > >
> > > If you chain, you can authenticate. Otherwise, you use only IP address
> > > based access control.
> > >
> > > Configure only the back-end ISA firewall to perform name resolution.
> > >
> > > Don't enable caching on the front-end ISA firewall.
> > >
> > > Now you might say "hey Tom, why not just do Firewall chaining if all you
> > > want is authenticated connections from the back-end" and that would be
> > > an excellent question.
> > >
> > > HTH,
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >> -----Original Message-----
> > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> Sent: Sunday, December 04, 2005 1:54 AM
> > >> To: [ISAserver.org Discussion List]
> > >> Subject: [isalist] To Chain, or Not To Chain?
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> So, in a back-to-back ISA config, how do you guys configure web access from
> > >> the internal network's border ISA server to the edge network's ISA server?
> > >> Do you tell the internal ISA server to chain to the external ISA server and
> > >> create an allow rule for 8080, or do you just tell the internal ISA that
> > >> it's got a direct connection by pointing the external interface gateway to
> > >> the internal interface of the edge ISA box (with corresponding rules to
> > >> allow the traffic)??
> > >>
> > >> I've done it both ways, and am just digging for more info as to which method
> > >> is better than the other and why.
> > >>
> > >> t
> > >>
> > >> -----
> > >> "And yet, even if one person finds his way... that means
> > >> there is a Way. Even if I personally fail to reach it."
> > >>
> > >> Mr. Nobusuke Tagomi
> > >> Top Place, Ranking Imperial Trade Mission
> > >> Pacific States of America
> > >>
> > >> ------------------------------------------------------
> > >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > >> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > >> ------------------------------------------------------
> > >> Visit TechGenix.com for more information about our other sites:
> > >> http://www.techgenix.com
> > >> ------------------------------------------------------
> > >> You are currently subscribed to this ISAserver.org Discussion
> > >> List as: tshinder@xxxxxxxxxxxxxxxxxx
> > >> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > All mail to and from this domain is GFI-scanned.