RE: To Chain, or Not To Chain?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 08:57:04 -0600

Hi Tim,
Yes, I think. At least that's how I've interpreted them. Also, I think
these articles refer to scenarios that are a bit different than what
we're thinking of, and apply to large orgs that use the ISA firewall as
Proxy 4.0, instead of ISA 2004, and not in a back to back firewall
configuration. In that case, the name resolution issues are quite a bit
different than those we're working with in your back to back ISA
firewall scenario.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Sunday, December 04, 2005 3:34 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
> 
> http://www.ISAserver.org
> 
> Yes, I agree about the terminology... So, just to be sure, both of these
> articles regard the "downstream" ISA box.  That would be the "edge,"
> "external," "front-end" ISA box that is Internet facing, right??
> 
> [Internal Net] -> [Back-End ISA] -> [DMZ] -> [Front-End ISA] -> [Internet]
> 
> These articles are for what is listed as [Front-End ISA] above, correct?
> 
> Which means, if I chain the [Back-End ISA] to the [Front-End ISA], and then
> use the script to disable name resolution as described in the 2nd link you
> provided, the hotfix referenced in the first link is not necessary, right???
> 
> t
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, December 04, 2005 12:17 PM
> Subject: [isalist] RE: To Chain, or Not To Chain?
> 
> 
> 
> You use a local account on the front-end ISA firewall, and have the
> back-end ISA firewall use the local account to authenticate.
> 
> So, no Active Directory access is required.
> 
> Actually, if your DNS is well-designed (i.e., your internal DNS server
> can resolve Internet host names), you can allow the back-end to resolve
> names and you won't have problems. Check out
> http://support.microsoft.com/default.aspx?scid=kb;en-us;292018 for more
> info.
> 
> I don't see any reason to have the front-end perform name resolution,
> since the access controls are being done on the back-end. Check out
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx
> 
> The problem I have is with the terminology. Downstream and upstream are
> good when talking about rivers and streams, where the "flow" is
> unidirectional. But it is a bit confusing with network connections, which
> are bidirectional :)
> 
> 
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Sunday, December 04, 2005 1:47 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> >
> > OK- I'm a bit confused-- probably because I haven't had any Jaeger yet.
> >
> > Regarding authentication, how can the front-end server authenticate?  The
> > front end would have to have access to AD, which you would never do through
> > the DMZ - that'd be nuts...  Or is that just an example of where chaining in
> > and of itself serves a purpose?  I'm thinking to just keep the internal
> > back-end guy thinking the DMZ is the internet as I did before.
> >
> > Regarding the "config the back end not to perform name resolution," how do I
> > do that?  That's a new one on me.
> >
> > t
> >
> >
> >
> > ----- Original Message ----- 
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Sunday, December 04, 2005 9:42 AM
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> >
> > >
> > > Er - I think you mean "configure only the front-end firewall to perform
> > > name resolution"?
> > > If the back-end does name resolution, this will slow your ISA
> > > considerably.
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Sunday, December 04, 2005 8:55 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: To Chain, or Not To Chain?
> > >
> > >
> > > If you chain, you can authenticate. Otherwise, you use only IP address
> > > based access control.
> > >
> > > Configure only the back-end ISA firewall to perform name resolution.
> > >
> > > Don't enable caching on the front-end ISA firewall.
> > >
> > > Now you might say "hey Tom, why not just do Firewall chaining if all you
> > > want is authenticated connections from the back-end" and that would be
> > > an excellent question.
> > >
> > > HTH,
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> Sent: Sunday, December 04, 2005 1:54 AM
> > >> To: [ISAserver.org Discussion List]
> > >> Subject: [isalist] To Chain, or Not To Chain?
> > >>
> > >>
> > >> So, in a back-to-back ISA config, how do you guys configure web access from
> > >> the internal network's border ISA server to the edge network's ISA server?
> > >> Do you tell the internal ISA server to chain to the external ISA server and
> > >> create an allow rule for 8080, or do you just tell the internal ISA that
> > >> it's got a direct connection by pointing the external interface gateway to
> > >> the internal interface of the edge ISA box (with corresponding rules to
> > >> allow the traffic)??
> > >>
> > >> I've done it both ways, and am just digging for more info as to which method
> > >> is better than the other and why.
> > >>
> > >> t
> > >>
> > >> -----
> > >> "And yet, even if one person finds his way... that means
> > >> there is a Way.  Even if I personally fail to reach it."
> > >>
> > >> Mr. Nobusuke Tagomi
> > >> Top Place, Ranking Imperial Trade Mission
> > >> Pacific States of America
> > >>
> > >>
> > >> ------------------------------------------------------
> > >> List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > >> ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > >> ------------------------------------------------------
> > >> Visit TechGenix.com for more information about our other sites:
> > >> http://www.techgenix.com
> > >> ------------------------------------------------------
> > >> You are currently subscribed to this ISAserver.org Discussion
> > >> List as: tshinder@xxxxxxxxxxxxxxxxxx
> > >> To unsubscribe visit
> > >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> Report abuse to listadmin@xxxxxxxxxxxxx
> > >>
> > >>
> > >
> >
> >
> 
> 

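The thread turns on two points: with web proxy chaining the back-end hands the request to the front-end and authenticates with a local (non-AD) account on it, and only one of the two proxies then needs to resolve Internet host names. The following is an added illustration of that protocol-level difference, written for this page; it is not code from the thread, from ISA Server or from Microsoft. The front-end address, the account name and password, the example URL and the use of Basic proxy authentication are all constructed assumptions.

```python
from __future__ import annotations

import base64
import hmac
from urllib.parse import urlsplit

# Constructed placeholders (assumptions, not from the thread): the DMZ-side
# address of the front-end proxy and the local, non-AD account defined on it
# that the back-end uses when chaining.
UPSTREAM_PROXY = ("10.0.1.1", 8080)
LOCAL_ACCOUNTS = {"chain-svc": "correct horse battery staple"}


def build_direct_request(url: str) -> tuple[str, bytes]:
    """Routing instead of chaining: the back-end talks to the origin server
    itself, so it must resolve the host name on its own and sends an
    origin-form request. Returns (host_to_resolve, raw_request)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        "Connection: close\r\n\r\n"
    )
    return parts.hostname, request.encode()


def build_chained_request(url: str, user: str, password: str) -> tuple[tuple[str, int], bytes]:
    """Web proxy chaining: the back-end forwards the request in absolute form
    to the upstream proxy and never resolves the Internet host itself. It
    presents the local account in Proxy-Authorization (Basic, for illustration).
    Returns ((upstream_host, upstream_port), raw_request)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    parts = urlsplit(url)
    request = (
        f"GET {url} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "Connection: close\r\n\r\n"
    )
    return UPSTREAM_PROXY, request.encode()


def upstream_check(raw: bytes, accounts: dict[str, str] = LOCAL_ACCOUNTS) -> tuple[int, str | None]:
    """Front-end side: accept only absolute-form requests carrying valid
    local-account credentials. Returns (status, host_to_resolve):
    400 for an origin-form request (the client did not chain to us),
    407 when credentials are missing or wrong, and 200 together with the
    host name the front-end must now resolve on its own."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    if not parts.scheme or not parts.hostname:
        return 400, None
    auth = headers.get("proxy-authorization", "")
    if not auth.lower().startswith("basic "):
        return 407, None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 407, None
    # Constant-time compare against the local account store; no AD lookup
    # is involved, which is the point Tom makes about chaining credentials.
    if user not in accounts or not hmac.compare_digest(
        accounts[user].encode(), password.encode()
    ):
        return 407, None
    return 200, parts.hostname


if __name__ == "__main__":
    url = "http://www.example.com/index.html?x=1"
    print(build_direct_request(url))
    target, req = build_chained_request(url, "chain-svc", LOCAL_ACCOUNTS["chain-svc"])
    print(target, upstream_check(req))
```

Run as-is, the direct request shows the back-end having to resolve www.example.com itself, while the chained request is addressed to the front-end and is accepted with the local account, after which only the front-end has a name to resolve. A wrong password, an unknown account, or an origin-form request is rejected without ever consulting a directory.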
