RE: To Chain, or Not To Chain?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 09:00:10 -0600

Now you tell me. ;P

What did you decide to do?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Sunday, December 04, 2005 4:56 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
> 
> http://www.ISAserver.org
> 
> Never mind.  I've got it all worked out.
> 
> Thanks.
> t
> 
> 
> 
> ----- Original Message ----- 
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, December 04, 2005 2:13 PM
> Subject: [isalist] RE: To Chain, or Not To Chain?
> 
> 
> > Wait- I think I've got it backwards, or Microsoft does, anyway:
> >
> > "A downstream ISA Server server is configured to chain Web proxy requests
> > to the upstream server."  They are calling the edge box "upstream" it
> > looks like.
> >
> > I don't think of it like that... Maybe it's my ego, but I always refer to
> > things going away from me as "down."  My self-perspective is "up."  "I'll
> > be down to see you."  "Yes, I can go down there and get that."  "Don't
> > bring me down."  "Hey baby, let's get down." "I'm down with that."
> >
> > Can I get a witness?
> >
> > t
> >
> >
> > ----- Original Message ----- 
> > From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Sunday, December 04, 2005 1:33 PM
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> >
> >> Yes, I agree about the terminology... So, just to be sure, both of these
> >> articles regard the "downstream" ISA box.  That would be the "edge,"
> >> "external," "front-end" ISA box that is Internet facing, right??
> >>
> >> [Internal Net] -> [Back-End ISA] -> [DMZ] -> [Front-End ISA] -> 
> >> [Internet]
> >>
> >> These articles are for what is listed as [Front-End ISA] above, correct?
> >>
> >> Which means, if I chain the [Back-End ISA] to the [Front-End ISA], and
> >> then use the script to disable name resolution as described in the 2nd
> >> link you provided, the hotfix referenced in the first link is not
> >> necessary, right???
> >>
> >> t
> >>
> >> ----- Original Message ----- 
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Sunday, December 04, 2005 12:17 PM
> >> Subject: [isalist] RE: To Chain, or Not To Chain?
> >>
> >>
> >> You use a local account on the front-end ISA firewall, and have the
> >> back-end ISA firewall use the local account to authenticate.
> >>
> >> So, no Active Directory access is required.
> >>
> >> Actually, if your DNS is well-designed (i.e., your internal DNS server
> >> can resolve Internet host names), you can allow the back-end to resolve
> >> names and you won't have problems. Check out
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;292018 for more
> >> info.
> >>
> >> I don't see any reason to have the front-end perform name resolution,
> >> since the access controls are being done on the back-end. Check out
> >> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx
> >>
> >> The problem I have is with the terminology. Downstream and upstream are
> >> good when talking about rivers and streams, where the "flow" is
> >> unidirectional. But it is a bit confusing with network connections, which
> >> are bidirectional :)
> >>
> >>
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >>
> >>
> >>> -----Original Message-----
> >>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>> Sent: Sunday, December 04, 2005 1:47 PM
> >>> To: [ISAserver.org Discussion List]
> >>> Subject: [isalist] RE: To Chain, or Not To Chain?
> >>>
> >>> OK- I'm a bit confused-- probably because I haven't had any Jaeger yet.
> >>>
> >>> Regarding authentication, how can the front-end server authenticate?  The
> >>> front end would have to have access to AD, which you would never do
> >>> through the DMZ - that'd be nuts...  Or is that just an example of where
> >>> chaining in and of itself serves a purpose?  I'm thinking to just keep
> >>> the internal back-end guy thinking the DMZ is the internet as I did
> >>> before.
> >>>
> >>> Regarding the "config the back end not to perform name resolution," how
> >>> do I do that?  That's a new one on me.
> >>>
> >>> t
> >>>
> >>>
> >>>
> >>> ----- Original Message ----- 
> >>> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> >>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >>> Sent: Sunday, December 04, 2005 9:42 AM
> >>> Subject: [isalist] RE: To Chain, or Not To Chain?
> >>>
> >>>
> >>> > Er - I think you mean "configure only the front-end firewall to perform
> >>> > name resolution"?
> >>> > If the back-end does name resolution, this will slow your ISA
> >>> > considerably.
> >>> >
> >>> > -----Original Message-----
> >>> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> >>> > Sent: Sunday, December 04, 2005 8:55 AM
> >>> > To: [ISAserver.org Discussion List]
> >>> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >>> >
> >>> > If you chain, you can authenticate. Otherwise, you use only IP address
> >>> > based access control.
> >>> >
> >>> > Configure only the back-end ISA firewall to perform name resolution.
> >>> >
> >>> > Don't enable caching on the front-end ISA firewall.
> >>> >
> >>> > Now you might say "hey Tom, why not just do Firewall chaining if all you
> >>> > want is authenticated connections from the back-end" and that would be
> >>> > an excellent question.
> >>> >
> >>> > HTH,
> >>> > Tom
> >>> >
> >>> > Thomas W Shinder, M.D.
> >>> > Site: www.isaserver.org
> >>> > Blog: http://spaces.msn.com/members/drisa/
> >>> > Book: http://tinyurl.com/3xqb7
> >>> > MVP -- ISA Firewalls
> >>> > **Who is John Galt?**
> >>> >
> >>> >
> >>> >
> >>> >> -----Original Message-----
> >>> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>> >> Sent: Sunday, December 04, 2005 1:54 AM
> >>> >> To: [ISAserver.org Discussion List]
> >>> >> Subject: [isalist] To Chain, or Not To Chain?
> >>> >>
> >>> >> So, in a back-to-back ISA config, how do you guys configure web access
> >>> >> from the internal network's border ISA server to the edge network's ISA
> >>> >> server? Do you tell the internal ISA server to chain to the external
> >>> >> ISA server and create an allow rule for 8080, or do you just tell the
> >>> >> internal ISA that it's got a direct connection by pointing the external
> >>> >> interface gateway to the internal interface of the edge ISA box (with
> >>> >> corresponding rules to allow the traffic)??
> >>> >>
> >>> >> I've done it both ways, and am just digging for more info as to which
> >>> >> method is better than the other and why.
> >>> >>
> >>> >> t
> >>> >>
> >>> >> -----
> >>> >> "And yet, even if one person finds his way... that means
> >>> >> there is a Way.  Even if I personally fail to reach it."
> >>> >>
> >>> >> Mr. Nobusuke Tagomi
> >>> >> Top Place, Ranking Imperial Trade Mission
> >>> >> Pacific States of America
> >>> >>
> >>> >>
> >>> >> ------------------------------------------------------
> >>> >> List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >>> >> ISA Server Newsletter:
> >>> http://www.isaserver.org/pages/newsletter.asp
> >>> >> ISA Server FAQ:
> >>> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >>> >> ------------------------------------------------------
> >>> >> Visit TechGenix.com for more information about our other sites:
> >>> >> http://www.techgenix.com
> >>> >> ------------------------------------------------------
> >>> >> You are currently subscribed to this ISAserver.org Discussion
> >>> >> List as: tshinder@xxxxxxxxxxxxxxxxxx
> >>> >> To unsubscribe visit
> >>> >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >>> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >>> >>
> >>> >>
> >>> >
> >>>
> >>>
> >>
> >
> >
> 
> 
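Added illustration, not part of the thread and not ISA Server's own code: a small in-memory model of the two topologies the thread compares, written in plain HTTP/1.1 proxy terms. It shows the authentication point Tom makes (the front-end only needs a local account to authenticate the back-end proxy, so no directory access has to cross the DMZ) and where the work lands when the back-end is chained (the absolute URI is forwarded unchanged with a Proxy-Authorization header and the front-end makes the outbound connection, including the lookup for it) versus routed direct to the edge box (the back-end must resolve Internet names with its own DNS view). Host names, addresses, the account and its password are constructed; ISA's own setting for name resolution during rule evaluation, which the thread debates, is not modeled.

```python
import base64

# Constructed DNS views: the internal resolver only knows internal names,
# while the Internet-facing front-end can resolve public names.
INTERNAL_DNS = {"intranet.corp.example": "10.0.0.5"}
INTERNET_DNS = {"www.example.com": "203.0.113.10"}


def parse_request_line(line):
    """Split a proxy request line ('GET http://host/path HTTP/1.1') into
    (method, host, path).  A proxy forwards the absolute URI as-is, so the
    host name travels with the request and need not be resolved on the way."""
    method, url, _version = line.split(" ", 2)
    if not url.startswith("http://"):
        raise ValueError("proxy request must carry an absolute http:// URI")
    host, _sep, path = url[len("http://"):].partition("/")
    return method, host, "/" + path


class UpstreamProxy:
    """Front-end (Internet-facing) proxy role: checks Proxy-Authorization
    against a local account store (no directory needed) and resolves the
    target name to make the outbound connection."""

    def __init__(self, local_accounts, dns):
        self.local_accounts = local_accounts  # {username: password}, local only
        self.dns = dns
        self.log = []

    def handle(self, request_line, headers):
        auth = headers.get("Proxy-Authorization", "")
        if not auth.startswith("Basic "):
            self.log.append("407 missing credentials")
            return 407, "Proxy-Authorization required"
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        if self.local_accounts.get(user) != password:
            self.log.append(f"407 bad credentials for {user!r}")
            return 407, "bad proxy credentials"
        _method, host, _path = parse_request_line(request_line)
        ip = self.dns.get(host)
        if ip is None:
            self.log.append(f"502 cannot resolve {host}")
            return 502, f"cannot resolve {host}"
        self.log.append(f"200 {host} -> {ip} (resolved here, for {user})")
        return 200, ip


class DownstreamProxy:
    """Back-end proxy role: enforces the per-user access policy first, then
    either chains the request upstream (presenting the upstream's local
    account) or resolves the name itself and goes direct."""

    def __init__(self, policy, dns, upstream=None, upstream_credentials=None):
        self.policy = policy  # {user: set of hosts that user may reach}
        self.dns = dns
        self.upstream = upstream
        self.upstream_credentials = upstream_credentials  # (user, password)
        self.log = []

    def handle(self, request_line, user):
        _method, host, _path = parse_request_line(request_line)
        # Access control is done here, on the back-end, before any forwarding.
        if host not in self.policy.get(user, set()):
            self.log.append(f"403 {user} denied {host}")
            return 403, f"{user} not allowed to reach {host}"
        if self.upstream is not None:
            # Chained: forward the absolute URI unchanged, add the proxy
            # credentials, and leave the outbound lookup to the upstream box.
            token = base64.b64encode(":".join(self.upstream_credentials).encode()).decode()
            headers = {"Proxy-Authorization": "Basic " + token}
            self.log.append(f"chain {host} upstream as {self.upstream_credentials[0]}")
            return self.upstream.handle(request_line, headers)
        # Direct: this box must resolve the name with its own DNS view.
        ip = self.dns.get(host)
        if ip is None:
            self.log.append(f"502 cannot resolve {host}")
            return 502, f"cannot resolve {host}"
        self.log.append(f"200 {host} -> {ip} (resolved here)")
        return 200, ip


def demo():
    """Run both topologies against the same request and report the results."""
    front_end = UpstreamProxy(local_accounts={"isa-chain": "constructed-secret"},
                              dns=INTERNET_DNS)
    policy = {"alice": {"www.example.com"}}  # constructed access policy
    chained = DownstreamProxy(policy, INTERNAL_DNS, upstream=front_end,
                              upstream_credentials=("isa-chain", "constructed-secret"))
    direct = DownstreamProxy(policy, INTERNAL_DNS)  # no upstream, internal DNS only
    req = "GET http://www.example.com/index.html HTTP/1.1"
    return {
        "chained_alice": chained.handle(req, "alice"),
        "chained_bob": chained.handle(req, "bob"),    # denied by back-end policy
        "direct_alice": direct.handle(req, "alice"),  # back-end cannot resolve
        "front_end_log": list(front_end.log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the chained request succeeding with the lookup done on the front-end, the denied user never reaching the front-end at all (its log holds a single entry), and the direct topology failing on the back-end's internal-only DNS view, which is the situation KB 292018 addresses in the thread.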