Now you tell me. ;P

What did you decide to do?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Sunday, December 04, 2005 4:56 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
> http://www.ISAserver.org
>
> Never mind. I've got it all worked out.
>
> Thanks.
> t
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, December 04, 2005 2:13 PM
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
> > http://www.ISAserver.org
> >
> > Wait- I think I've got it backwards, or Microsoft does, anyway:
> >
> > "A downstream ISA Server server is configured to chain Web proxy requests
> > to the upstream server." They are calling the edge box "upstream" it
> > looks like.
> >
> > I don't think of it like that... Maybe it's my ego, but I always refer to
> > things going away from me as "down." My self-perspective is "up." "I'll
> > be down to see you." "Yes, I can go down there and get that." "Don't
> > bring me down." "Hey baby, let's get down." "I'm down with that."
> >
> > Can I get a witness?
> >
> > t
> >
> > ----- Original Message -----
> > From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Sunday, December 04, 2005 1:33 PM
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> >> http://www.ISAserver.org
> >>
> >> Yes, I agree about the terminology... So, just to be sure, both of these
> >> articles regard the "downstream" ISA box. That would be the "edge,"
> >> "external," "front-end" ISA box that is Internet facing, right??
> >>
> >> [Internal Net] -> [Back-End ISA] -> [DMZ] -> [Front-End ISA] -> [Internet]
> >>
> >> These articles are for what is listed as [Front-End ISA] above, correct?
> >>
> >> Which means, if I chain the [Back-End ISA] to the [Front-End ISA], and
> >> then use the script to disable name resolution as described in the 2nd
> >> link you provided, the hotfix referenced in the first link is not
> >> necessary, right???
> >>
> >> t
> >>
> >> ----- Original Message -----
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Sunday, December 04, 2005 12:17 PM
> >> Subject: [isalist] RE: To Chain, or Not To Chain?
> >>
> >> http://www.ISAserver.org
> >>
> >> You use a local account on the front-end ISA firewall, and have the
> >> back-end ISA firewall use the local account to authenticate.
> >>
> >> So, no Active Directory access is required.
> >>
> >> Actually, if your DNS is well-designed (i.e., your internal DNS server
> >> can resolve Internet host names) you can allow the back-end to resolve
> >> names and you won't have problems. Check out
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;292018 for more
> >> info.
> >>
> >> I don't see any reason to have the front-end perform name resolution,
> >> since the access controls are being done on the back-end. Check out
> >> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx
> >>
> >> The problem I have is with the terminology. Downstream and upstream are
> >> good when talking about rivers and streams, where the "flow" is
> >> unidirectional. But it is a bit confusing with network connections, which
> >> are bidirectional :)
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >>> -----Original Message-----
> >>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>> Sent: Sunday, December 04, 2005 1:47 PM
> >>> To: [ISAserver.org Discussion List]
> >>> Subject: [isalist] RE: To Chain, or Not To Chain?
> >>>
> >>> http://www.ISAserver.org
> >>>
> >>> OK- I'm a bit confused-- probably because I haven't had any Jaeger yet.
> >>>
> >>> Regarding authentication, how can the front-end server authenticate? The
> >>> front end would have to have access to AD, which you would never do through
> >>> the DMZ - that'd be nuts... Or is that just an example of where chaining in
> >>> and of itself serves a purpose? I'm thinking to just keep the internal
> >>> back-end guy thinking the DMZ is the internet as I did before.
> >>>
> >>> Regarding the "config the back end not to perform name resolution," how do I
> >>> do that? That's a new one on me.
> >>>
> >>> t
> >>>
> >>> ----- Original Message -----
> >>> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> >>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >>> Sent: Sunday, December 04, 2005 9:42 AM
> >>> Subject: [isalist] RE: To Chain, or Not To Chain?
> >>>
> >>> > http://www.ISAserver.org
> >>> >
> >>> > Er - I think you mean "configure only the front-end firewall to perform
> >>> > name resolution"?
> >>> > If the back-end does name resolution, this will slow your ISA
> >>> > considerably.
> >>> >
> >>> > -----Original Message-----
> >>> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> >>> > Sent: Sunday, December 04, 2005 8:55 AM
> >>> > To: [ISAserver.org Discussion List]
> >>> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >>> >
> >>> > http://www.ISAserver.org
> >>> >
> >>> > If you chain, you can authenticate.
> >>> > Otherwise, you use only IP address based access control.
> >>> >
> >>> > Configure only the back-end ISA firewall to perform name resolution.
> >>> >
> >>> > Don't enable caching on the front-end ISA firewall.
> >>> >
> >>> > Now you might say "hey Tom, why not just do Firewall chaining if all you
> >>> > want is authenticated connections from the back-end" and that would be
> >>> > an excellent question.
> >>> >
> >>> > HTH,
> >>> > Tom
> >>> >
> >>> > Thomas W Shinder, M.D.
> >>> > Site: www.isaserver.org
> >>> > Blog: http://spaces.msn.com/members/drisa/
> >>> > Book: http://tinyurl.com/3xqb7
> >>> > MVP -- ISA Firewalls
> >>> > **Who is John Galt?**
> >>> >
> >>> >> -----Original Message-----
> >>> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >>> >> Sent: Sunday, December 04, 2005 1:54 AM
> >>> >> To: [ISAserver.org Discussion List]
> >>> >> Subject: [isalist] To Chain, or Not To Chain?
> >>> >>
> >>> >> http://www.ISAserver.org
> >>> >>
> >>> >> So, in a back-to-back ISA config, how do you guys configure web access from
> >>> >> the internal network's border ISA server to the edge network's ISA server?
> >>> >> Do you tell the internal ISA server to chain to the external ISA server and
> >>> >> create an allow rule for 8080, or do you just tell the internal ISA that
> >>> >> it's got a direct connection by pointing the external interface gateway to
> >>> >> the internal interface of the edge ISA box (with corresponding rules to
> >>> >> allow the traffic)??
> >>> >>
> >>> >> I've done it both ways, and am just digging for more info as to which method
> >>> >> is better than the other and why.
> >>> >>
> >>> >> t
> >>> >>
> >>> >> -----
> >>> >> "And yet, even if one person finds his way... that means
> >>> >> there is a Way. Even if I personally fail to reach it."
> >>> >>
> >>> >> Mr. Nobusuke Tagomi
> >>> >> Top Place, Ranking Imperial Trade Mission
> >>> >> Pacific States of America
> >>> >>
> >>> >> ------------------------------------------------------
> >>> >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >>> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >>> >> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >>> >> ------------------------------------------------------
> >>> >> Visit TechGenix.com for more information about our other sites:
> >>> >> http://www.techgenix.com
> >>> >> ------------------------------------------------------
> >>> >> You are currently subscribed to this ISAserver.org Discussion
> >>> >> List as: tshinder@xxxxxxxxxxxxxxxxxx
> >>> >> To unsubscribe visit
> >>> >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >>> >> Report abuse to listadmin@xxxxxxxxxxxxx