RE: To Chain, or Not To Chain?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 4 Dec 2005 12:00:54 -0600

Christmas holiday cheer and relatives, which required some frontal lobe
anesthesia to handle the situation.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Sunday, December 04, 2005 11:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
> 
> http://www.ISAserver.org
> 
> You haven't finished your first cup by 0855?
> I'm nearly done with the whole pot by then...
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Sunday, December 04, 2005 9:56 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
> 
> http://www.ISAserver.org
> 
> Yes, isn't that what I said?
> 
> Hmmm. That's what I get for not waiting for the first cup of 
> Joe to kick
> in.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Sunday, December 04, 2005 11:42 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> > 
> > http://www.ISAserver.org
> > 
> > Er - I think you mean "configure only the front-end firewall 
> > to perform
> > name resolution"?
> > If the back-end does name resolution, this will slow your ISA
> > considerably.
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Sunday, December 04, 2005 8:55 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> > 
> > http://www.ISAserver.org
> > 
> > If you chain, you can authenticate. Otherwise, you use only 
> IP address
> > based access control.
> > 
> > Configure only the back-end ISA firewall to perform name resolution.
> > 
> > Don't enable caching on the front-end ISA firewall.
> > 
> > Now you might say "hey Tom, why not just do Firewall chaining 
> > if all you
> > want is authenticated connections from the back-end" and 
> that would be
> > an excellent question.
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> > > Sent: Sunday, December 04, 2005 1:54 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] To Chain, or Not To Chain?
> > > 
> > > http://www.ISAserver.org
> > > 
> > > So, in a back-to-back ISA config, how do you guys configure 
> > > web access from 
> > > the internal network's border ISA server to the edge 
> > > network's ISA server? 
> > > Do you tell the internal ISA server to chain to the external 
> > > ISA server and 
> > > create an allow rule for 8080, or do you just tell the 
> > > internal ISA that 
> > > it's got a direct connection by pointing the external 
> > > interface gateway to 
> > > the internal interface of the edge ISA box (with 
> > > corresponding rules to 
> > > allow the traffic)??
> > > 
> > > I've done it both ways, and am just digging for more info as 
> > > to which method 
> > > is better than the other and why.
> > > 
> > > t
> > > 
> > > -----
> > > "And yet, even if one person finds his way... that means
> > > there is a Way.  Even if I personally fail to reach it."
> > > 
> > > Mr. Nobusuke Tagomi
> > > Top Place, Ranking Imperial Trade Mission
> > > Pacific States of America
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion 
> > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit 
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion 
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
>

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 12-2005