If you have a routed network, then you need to look at:
http://www.isaserver.org/pages/tutorials/isanetworks.htm

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG

----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 28, 2001 11:54
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients

http://www.ISAserver.org

Another issue is that if you configure all computers as SNAT clients, all IP traffic is routed by the ISA server (not only Internet, but also intranet traffic if you have different networks in your LAN or WAN). So maybe this will use more server resources. I haven't tried it, so I don't know how much it affects.

What we are doing is configuring SNAT only on Mac clients (which use AppleTalk for internal communication, and IP only for Internet). On PC clients I think it is better to use the firewall client.

Armando Treviño

-----Original Message-----
From: Brian Tirch [mailto:btirch@xxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 9:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients

Put it this way: the firewall client will handle all TCP/UDP transactions and that's about it. If you wish to do other things like ping (ICMP) or VPN (GRE), then you need to be a SNAT client. So think of it as knowing what it needs to be when using certain actions.

Brian Tirch
Entre Information Services
MCT, MCSE 4.0/2000, CCNA, CCA, A+, N+

-----Original Message-----
From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 7:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients

I hear what you're saying, Jim, but my reading strongly suggests that even if you config a default GW, the FW client s/ware will intercept all calls (inc. DNS) and redirect to ISA anyway.

Muqeem suggested that it's best to give clients only one way out. Again, I understand the logic, Muqeem, but again the FW client will intercept anyway, and in fact configuring your clients with a default GW may be a good idea, since they could fall back to a secureNAT client if something goes wrong with the FW s/ware.

Any other suggestions?

Nigel

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 27 November 2001 23:07
Subject: Re: Why Tom recommended NOT to use a gateway for FW Clients

A host with a default route to the ISA via its default gateway becomes a secureNAT client. If you don't want them to become secureNAT, don't point their default gateways to the ISA server.