RE: Why Tom recommended NOT to use a gateway for FW Clients
- From: "Jim Harrison" <jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 28 Nov 2001 17:33:13 -0800
If you have a routed network, then you need to look at:
http://www.isaserver.org/pages/tutorials/isanetworks.htm
Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG
----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 28, 2001 11:54
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW
Clients
http://www.ISAserver.org
Another issue is that if you configure all computers as SNAT clients, all IP
traffic is routed by the ISA server (Not only internet, but also intranet
traffic if you have different networks in your LAN or WAN).
So maybe this will use more server resources.
I haven't tried so I don't know how much it affects.
What we are doing is configure SNAT only in MAC clients (which use Appletalk
for internal communication, and IP only for internet).
In PC clients I think is better to use firewall client.
Armando Treviño
-----Original Message-----
From: Brian Tirch [mailto:btirch@xxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 9:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW
Clients
http://www.ISAserver.org
Put it this way, the firewall client will handle all tcp/udp transaction and
that's about it. If you wish to do other things like ping (icmp) or vpn
(gre) then you need to be a snat client. So think of it as know what it
needs to be when using certain actions
Brian Tirch
Entre Information Services
Mct,mcse4.0/2000,ccna,cca,a+,n+
-----Original Message-----
From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 7:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW
Clients
http://www.ISAserver.org
I hear what your saying Jim but my reading strongly suggests that even
if you config a default GW the FW client s\ware will intercept all calls
(inc DNS) and redirect to ISA anyway.
Muqeem suggested that its best to give clients only one way out - again
I understand the logic Muqeem but again the FW client will intercept
anyway and infact configuring your clients with a default GW may be a
good idea since they could fallback to a secureNAT client if something
goes wrong with the FW s\ware.
Any other suggestions?
Nigel
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 27 November 2001 23:07
Subject: Re: Why Tom recommended NOT to use a gateway for FW Clients
A host with a default route to the ISA via its default gateway becomes a
secureNAT client. If you don't want them to become secureNAT, don't
point
their default gateways to the ISA server.
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
btirch@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
armando.trevino@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
