[isapros] Re: ISA/IAG Topologies

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
• To: <isapros@xxxxxxxxxxxxx>
• Date: Thu, 5 Jun 2008 14:43:14 -0500

Bummer. :(

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> Of Jim Harrison
> Sent: Thursday, June 05, 2008 2:40 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
> 
> :-(
> Steve can't make it.
> 
> Jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> Of Thomas W Shinder
> Sent: Thursday, June 05, 2008 12:15 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
> 
> I'll second that! I would be very interesting and some useful
> conclusions could come of it.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > Of Jim Harrison
> > Sent: Thursday, June 05, 2008 1:32 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > Will do!
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > Of Thor (Hammer of God)
> > Sent: Thursday, June 05, 2008 11:23 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > You know, an actual "open debate" at Blackhat wouldn't really be a
bad
> > idea.  In fact, I think it would be quite valuable for all involved.
> >
> > Hmmm... Jim, see if Steve is open to it ;)
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Wednesday, June 04, 2008 7:21 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > I'd like to know the same thing. How does "Direct Connect" mean
the
> > > "death of the DMZ". As far as I can tell, these "Direct Connect"
> > > clients
> > > represent yet another perimeter (DMZ) that we need to deal with
and
> > > manage appropriately.
> > >
> > >
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > Of Thor (Hammer of God)
> > > > Sent: Wednesday, June 04, 2008 9:03 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > Same thing I was going to say.  But notice the first thing he
says
> > > that
> > > > one MUST have is a DMZ (among other things).  So yes, it's just
a
> > > > different way of saying the same thing.
> > > >
> > > > I have no idea where people get that "DMZ" calls out a
particular
> > > > topology -- it's just a logical concept that manifests itself in
a
> > > > physical network deployment based on the goals of the config.
> > > > Regardless, the whole "direct connect" bit doesn't really
apply...
> > > but,
> > > > what do you say?
> > > >
> > > > t
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Wednesday, June 04, 2008 5:49 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > >
> > > > > Interesting. He goes through a very very long explanation of a
> > > simple
> > > > > concept -- that there are multiple perimeters and that each
> > > perimeter
> > > > > needs to be managed differently.
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > Of Stefaan Pouseele
> > > > > > Sent: Wednesday, June 04, 2008 2:05 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > What about
> > > > > >
> > > >
> >
http://isc.sans.org/presentations/2006-sansatnight-notes-optimez.pdf?
> > > > > >
> > > > > > Stefaan
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> > > > > > Behalf Of Jason Jones
> > > > > > Sent: woensdag 4 juni 2008 1:17
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > Does 'Direct connect' fall into a similar category as SSL
VPN
> > > where
> > > > > they are
> > > > > > really providing a "transport solution", as opposed to a
> > > "security
> > > > > > solution"?
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> > > > > > Behalf Of Thomas W Shinder
> > > > > > Sent: 04 June 2008 00:11
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > Bam!!! Exactly. That is where my thinking was going in this
> > > > > direction.
> > > > > I
> > > > > > don't see how "Direct Connect" is going to solve anything
> other
> > > than
> > > > > > creating a more difficult to solve problem.
> > > > > >
> > > > > > "I pity the foo"
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > Of Thor (Hammer of God)
> > > > > > > Sent: Tuesday, June 03, 2008 6:03 PM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Of course (just saw this one ;).
> > > > > > >
> > > > > > > Direct Access IPSec into the network still affords full
> stack
> > > > > access.
> > > > > > > And it does nothing for untrusted, anonymous access to
> assets
> > > that
> > > > > > > should be configured as such.  IPv6 and IPSec will not
> "kill"
> > > the
> > > > > need
> > > > > > > for least privilege and security in depth.  I'm actually
> quite
> > > > > > > disappointed that I am seeing professionals let the
> excitement
> > > of
> > > > > "new
> > > > > > > technologies" override the need for and importance of core
> > > > security
> > > > > > > postulates.  Saying that the "DMZ is Dead" is foolish, and
> > > nothing
> > > > > > more
> > > > > > > than "Oh, I have something cool to talk about at
> conferences"
> > > > > fodder.
> > > > > > > Or, as Mr. T calls it, "Jibba Jabba."
> > > > > > >
> > > > > > > t
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > Sent: Tuesday, June 03, 2008 9:01 AM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > (hee-hee)
> > > > > > > > I'd love to get you into the discussion happing in the
> > > product
> > > > > > > security
> > > > > > > > alias...
> > > > > > > > Can I put you & Steve Riley in the same room for 10
> minutes?
> > > > > > > >
> > > > > > > > Jim
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > Sent: Tuesday, June 03, 2008 8:59 AM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > The "DMZ" is alive and well.  Misconceptions of what a
DMZ
> > > is,
> > > > or
> > > > > > what
> > > > > > > > the term means, or how it should be deployed and
> maintained
> > > does
> > > > > not
> > > > > > > > affect the absolute need for such a topology.  Anyone
who
> > > says
> > > > > "The
> > > > > > > DMZ
> > > > > > > > is dead" is either foolishly hanging on to semantics, or
> > they
> > > > > simply
> > > > > > > do
> > > > > > > > not understand what it is for....
> > > > > > > >
> > > > > > > >
> > > > > > > > t
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > Sent: Tuesday, June 03, 2008 8:21 AM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > Hi Amy,
> > > > > > > > >
> > > > > > > > > You may have noticed I used the phrase " ISA protected
> > > > > perimeter
> > > > > > > > > network" as I know from bitter experience what you
guys
> > are
> > > > > like
> > > > > > > when
> > > > > > > > I
> > > > > > > > > mention the dreaded DMZ word! :-P
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > > > > > Sent: 03 June 2008 15:17
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > The newb and even those that shouldn't be newb have a
> > > > difficult
> > > > > > time
> > > > > > > > > understand the basic concept of an authenticated DMZ.
To
> > > most
> > > > > DMZ
> > > > > > > > means
> > > > > > > > > that you stick the server out there naked. Press the
DMZ
> > > > button
> > > > > > and
> > > > > > > > > allow full access to the server. Don't bother to patch
> it
> > > > > because
> > > > > > > > > you'll probably have to re-image it from time to time
> > > anyway,
> > > > > > since
> > > > > > > > > it's being constantly hacked upon.
> > > > > > > > >
> > > > > > > > > It's this attitude that causes me to say DMZ is dead.
> It's
> > > old
> > > > > > > > outdated
> > > > > > > > > terminology that shouldn't be used anymore. ISA may
have
> > > the
> > > > > > ability
> > > > > > > > to
> > > > > > > > > authenticate and protect servers in the DMZ but most
> > don't.
> > > I
> > > > > > really
> > > > > > > > > think that ISA needs a new term.
> > > > > > > > >
> > > > > > > > > thanks,
> > > > > > > > >
> > > > > > > > > Amy Babinchak
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Harbor Computer Services |(248) 850-8616
> > > > > > > > >
> > > > > > > > > Learn about the perfect storm of rebates: June 10th at
> > > 9:00am
> > > > > and
> > > > > > > > save
> > > > > > > > > money on your SBS 2008 upgrade.
> > > > > > > > > Join the meeting.
> > > > > > > > > Conference Bridge 866-500-6738  PC:  3876393
> > > > > > > > >
> > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > > > > Website http://www.harborcomputerservices.net
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > Sent: Tuesday, June 03, 2008 10:11 AM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > Yo Jim,
> > > > > > > > >
> > > > > > > > > Now that is an interesting topic. A paper airplane is
> > > simple
> > > > > > > compared
> > > > > > > > > to
> > > > > > > > > a B1 bomber, but I'd argue that the B1 probably
provides
> a
> > > > > higher
> > > > > > > > level
> > > > > > > > > of security :)
> > > > > > > > >
> > > > > > > > > Bringing the analogy down a bit, "complexity" is
> operator
> > > > > > dependent.
> > > > > > > > > Creating anonymous and authenticated access DMZs is
> simple
> > > for
> > > > > us,
> > > > > > > > but
> > > > > > > > > complex for the ISA firewall neophyte. Does that mean
> the
> > > auth
> > > > > and
> > > > > > > > anon
> > > > > > > > > DMZ concept is not secure? Or is it secure for us, but
> not
> > > > > secure
> > > > > > > for
> > > > > > > > > nEwB?
> > > > > > > > >
> > > > > > > > > Just playing with the idea of "complexity is the enemy
> of
> > > > > > security".
> > > > > > > > It
> > > > > > > > > sounds right to me, just trying to figure out the
> > corrolary
> > > > > > > > arguments.
> > > > > > > > >
> > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > Site: www.isaserver.org
> > > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > Of Jim Harrison
> > > > > > > > > > Sent: Tuesday, June 03, 2008 9:00 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > Since "better" is subjective, I'd be more inclined
to
> > > call
> > > > it
> > > > > > > > > "better-isolated".
> > > > > > > > > > In general, any time you can functionally isolate
> > > (whether
> > > > > this
> > > > > > is
> > > > > > > > > literal isolation is
> > > > > > > > > > another discussion) inbound and outbound traffic,
your
> > > > > firewall
> > > > > > > > > policies and
> > > > > > > > > > requirements become simplified.  It's a given that
> since
> > > > > > > complexity
> > > > > > > > > increases the odds
> > > > > > > > > > of human error, complexity must therefore be the
enemy
> > of
> > > > > > > security.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > Of Jason Jones
> > > > > > > > > > Sent: Tuesday, June 03, 2008 3:35 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > So, in this scenario, I am right to consider a
> combined
> > > > > solution
> > > > > > > to
> > > > > > > > > get a "better"
> > > > > > > > > > security solution - yes?
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > Of Jim Harrison
> > > > > > > > > > Sent: 02 June 2008 16:43
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > MS separates inbound and outbound arrays.
> > > > > > > > > > You're right; IAG sux as a fwd proxy and ISA bows to
> IAG
> > > > > remote
> > > > > > > > > client
> > > > > > > > > trust
> > > > > > > > > > mechanisms.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > Of Jason Jones
> > > > > > > > > > Sent: Monday, June 02, 2008 7:16 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > As ever, I have left out the details until someone
> > > > volunteers
> > > > > to
> > > > > > > > help
> > > > > > > > > J
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I know that IAG *is* ISA, but in the current
solution
> > set
> > > > the
> > > > > > ISA
> > > > > > > > > "bit" doesn't scale very
> > > > > > > > > > well if you are looking at multiple IAG units to
> protect
> > > a
> > > > > data
> > > > > > > > > centre
> > > > > > > > > for all inbound and
> > > > > > > > > > outbound access. In this sort of scenario, IAG can't
> > > really
> > > > > cut
> > > > > > it
> > > > > > > > on
> > > > > > > > > it's own to facilitate
> > > > > > > > > > system -to-system communications (and authenticated
> > > > > > > > outbound/forward
> > > > > > > > > access) and
> > > > > > > > > > ISA seems much more appropriate. I know ISA could be
> > > > > configured
> > > > > > to
> > > > > > > > do
> > > > > > > > > some of this,
> > > > > > > > > > but having to create firewall policy rules on each
> > > appliance
> > > > > and
> > > > > > > > > synchronise them
> > > > > > > > > > across several IAG appliances doesn't seem very
> elegant
> > > to
> > > > > me...
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > So assuming we are looking at an Internet datacentre
> > > model
> > > > > (e.g.
> > > > > > > > all
> > > > > > > > > the clients and
> > > > > > > > > > untrusted systems are on the outside) I am thinking
> that
> > > > both
> > > > > > IAG
> > > > > > > > and
> > > > > > > > > ISA would be
> > > > > > > > > > needed to provide an elegant solution - yes?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > In this model, it seemed to make sense to put ISA on
> the
> > > > edge
> > > > > as
> > > > > > > it
> > > > > > > > > can provide LB/HA
> > > > > > > > > > out of the box (with NLB), whereas IAG cannot. ISA
can
> > > then
> > > > > be
> > > > > > > used
> > > > > > > > > for "protection"
> > > > > > > > > > and IPSec VPN with IAG added for more advanced
> > publishing
> > > > > > > > > with/without
> > > > > > > > > endpoint
> > > > > > > > > > checking as required.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > In the above model, I am leaning towards putting the
> > > > external
> > > > > > > > > interface of IAG into an
> > > > > > > > > > ISA anonymous access DMZ, with both devices
connected
> > > > > directly
> > > > > > to
> > > > > > > > the
> > > > > > > > > internal
> > > > > > > > > > protected network. However, I am curious if this
> > provides
> > > > > little
> > > > > > > > > benefit and I may as
> > > > > > > > > > well simplify things by placing IAG in parallel if
it
> > > will
> > > > be
> > > > > > > > > dedicated for remote access
> > > > > > > > > > duties...
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Any chance of a hint at what MS IT do?? ;-)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Jason Jones | Security | Silversands Limited | Desk:
> +44
> > > > > (0)1202
> > > > > > > > > 360489 | Mobile: +44
> > > > > > > > > > (0)7971 500312 | Email/MSN:
> > jason.jones@xxxxxxxxxxxxxxxxx
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > Of Jim Harrison
> > > > > > > > > > Sent: 02 June 2008 14:47
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > ..pick one.
> > > > > > > > > >
> > > > > > > > > > ..no; really - there is no "boilerplate".
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > It depends on what you have for application and
> security
> > > > > > > > > requirements.
> > > > > > > > > >
> > > > > > > > > > IAG *is* ISA with some kewl stuff tossed into the
mix.
> > > > > > > > > >
> > > > > > > > > > Thus, the question of whether to place IAG or ISA at
> the
> > > > edge
> > > > > is
> > > > > > > > > equivalent to asking
> > > > > > > > > > "should I place ISA or ISA at the edge?"
> > > > > > > > > >
> > > > > > > > > > Deploying ISAG and ISA side-by-side will be
determined
> > by
> > > > the
> > > > > > > > tasking
> > > > > > > > > for each as
> > > > > > > > > > well.
> > > > > > > > > >
> > > > > > > > > > In general, using IAG for fwd traffic is; shall we
> say,
> > a
> > > > bit
> > > > > > less
> > > > > > > > > than easy.
> > > > > > > > > >
> > > > > > > > > > Likewise, trying to duplicate the functionality IAG
> > > brings
> > > > to
> > > > > > the
> > > > > > > > > application publishing
> > > > > > > > > > game is impossible.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > IOW, their relative merits in a given scenario
depend
> > > > largely
> > > > > on
> > > > > > > > what
> > > > > > > > > you want them to
> > > > > > > > > > do.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Jim
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > Of Jason Jones
> > > > > > > > > > Sent: Monday, June 02, 2008 2:34 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Hi All,
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I was wondering what sort of topologies you guys had
> > used
> > > > for
> > > > > > > > > customers who were
> > > > > > > > > > looking at combined ISA Server and IAG deployments?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > For example:
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Should ISA be the edge device with IAG in an ISA
> > > protected
> > > > > > > > perimeter
> > > > > > > > > network?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Should ISA and IAG be placed in parallel?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Should IAG be placed between two ISA Server edge
> > > firewalls
> > > > > (e.g.
> > > > > > > > > between front-end
> > > > > > > > > > and back-end ISAs)?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Any feedback appreciated...
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Cheers
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > JJ
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >   ________________________________
> > > > > > > > > >
> > > > > > > > > > This email and any files transmitted with it are
> > > > confidential
> > > > > > and
> > > > > > > > > intended solely for the
> > > > > > > > > > use of the individual to whom it is addressed. If
you
> > > have
> > > > > > > received
> > > > > > > > > this email in error,
> > > > > > > > > > or if you believe this email is unsolicited and wish
> to
> > > be
> > > > > > removed
> > > > > > > > > from any future
> > > > > > > > > > mailings, please contact our Support Desk
immediately
> on
> > > > > 01202
> > > > > > > > 360360
> > > > > > > > > or email
> > > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > >
> > > > > > > > > > If this email contains a quotation then unless
> otherwise
> > > > > stated
> > > > > > it
> > > > > > > > is
> > > > > > > > > valid for 7 days and
> > > > > > > > > > offered subject to Silversands Professional Services
> > > Terms
> > > > > and
> > > > > > > > > Conditions, a copy of
> > > > > > > > > > which is available on request. Any pricing
> information,
> > > > > design
> > > > > > > > > information or
> > > > > > > > > > information concerning specific Silversands' staff
> > > contained
> > > > > in
> > > > > > > > this
> > > > > > > > > email is
> > > > > > > > > > considered confidential or of commercial interest
and
> > > exempt
> > > > > > from
> > > > > > > > the
> > > > > > > > > Freedom of
> > > > > > > > > > Information Act 2000.
> > > > > > > > > >
> > > > > > > > > > Any view or opinions presented are solely those of
the
> > > > author
> > > > > > and
> > > > > > > > do
> > > > > > > > > not necessarily
> > > > > > > > > > represent those of Silversands
> > > > > > > > > >
> > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane,
Poole,
> > > BH17
> > > > > 7BX.
> > > > > > > > > > Company Registration Number : 2141393.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > ________________________________
> > > > > > > > > >
> > > > > > > > > > This email and any files transmitted with it are
> > > > confidential
> > > > > > and
> > > > > > > > > intended solely for the
> > > > > > > > > > use of the individual to whom it is addressed. If
you
> > > have
> > > > > > > received
> > > > > > > > > this email in error,
> > > > > > > > > > or if you believe this email is unsolicited and wish
> to
> > > be
> > > > > > removed
> > > > > > > > > from any future
> > > > > > > > > > mailings, please contact our Support Desk
immediately
> on
> > > > > 01202
> > > > > > > > 360360
> > > > > > > > > or email
> > > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > >
> > > > > > > > > > If this email contains a quotation then unless
> otherwise
> > > > > stated
> > > > > > it
> > > > > > > > is
> > > > > > > > > valid for 7 days and
> > > > > > > > > > offered subject to Silversands Professional Services
> > > Terms
> > > > > and
> > > > > > > > > Conditions, a copy of
> > > > > > > > > > which is available on request. Any pricing
> information,
> > > > > design
> > > > > > > > > information or
> > > > > > > > > > information concerning specific Silversands' staff
> > > contained
> > > > > in
> > > > > > > > this
> > > > > > > > > email is
> > > > > > > > > > considered confidential or of commercial interest
and
> > > exempt
> > > > > > from
> > > > > > > > the
> > > > > > > > > Freedom of
> > > > > > > > > > Information Act 2000.
> > > > > > > > > >
> > > > > > > > > > Any view or opinions presented are solely those of
the
> > > > author
> > > > > > and
> > > > > > > > do
> > > > > > > > > not necessarily
> > > > > > > > > > represent those of Silversands
> > > > > > > > > >
> > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane,
Poole,
> > > BH17
> > > > > 7BX.
> > > > > > > > > > Company Registration Number : 2141393.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > This email and any files transmitted with it are
> > > > confidential
> > > > > > and
> > > > > > > > > intended solely for the
> > > > > > > > > > use of the individual to whom it is addressed.  If
you
> > > have
> > > > > > > > received
> > > > > > > > > this email in error,
> > > > > > > > > > or if you believe this email is unsolicited and wish
> to
> > > be
> > > > > > removed
> > > > > > > > > from any future
> > > > > > > > > > mailings, please contact our Support Desk
immediately
> on
> > > > > 01202
> > > > > > > > 360360
> > > > > > > > > or email
> > > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > >
> > > > > > > > > > If this email contains a quotation then unless
> otherwise
> > > > > stated
> > > > > > it
> > > > > > > > is
> > > > > > > > > valid for 7 days and
> > > > > > > > > > offered subject to Silversands Professional Services
> > > Terms
> > > > > and
> > > > > > > > > Conditions, a copy of
> > > > > > > > > > which is available on request. Any pricing
> information,
> > > > > design
> > > > > > > > > information or
> > > > > > > > > > information concerning specific Silversands' staff
> > > contained
> > > > > in
> > > > > > > > this
> > > > > > > > > email is
> > > > > > > > > > considered confidential or of commercial interest
and
> > > exempt
> > > > > > from
> > > > > > > > the
> > > > > > > > > Freedom of
> > > > > > > > > > Information Act 2000.
> > > > > > > > > >
> > > > > > > > > > Any view or opinions presented are solely those of
the
> > > > author
> > > > > > and
> > > > > > > > do
> > > > > > > > > not necessarily
> > > > > > > > > > represent those of Silversands
> > > > > > > > > >
> > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane,
Poole,
> > > BH17
> > > > > 7BX.
> > > > > > > > > > Company Registration Number : 2141393.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > This email and any files transmitted with it are
> > > confidential
> > > > > and
> > > > > > > > > intended solely for the use of the individual to whom
it
> > is
> > > > > > > > addressed.
> > > > > > > > > If you have received this email in error, or if you
> > believe
> > > > > this
> > > > > > > > email
> > > > > > > > > is unsolicited and wish to be removed from any future
> > > > mailings,
> > > > > > > > please
> > > > > > > > > contact our Support Desk immediately on 01202 360360
or
> > > email
> > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > >
> > > > > > > > > If this email contains a quotation then unless
otherwise
> > > > stated
> > > > > it
> > > > > > > is
> > > > > > > > > valid for 7 days and offered subject to Silversands
> > > > > Professional
> > > > > > > > > Services Terms and Conditions, a copy of which is
> > available
> > > on
> > > > > > > > request.
> > > > > > > > > Any pricing information, design information or
> information
> > > > > > > concerning
> > > > > > > > > specific Silversands' staff contained in this email is
> > > > > considered
> > > > > > > > > confidential or of commercial interest and exempt from
> the
> > > > > Freedom
> > > > > > > of
> > > > > > > > > Information Act 2000.
> > > > > > > > >
> > > > > > > > > Any view or opinions presented are solely those of the
> > > author
> > > > > and
> > > > > > do
> > > > > > > > > not necessarily represent those of Silversands
> > > > > > > > >
> > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole,
> > BH17
> > > > > 7BX.
> > > > > > > > > Company Registration Number : 2141393.
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > This email and any files transmitted with it are
confidential
> > and
> > > > > intended
> > > > > > solely for the use of the individual to whom it is
addressed.
> > If
> > > > you
> > > > > have
> > > > > > received this email in error, or if you believe this email
is
> > > > > unsolicited
> > > > > > and wish to be removed from any future mailings, please
> contact
> > > our
> > > > > Support
> > > > > > Desk immediately on 01202 360360 or email
> > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > >
> > > > > > If this email contains a quotation then unless otherwise
> stated
> > > it
> > > > is
> > > > > valid
> > > > > > for 7 days and offered subject to Silversands Professional
> > > Services
> > > > > Terms
> > > > > > and Conditions, a copy of which is available on request. Any
> > > pricing
> > > > > > information, design information or information concerning
> > > specific
> > > > > > Silversands' staff contained in this email is considered
> > > > confidential
> > > > > or of
> > > > > > commercial interest and exempt from the Freedom of
Information
> > > Act
> > > > > 2000.
> > > > > >
> > > > > > Any view or opinions presented are solely those of the
author
> > and
> > > do
> > > > > not
> > > > > > necessarily represent those of Silversands
> > > > > >
> > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17
> 7BX.
> > > > > > Company Registration Number : 2141393.
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> 
> 
> 
> 
> 

• Follow-Ups:
  • [isapros] Re: ISA/IAG Topologies
    • From: Thor (Hammer of God)

Other related posts:

• » [isapros] ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies
• » [isapros] Re: ISA/IAG Topologies

1. Home
2. isapros
3. Archive
4. 06-2008

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---