[isapros] Re: ISA/IAG Topologies

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jun 2008 17:59:38 -0700

Actually, I did and he was disappointed at not being able to engage you on the 
subject.
He's well-acquainted with the stories of he who calls himself
...Tim

jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, June 05, 2008 4:16 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA/IAG Topologies

He must have told him it was ME he was debating against ;)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, June 05, 2008 12:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
>
> Bummer. :(
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > Of Jim Harrison
> > Sent: Thursday, June 05, 2008 2:40 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > :-(
> > Steve can't make it.
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > Of Thomas W Shinder
> > Sent: Thursday, June 05, 2008 12:15 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > I'll second that! It would be very interesting and some useful
> > conclusions could come of it.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > Of Jim Harrison
> > > Sent: Thursday, June 05, 2008 1:32 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > Will do!
> > >
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > Of Thor (Hammer of God)
> > > Sent: Thursday, June 05, 2008 11:23 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > You know, an actual "open debate" at Blackhat wouldn't really be a bad
> > > idea.  In fact, I think it would be quite valuable for all involved.
> > >
> > > Hmmm... Jim, see if Steve is open to it ;)
> > >
> > > t
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > Sent: Wednesday, June 04, 2008 7:21 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > I'd like to know the same thing. How does "Direct Connect" mean the
> > > > "death of the DMZ"? As far as I can tell, these "Direct Connect" clients
> > > > represent yet another perimeter (DMZ) that we need to deal with and
> > > > manage appropriately.
> > > >
> > > >
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > Of Thor (Hammer of God)
> > > > > Sent: Wednesday, June 04, 2008 9:03 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > >
> > > > > Same thing I was going to say.  But notice the first thing he says that
> > > > > one MUST have is a DMZ (among other things).  So yes, it's just a
> > > > > different way of saying the same thing.
> > > > >
> > > > > I have no idea where people get that "DMZ" calls out a particular
> > > > > topology -- it's just a logical concept that manifests itself in a
> > > > > physical network deployment based on the goals of the config.
> > > > > Regardless, the whole "direct connect" bit doesn't really apply... but,
> > > > > what do you say?
> > > > >
> > > > > t
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > Sent: Wednesday, June 04, 2008 5:49 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > Interesting. He goes through a very very long explanation of a simple
> > > > > > concept -- that there are multiple perimeters and that each perimeter
> > > > > > needs to be managed differently.
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > Of Stefaan Pouseele
> > > > > > > Sent: Wednesday, June 04, 2008 2:05 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > What about
> > > > > > > http://isc.sans.org/presentations/2006-sansatnight-notes-optimez.pdf?
> > > > > > >
> > > > > > > Stefaan
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> > > > > > > Behalf Of Jason Jones
> > > > > > > Sent: woensdag 4 juni 2008 1:17
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Does 'Direct connect' fall into a similar category as SSL VPN where
> > > > > > > they are really providing a "transport solution", as opposed to a
> > > > > > > "security solution"?
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> > > > > > > Behalf Of Thomas W Shinder
> > > > > > > Sent: 04 June 2008 00:11
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Bam!!! Exactly. That is where my thinking was going in this direction. I
> > > > > > > don't see how "Direct Connect" is going to solve anything other than
> > > > > > > creating a more difficult to solve problem.
> > > > > > >
> > > > > > > "I pity the foo"
> > > > > > >
> > > > > > > Thomas W Shinder, M.D.
> > > > > > > Site: www.isaserver.org
> > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > Of Thor (Hammer of God)
> > > > > > > > Sent: Tuesday, June 03, 2008 6:03 PM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > Of course (just saw this one ;).
> > > > > > > >
> > > > > > > > Direct Access IPSec into the network still affords full stack access.
> > > > > > > > And it does nothing for untrusted, anonymous access to assets that
> > > > > > > > should be configured as such.  IPv6 and IPSec will not "kill" the need
> > > > > > > > for least privilege and security in depth.  I'm actually quite
> > > > > > > > disappointed that I am seeing professionals let the excitement of "new
> > > > > > > > technologies" override the need for and importance of core security
> > > > > > > > postulates.  Saying that the "DMZ is Dead" is foolish, and nothing more
> > > > > > > > than "Oh, I have something cool to talk about at conferences" fodder.
> > > > > > > > Or, as Mr. T calls it, "Jibba Jabba."
> > > > > > > >
> > > > > > > > t
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > Sent: Tuesday, June 03, 2008 9:01 AM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > (hee-hee)
> > > > > > > > > I'd love to get you into the discussion happening in the product
> > > > > > > > > security alias...
> > > > > > > > > Can I put you & Steve Riley in the same room for 10 minutes?
> > > > > > > > >
> > > > > > > > > Jim
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > Sent: Tuesday, June 03, 2008 8:59 AM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > The "DMZ" is alive and well.  Misconceptions of what a DMZ is, or what
> > > > > > > > > the term means, or how it should be deployed and maintained does not
> > > > > > > > > affect the absolute need for such a topology.  Anyone who says "The DMZ
> > > > > > > > > is dead" is either foolishly hanging on to semantics, or they simply do
> > > > > > > > > not understand what it is for....
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > t
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > Sent: Tuesday, June 03, 2008 8:21 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > Hi Amy,
> > > > > > > > > >
> > > > > > > > > > You may have noticed I used the phrase "ISA protected perimeter
> > > > > > > > > > network" as I know from bitter experience what you guys are like when I
> > > > > > > > > > mention the dreaded DMZ word! :-P
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > > > > > > Sent: 03 June 2008 15:17
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > The newb and even those that shouldn't be newb have a difficult time
> > > > > > > > > > understanding the basic concept of an authenticated DMZ. To most DMZ
> > > > > > > > > > means that you stick the server out there naked. Press the DMZ button
> > > > > > > > > > and allow full access to the server. Don't bother to patch it because
> > > > > > > > > > you'll probably have to re-image it from time to time anyway, since
> > > > > > > > > > it's being constantly hacked upon.
> > > > > > > > > >
> > > > > > > > > > It's this attitude that causes me to say DMZ is dead. It's old outdated
> > > > > > > > > > terminology that shouldn't be used anymore. ISA may have the ability to
> > > > > > > > > > authenticate and protect servers in the DMZ but most don't. I really
> > > > > > > > > > think that ISA needs a new term.
> > > > > > > > > >
> > > > > > > > > > thanks,
> > > > > > > > > >
> > > > > > > > > > Amy Babinchak
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Harbor Computer Services |(248) 850-8616
> > > > > > > > > >
> > > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > > > > > Website http://www.harborcomputerservices.net
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > Sent: Tuesday, June 03, 2008 10:11 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > Yo Jim,
> > > > > > > > > >
> > > > > > > > > > Now that is an interesting topic. A paper airplane is simple compared to
> > > > > > > > > > a B1 bomber, but I'd argue that the B1 probably provides a higher level
> > > > > > > > > > of security :)
> > > > > > > > > >
> > > > > > > > > > Bringing the analogy down a bit, "complexity" is operator dependent.
> > > > > > > > > > Creating anonymous and authenticated access DMZs is simple for us, but
> > > > > > > > > > complex for the ISA firewall neophyte. Does that mean the auth and anon
> > > > > > > > > > DMZ concept is not secure? Or is it secure for us, but not secure for
> > > > > > > > > > nEwB?
> > > > > > > > > >
> > > > > > > > > > Just playing with the idea of "complexity is the enemy of security". It
> > > > > > > > > > sounds right to me, just trying to figure out the corollary arguments.
> > > > > > > > > >
> > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > > Of Jim Harrison
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 9:00 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Since "better" is subjective, I'd be more inclined to call it
> > > > > > > > > > > "better-isolated".
> > > > > > > > > > > In general, any time you can functionally isolate (whether this is
> > > > > > > > > > > literal isolation is another discussion) inbound and outbound traffic,
> > > > > > > > > > > your firewall policies and requirements become simplified.  It's a given
> > > > > > > > > > > that since complexity increases the odds of human error, complexity must
> > > > > > > > > > > therefore be the enemy of security.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > > Of Jason Jones
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 3:35 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > So, in this scenario, I am right to consider a combined solution to get
> > > > > > > > > > > a "better" security solution - yes?
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > > Of Jim Harrison
> > > > > > > > > > > Sent: 02 June 2008 16:43
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > MS separates inbound and outbound arrays.
> > > > > > > > > > > You're right; IAG sux as a fwd proxy and ISA bows to IAG remote client
> > > > > > > > > > > trust mechanisms.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > > Of Jason Jones
> > > > > > > > > > > Sent: Monday, June 02, 2008 7:16 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > As ever, I have left out the details until someone volunteers to
> > > > > > > > > > > help :-)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > I know that IAG *is* ISA, but in the current solution set the ISA "bit"
> > > > > > > > > > > doesn't scale very well if you are looking at multiple IAG units to
> > > > > > > > > > > protect a data centre for all inbound and outbound access. In this sort
> > > > > > > > > > > of scenario, IAG can't really cut it on its own to facilitate
> > > > > > > > > > > system-to-system communications (and authenticated outbound/forward
> > > > > > > > > > > access) and ISA seems much more appropriate. I know ISA could be
> > > > > > > > > > > configured to do some of this, but having to create firewall policy
> > > > > > > > > > > rules on each appliance and synchronise them across several IAG
> > > > > > > > > > > appliances doesn't seem very elegant to me...
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > So assuming we are looking at an Internet datacentre model (e.g. all the
> > > > > > > > > > > clients and untrusted systems are on the outside) I am thinking that
> > > > > > > > > > > both IAG and ISA would be needed to provide an elegant solution - yes?
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > In this model, it seemed to make sense to put ISA on the edge as it can
> > > > > > > > > > > provide LB/HA out of the box (with NLB), whereas IAG cannot. ISA can then
> > > > > > > > > > > be used for "protection" and IPSec VPN with IAG added for more advanced
> > > > > > > > > > > publishing with/without endpoint checking as required.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > In the above model, I am leaning towards putting the external interface
> > > > > > > > > > > of IAG into an ISA anonymous access DMZ, with both devices connected
> > > > > > > > > > > directly to the internal protected network. However, I am curious if
> > > > > > > > > > > this provides little benefit and I may as well simplify things by
> > > > > > > > > > > placing IAG in parallel if it will be dedicated for remote access
> > > > > > > > > > > duties...
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Any chance of a hint at what MS IT do?? ;-)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489 |
> > > > > > > > > > > Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > > Of Jim Harrison
> > > > > > > > > > > Sent: 02 June 2008 14:47
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > ..pick one.
> > > > > > > > > > >
> > > > > > > > > > > ..no; really - there is no "boilerplate".
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > It depends on what you have for application and security requirements.
> > > > > > > > > > >
> > > > > > > > > > > IAG *is* ISA with some kewl stuff tossed into the mix.
> > > > > > > > > > >
> > > > > > > > > > > Thus, the question of whether to place IAG or ISA at the edge is
> > > > > > > > > > > equivalent to asking "should I place ISA or ISA at the edge?"
> > > > > > > > > > >
> > > > > > > > > > > Deploying ISAG and ISA side-by-side will be determined by the tasking
> > > > > > > > > > > for each as well.
> > > > > > > > > > >
> > > > > > > > > > > In general, using IAG for fwd traffic is; shall we say, a bit less than
> > > > > > > > > > > easy.
> > > > > > > > > > >
> > > > > > > > > > > Likewise, trying to duplicate the functionality IAG brings to the
> > > > > > > > > > > application publishing game is impossible.
> > > > > > > > > > >
> > > > > > > > > > > IOW, their relative merits in a given scenario depend largely on what
> > > > > > > > > > > you want them to do.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Jim
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > > > > > Of Jason Jones
> > > > > > > > > > > Sent: Monday, June 02, 2008 2:34 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Hi All,
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > I was wondering what sort of topologies you guys had used for customers
> > > > > > > > > > > who were looking at combined ISA Server and IAG deployments?
> > > > > > > > > > >
> > > > > > > > > > > For example:
> > > > > > > > > > >
> > > > > > > > > > > Should ISA be the edge device with IAG in an ISA protected perimeter
> > > > > > > > > > > network?
> > > > > > > > > > >
> > > > > > > > > > > Should ISA and IAG be placed in parallel?
> > > > > > > > > > >
> > > > > > > > > > > Should IAG be placed between two ISA Server edge firewalls (e.g. between
> > > > > > > > > > > front-end and back-end ISAs)?
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Any feedback appreciated...
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Cheers
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > JJ
> > > > > > > > > > >
> > > > > > > > > > > ________________________________
> > > > > > > > > > >
> > > > > > > > > > > This email and any files transmitted with it are confidential and
> > > > > > > > > > > intended solely for the use of the individual to whom it is addressed.
> > > > > > > > > > > If you have received this email in error, or if you believe this email
> > > > > > > > > > > is unsolicited and wish to be removed from any future mailings, please
> > > > > > > > > > > contact our Support Desk immediately on 01202 360360 or email
> > > > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > > >
> > > > > > > > > > > If this email contains a quotation then unless otherwise stated it is
> > > > > > > > > > > valid for 7 days and offered subject to Silversands Professional
> > > > > > > > > > > Services Terms and Conditions, a copy of which is available on request.
> > > > > > > > > > > Any pricing information, design information or information concerning
> > > > > > > > > > > specific Silversands' staff contained in this email is considered
> > > > > > > > > > > confidential or of commercial interest and exempt from the Freedom of
> > > > > > > > > > > Information Act 2000.
> > > > > > > > > > >
> > > > > > > > > > > Any view or opinions presented are solely those of the author and do
> > > > > > > > > > > not necessarily represent those of Silversands
> > > > > > > > > > >
> > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > > > > > > > > > Company Registration Number : 2141393.