Actually, I did and he was disappointed at not being able to engage you on the subject. He's well-acquainted with the stories of he who calls himself ...Tim

jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 05, 2008 4:16 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA/IAG Topologies

He must have told him it was ME he was debating against ;)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, June 05, 2008 12:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
>
> Bummer. :(
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Thursday, June 05, 2008 2:40 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > :-(
> > Steve can't make it.
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Thursday, June 05, 2008 12:15 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > I'll second that! It would be very interesting and some useful conclusions could come of it.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Thursday, June 05, 2008 1:32 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > Will do!
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Thursday, June 05, 2008 11:23 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > You know, an actual "open debate" at Blackhat wouldn't really be a bad idea. In fact, I think it would be quite valuable for all involved.
> > >
> > > Hmmm... Jim, see if Steve is open to it ;)
> > >
> > > t
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > Sent: Wednesday, June 04, 2008 7:21 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > I'd like to know the same thing. How does "Direct Connect" mean the "death of the DMZ"? As far as I can tell, these "Direct Connect" clients represent yet another perimeter (DMZ) that we need to deal with and manage appropriately.
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > Sent: Wednesday, June 04, 2008 9:03 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > >
> > > > > Same thing I was going to say. But notice the first thing he says that one MUST have is a DMZ (among other things). So yes, it's just a different way of saying the same thing.
> > > > >
> > > > > I have no idea where people get that "DMZ" calls out a particular topology -- it's just a logical concept that manifests itself in a physical network deployment based on the goals of the config. Regardless, the whole "direct connect" bit doesn't really apply... but, what do you say?
> > > > >
> > > > > t
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > Sent: Wednesday, June 04, 2008 5:49 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > Interesting. He goes through a very very long explanation of a simple concept -- that there are multiple perimeters and that each perimeter needs to be managed differently.
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > > > > > > Sent: Wednesday, June 04, 2008 2:05 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > What about
> > > > > > > http://isc.sans.org/presentations/2006-sansatnight-notes-optimez.pdf?
> > > > > > >
> > > > > > > Stefaan
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > Sent: Wednesday 4 June 2008 1:17
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Does 'Direct connect' fall into a similar category as SSL VPN where they are really providing a "transport solution", as opposed to a "security solution"?
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > Sent: 04 June 2008 00:11
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Bam!!! Exactly. That is where my thinking was going in this direction. I don't see how "Direct Connect" is going to solve anything other than creating a more difficult to solve problem.
> > > > > > >
> > > > > > > "I pity the foo"
> > > > > > >
> > > > > > > Thomas W Shinder, M.D.
> > > > > > > Site: www.isaserver.org
> > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > Sent: Tuesday, June 03, 2008 6:03 PM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > Of course (just saw this one ;).
> > > > > > > >
> > > > > > > > Direct Access IPSec into the network still affords full stack access. And it does nothing for untrusted, anonymous access to assets that should be configured as such. IPv6 and IPSec will not "kill" the need for least privilege and security in depth. I'm actually quite disappointed that I am seeing professionals let the excitement of "new technologies" override the need for and importance of core security postulates. Saying that the "DMZ is Dead" is foolish, and nothing more than "Oh, I have something cool to talk about at conferences" fodder. Or, as Mr. T calls it, "Jibba Jabba."
> > > > > > > >
> > > > > > > > t
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > Sent: Tuesday, June 03, 2008 9:01 AM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > (hee-hee)
> > > > > > > > > I'd love to get you into the discussion happening in the product security alias...
> > > > > > > > > Can I put you & Steve Riley in the same room for 10 minutes?
> > > > > > > > >
> > > > > > > > > Jim
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > Sent: Tuesday, June 03, 2008 8:59 AM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > The "DMZ" is alive and well. Misconceptions of what a DMZ is, or what the term means, or how it should be deployed and maintained do not affect the absolute need for such a topology. Anyone who says "The DMZ is dead" is either foolishly hanging on to semantics, or they simply do not understand what it is for....
> > > > > > > > >
> > > > > > > > > t
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > Sent: Tuesday, June 03, 2008 8:21 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > Hi Amy,
> > > > > > > > > >
> > > > > > > > > > You may have noticed I used the phrase "ISA protected perimeter network" as I know from bitter experience what you guys are like when I mention the dreaded DMZ word! :-P
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > > > > > > Sent: 03 June 2008 15:17
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > The newb and even those that shouldn't be newb have a difficult time understanding the basic concept of an authenticated DMZ. To most DMZ means that you stick the server out there naked. Press the DMZ button and allow full access to the server. Don't bother to patch it because you'll probably have to re-image it from time to time anyway, since it's being constantly hacked upon.
> > > > > > > > > >
> > > > > > > > > > It's this attitude that causes me to say DMZ is dead.
> > > > > > > > > > It's old outdated terminology that shouldn't be used anymore. ISA may have the ability to authenticate and protect servers in the DMZ but most don't. I really think that ISA needs a new term.
> > > > > > > > > >
> > > > > > > > > > thanks,
> > > > > > > > > >
> > > > > > > > > > Amy Babinchak
> > > > > > > > > >
> > > > > > > > > > Harbor Computer Services |(248) 850-8616
> > > > > > > > > >
> > > > > > > > > > Learn about the perfect storm of rebates: June 10th at 9:00am and save money on your SBS 2008 upgrade.
> > > > > > > > > > Join the meeting.
> > > > > > > > > > Conference Bridge 866-500-6738 PC: 3876393
> > > > > > > > > >
> > > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > > > > > Website http://www.harborcomputerservices.net
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > Sent: Tuesday, June 03, 2008 10:11 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > Yo Jim,
> > > > > > > > > >
> > > > > > > > > > Now that is an interesting topic. A paper airplane is simple compared to a B1 bomber, but I'd argue that the B1 probably provides a higher level of security :)
> > > > > > > > > >
> > > > > > > > > > Bringing the analogy down a bit, "complexity" is operator dependent.
> > > > > > > > > > Creating anonymous and authenticated access DMZs is simple for us, but complex for the ISA firewall neophyte. Does that mean the auth and anon DMZ concept is not secure? Or is it secure for us, but not secure for nEwB?
> > > > > > > > > >
> > > > > > > > > > Just playing with the idea of "complexity is the enemy of security". It sounds right to me, just trying to figure out the corollary arguments.
> > > > > > > > > >
> > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 9:00 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Since "better" is subjective, I'd be more inclined to call it "better-isolated".
> > > > > > > > > > > In general, any time you can functionally isolate (whether this is literal isolation is another discussion) inbound and outbound traffic, your firewall policies and requirements become simplified.
> > > > > > > > > > > It's a given that since complexity increases the odds of human error, complexity must therefore be the enemy of security.
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 3:35 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > So, in this scenario, I am right to consider a combined solution to get a "better" security solution - yes?
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > Sent: 02 June 2008 16:43
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > MS separates inbound and outbound arrays.
> > > > > > > > > > > You're right; IAG sux as a fwd proxy and ISA bows to IAG remote client trust mechanisms.
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > Sent: Monday, June 02, 2008 7:16 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > As ever, I have left out the details until someone volunteers to help :)
> > > > > > > > > > >
> > > > > > > > > > > I know that IAG *is* ISA, but in the current solution set the ISA "bit" doesn't scale very well if you are looking at multiple IAG units to protect a data centre for all inbound and outbound access. In this sort of scenario, IAG can't really cut it on its own to facilitate system-to-system communications (and authenticated outbound/forward access) and ISA seems much more appropriate. I know ISA could be configured to do some of this, but having to create firewall policy rules on each appliance and synchronise them across several IAG appliances doesn't seem very elegant to me...
> > > > > > > > > > >
> > > > > > > > > > > So assuming we are looking at an Internet datacentre model (e.g.
> > > > > > > > > > > all the clients and untrusted systems are on the outside) I am thinking that both IAG and ISA would be needed to provide an elegant solution - yes?
> > > > > > > > > > >
> > > > > > > > > > > In this model, it seemed to make sense to put ISA on the edge as it can provide LB/HA out of the box (with NLB), whereas IAG cannot. ISA can then be used for "protection" and IPSec VPN with IAG added for more advanced publishing with/without endpoint checking as required.
> > > > > > > > > > >
> > > > > > > > > > > In the above model, I am leaning towards putting the external interface of IAG into an ISA anonymous access DMZ, with both devices connected directly to the internal protected network. However, I am curious if this provides little benefit and I may as well simplify things by placing IAG in parallel if it will be dedicated for remote access duties...
> > > > > > > > > > >
> > > > > > > > > > > Any chance of a hint at what MS IT do??
> > > > > > > > > > > ;-)
> > > > > > > > > > >
> > > > > > > > > > > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
> > > > > > > > > > >
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > Sent: 02 June 2008 14:47
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > ..pick one.
> > > > > > > > > > >
> > > > > > > > > > > ..no; really - there is no "boilerplate".
> > > > > > > > > > >
> > > > > > > > > > > It depends on what you have for application and security requirements.
> > > > > > > > > > >
> > > > > > > > > > > IAG *is* ISA with some kewl stuff tossed into the mix.
> > > > > > > > > > >
> > > > > > > > > > > Thus, the question of whether to place IAG or ISA at the edge is equivalent to asking "should I place ISA or ISA at the edge?"
> > > > > > > > > > >
> > > > > > > > > > > Deploying ISAG and ISA side-by-side will be determined by the tasking for each as well.
> > > > > > > > > > >
> > > > > > > > > > > In general, using IAG for fwd traffic is, shall we say, a bit less than easy.
> > > > > > > > > > >
> > > > > > > > > > > Likewise, trying to duplicate the functionality IAG brings to the application publishing game is impossible.
> > > > > > > > > > >
> > > > > > > > > > > IOW, their relative merits in a given scenario depend largely on what you want them to do.
> > > > > > > > > > >
> > > > > > > > > > > Jim
> > > > > > > > > > >
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > Sent: Monday, June 02, 2008 2:34 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Hi All,
> > > > > > > > > > >
> > > > > > > > > > > I was wondering what sort of topologies you guys had used for customers who were looking at combined ISA Server and IAG deployments?
> > > > > > > > > > >
> > > > > > > > > > > For example:
> > > > > > > > > > >
> > > > > > > > > > > Should ISA be the edge device with IAG in an ISA protected perimeter network?
> > > > > > > > > > >
> > > > > > > > > > > Should ISA and IAG be placed in parallel?
> > > > > > > > > > >
> > > > > > > > > > > Should IAG be placed between two ISA Server edge firewalls (e.g.
> > > > > > > > > > > between front-end and back-end ISAs)?
> > > > > > > > > > >
> > > > > > > > > > > Any feedback appreciated...
> > > > > > > > > > >
> > > > > > > > > > > Cheers
> > > > > > > > > > >
> > > > > > > > > > > JJ
> > > > > > > > > > >
> > > > > > > > > > > ________________________________
> > > > > > > > > > >
> > > > > > > > > > > This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > > >
> > > > > > > > > > > If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request.
> > > > > > > > > > > Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000.
> > > > > > > > > > >
> > > > > > > > > > > Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands
> > > > > > > > > > >
> > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > > > > > > > > > Company Registration Number : 2141393.