[isapros] Re: ISA/IAG Topologies

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jun 2008 11:34:58 +0100

So, in this scenario, I am right to consider a combined solution to get a 
"better" security solution - yes?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 02 June 2008 16:43
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA/IAG Topologies

MS separates inbound and outbound arrays.
You're right; IAG sux as a fwd proxy and ISA bows to IAG remote client trust 
mechanisms.


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Monday, June 02, 2008 7:16 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA/IAG Topologies

As ever, I have left out the details until someone volunteers to help J



I know that IAG *is* ISA, but in the current solution set the ISA "bit" doesn't 
scale very well if you are looking at multiple IAG units to protect a data 
centre for all inbound and outbound access. In this sort of scenario, IAG can't 
really cut it on it's own to facilitate system -to-system communications (and 
authenticated outbound/forward access) and ISA seems much more appropriate. I 
know ISA could be configured to do some of this, but having to create firewall 
policy rules on each appliance and synchronise them across several IAG 
appliances doesn't seem very elegant to me...



So assuming we are looking at an Internet datacentre model (e.g. all the 
clients and untrusted systems are on the outside) I am thinking that both IAG 
and ISA would be needed to provide an elegant solution - yes?


In this model, it seemed to make sense to put ISA on the edge as it can provide 
LB/HA out of the box (with NLB), whereas IAG cannot. ISA can then be used for 
"protection" and IPSec VPN with IAG added for more advanced publishing 
with/without endpoint checking as required.



In the above model, I am leaning towards putting the external interface of IAG 
into an ISA anonymous access DMZ, with both devices connected directly to the 
internal protected network. However, I am curious if this provides little 
benefit and I may as well simplify things by placing IAG in parallel if it will 
be dedicated for remote access duties...



Any chance of a hint at what MS IT do?? ;-)



Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489 | 
Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx



From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 02 June 2008 14:47
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA/IAG Topologies



..pick one.

..no; really - there is no "boilerplate".



It depends on what you have for application and security requirements.

IAG *is* ISA with some kewl stuff tossed into the mix.

Thus, the question of whether to place IAG or ISA at the edge is equivalent to 
asking "should I place ISA or ISA at the edge?"

Deploying ISAG and ISA side-by-side will be determined by the tasking for each 
as well.

In general, using IAG for fwd traffic is; shall we say, a bit less than easy.

Likewise, trying to duplicate the functionality IAG brings to the application 
publishing game is impossible.



IOW, their relative merits in a given scenario depend largely on what you want 
them to do.



Jim



From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Monday, June 02, 2008 2:34 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA/IAG Topologies



Hi All,



I was wondering what sort of topologies you guys had used for customers who 
were looking at combined ISA Server and IAG deployments?



For example:



Should ISA be the edge device with IAG in an ISA protected perimeter network?



Should ISA and IAG be placed in parallel?



Should IAG be placed between two ISA Server edge firewalls (e.g. between 
front-end and back-end ISAs)?



Any feedback appreciated...



Cheers



JJ









  ________________________________

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed. If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.


________________________________

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed. If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.



This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed.  If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.

Other related posts:

  1. Home
  2. isapros
  3. Archive
  4. 06-2008