[THIN] Secure Gateway network location

  • From: "Evan Mann" <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 15 Jul 2005 23:33:50 -0400

Anyone done much with Secure Gateway?  I've got 2 of them (1 for
failover).  Pretty neat from what I've played with so far, fairly easy
to set up.

My question is on network placement.  My network goes internet -> pix ->
ISA -> trusted.  There is nothing on my network that sits in the DMZ
server wide, just a concentrator.  All my servers and such are published
through ISA.  The exception being Citrix, which will go through the
gateway only.

Things are static NATed from the PIX's external interface to its
internal.  ISA's external interface matches with PIX's internal, and
ISA's internal matches the trusted network.  For the purpose of the
gateway, I can put it outside 

So I can stick the gateway out in the DMZ, or I can stick it on the
trusted network behind ISA.  Right now it's behind ISA so ISA is
publishing the gateway on port 80/443.  Nothing else can get to the
gateway on any other port.  

Should I leave it like this, or am I losing some benefits of the
gateway and/or opening myself up to risk?  One of the points of ISA is
to not have to put servers in a DMZ and use ISA to publish them, so it
makes sense from that aspect.  
