You are correct, sort of. You can still do packet filtering and inspection on traffic not destined back through your firewall - you just need to write the ruleset correctly.

Personally, were I to add a proxy box to my network, I'd put it inside the firewall, with a single NIC, and set the firewall to only allow outbound HTTP to/from that box.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> Sent: Monday, November 04, 2002 11:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
> Curious.. I notice all the MS docs for ISA and proxy say to do it with
> 2 NICs.. And you can't do any packet filtering or stateful inspection
> with one NIC in the server.
>
> I've also found Linux proxy documentation showing the same thing.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> Sent: Monday, November 04, 2002 10:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT?
>
> Because the 2 NIC solution results in a box bridging your firewall. In
> other words, your firewall is no longer the only path between your
> internal and external networks.
>
> That's generally a bad idea.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > Sent: Monday, November 04, 2002 10:06 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT?
> >
> > Can you explain why?
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > Sent: Monday, November 04, 2002 9:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT?
> >
> > You were told correctly.
> >
> > One NIC in the DMZ is the better choice.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > > Sent: Monday, November 04, 2002 9:55 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: [ActiveDir] OT?
> > >
> > > I dunno if this is off topic.. but which is more secure?
> > > A proxy (or ISA server) with 1 NIC in a DMZ, or a server with 2 NICs,
> > > one in the DMZ, one on the internal LAN? Internal NIC has no default
> > > gateway. External NIC has WINS, SERVER service, Workstation service
> > > unbound from the NIC.
> > >
> > > I'm told a dual-NIC'd proxy is a hole in the firewall.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
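Added example, not part of the list thread: an nftables forward-chain ruleset for the single-NIC layout Roger describes, where the firewall stays the only path between LAN, DMZ and Internet and only the proxy box may open outbound HTTP. Interface names (lan0, dmz0, wan0), the proxy address 192.0.2.10 (a documentation address) and the proxy listening port 3128 are assumptions.

```nftables
# Constructed ruleset for the "proxy with one NIC in the DMZ" design.
# Assumed: lan0 = internal LAN, dmz0 = DMZ, wan0 = Internet,
# proxy = 192.0.2.10 listening on TCP 3128 (all are assumptions).
table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful inspection: replies to permitted flows are allowed back.
        ct state established,related accept
        ct state invalid drop

        # Internal clients may only talk to the proxy service itself.
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.10 \
            tcp dport 3128 ct state new accept

        # Only the proxy box may open outbound HTTP (443 added here for HTTPS).
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.10 \
            tcp dport { 80, 443 } ct state new accept

        # No DMZ-initiated traffic reaches the LAN: a compromised proxy
        # stays on the wrong side of the firewall instead of bridging it.
        iifname "dmz0" oifname "lan0" drop

        # Direct LAN -> Internet web traffic falls through to policy drop,
        # so every browser session must traverse the proxy.
    }
}
```

With a dual-NIC proxy the LAN-to-proxy leg never crosses this chain, which is the "hole in the firewall" the thread warns about; with a single NIC every leg is visible here and subject to these rules.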
