Downside to that is that you can't do packet filtering or domain filtering with one NIC.
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT?
You are correct, sort of.
You can still do packet filtering and inspection on traffic not destined back through your firewall - you just need to write the ruleset correctly.
Personally, were I to add a proxy box to my network, I'd put it inside the firewall, with a single NIC, and set the firewall to only allow outbound HTTP to/from that box.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
> -----Original Message-----
> From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 11:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
>
> Curious.. I notice all the MS docs for ISA and proxy say to
> do it with 2 NICs.. And you can't do any packet filtering or
> stateful inspection with one NIC in the server.
>
> I've also found Linux proxy documentation showing the same thing.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 10:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT?
>
>
> Because the 2 NIC solution results in a box bridging your
> firewall. In other words, your firewall is no longer the only
> path between your internal and external networks.
>
> That's generally a bad idea.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 04, 2002 10:06 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT?
> >
> >
> > Can you explain why?
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 04, 2002 9:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT?
> >
> >
> > You were told correctly.
> >
> > One NIC in the DMZ is the better choice.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> >
> > > -----Original Message-----
> > > From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, November 04, 2002 9:55 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: [ActiveDir] OT?
> > >
> > >
> > > I dunno if this is off topic..
> > > but which is more secure?
> > > a proxy (or ISA server), with 1 NIC in a DMZ, or a server
> > > with 2 NICs .. one in the DMZ, one on the internal LAN..
> > > internal NIC has no default gateway.
> > > External NIC has WINS, SERVER service, Workstation service
> > > unbound from the NIC.
> > >
> > > I'm told a dual-NIC'd proxy is a hole in the firewall.
> > >
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
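Roger's recommendation (single-NIC proxy inside the firewall, firewall allowing only that box outbound HTTP) is easiest to see as a concrete ruleset. This is an added example, not from anyone in the thread, written for a Linux/iptables firewall; the interface names, the proxy address and the 80/443 port choice are assumptions.

```shell
#!/bin/sh
# Added example: FORWARD-chain policy for a firewall with the LAN on one
# interface and the Internet on another, where only the single-NIC proxy
# may originate web traffic outbound. All values below are constructed.
LAN_IF="${LAN_IF:-eth1}"          # assumed: internal LAN interface
WAN_IF="${WAN_IF:-eth0}"          # assumed: Internet-facing interface
PROXY="${PROXY:-10.0.0.10}"       # assumed: address of the single-NIC proxy
IPT="${IPT:-iptables}"            # set IPT=echo for a dry run

apply_proxy_only_rules() {
    # Deny everything that is not explicitly allowed through the firewall.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD

    # Replies to connections the proxy opened come back through the
    # firewall, so the firewall still sees and inspects both directions.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the proxy may open HTTP/HTTPS connections toward the Internet.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Any other LAN host trying to go direct is logged and dropped; this is
    # also how you notice a client that bypasses the proxy.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -j LOG --log-prefix "FW-DIRECT-OUT: "
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP

    # Nothing from the Internet may open a connection inward, proxy
    # included: the default DROP policy covers it, stated here for clarity.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state NEW -j DROP
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_proxy_only_rules
fi
```

Run `IPT=echo sh thisfile.sh --apply` to review the generated rules without changing anything; the proxy itself still needs its own host filtering, but it no longer has a second foot on the outside.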
