I believe you can - it might be harder, but I'd bet you can.

I'd leave packet filtering up to the firewall, since that's what you spent
the money on.

Keep in mind that Microsoft built ISA to be used in place of a firewall in
some setups - that's why the 2 NIC options are described.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
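To make the thread's argument concrete, here is an added example (not code from the list or from any participant) that models the three placements discussed: a single-NIC proxy in the DMZ, a single-NIC proxy inside the firewall, and a dual-NIC proxy with one leg in the DMZ and one on the LAN. It treats each segment and device as a graph node and reports any segment pair that can reach each other without traversing the firewall node; the segment and device names are constructed for the example. It goes slightly beyond the thread by checking every segment pair, not just DMZ to LAN.

```python
from collections import defaultdict
from itertools import combinations

# Constructed segment names; the firewall is assumed to be the only
# device whose policy is enforced on traffic between segments.
SEGMENTS = ("internet", "dmz", "lan")

def build_graph(links):
    """Undirected adjacency: each link is (node, node), e.g. a NIC on a segment."""
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g

def simple_paths(g, src, dst, avoid):
    """All simple paths from src to dst that never pass through `avoid`."""
    found = []
    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        for nxt in sorted(g[node]):
            if nxt != avoid and nxt not in path:
                walk(nxt, path + [nxt])
    walk(src, [src])
    return found

def firewall_bypasses(links):
    """Segment pairs joined by some path that avoids the firewall, with the paths.

    A non-empty result means a host (here the proxy) bridges two segments, so the
    firewall is no longer the only path between them: if that host is compromised,
    traffic can cross without ever being filtered."""
    g = build_graph(links)
    return {(a, b): p for a, b in combinations(SEGMENTS, 2)
            if (p := simple_paths(g, a, b, avoid="firewall"))}

# Three-legged firewall: internet, DMZ and LAN all hang off it.
FIREWALL = [("internet", "firewall"), ("firewall", "dmz"), ("firewall", "lan")]
SINGLE_NIC_DMZ = FIREWALL + [("proxy", "dmz")]                    # proxy in the DMZ
SINGLE_NIC_INSIDE = FIREWALL + [("proxy", "lan")]                 # proxy inside the firewall
DUAL_NIC = FIREWALL + [("proxy", "dmz"), ("proxy", "lan")]        # one leg in each

if __name__ == "__main__":
    for name, links in (("single NIC, DMZ", SINGLE_NIC_DMZ),
                        ("single NIC, inside", SINGLE_NIC_INSIDE),
                        ("dual NIC", DUAL_NIC)):
        print(f"{name}: {firewall_bypasses(links) or 'firewall sits on every path'}")
```

The single-NIC placements report nothing; the dual-NIC placement reports the DMZ-to-LAN path that runs through the proxy instead of the firewall.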


> -----Original Message-----
> From: MHR(Michael Ross) [mailto:mhr@;panduit.com] 
> Sent: Monday, November 04, 2002 12:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
> 
> 
> Downside to that is that you can't do packet filtering or 
> domain filtering with one NIC. 
> 
> -----Original Message----- 
> From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] 
> Sent: Monday, November 04, 2002 11:25 AM 
> To: [EMAIL PROTECTED] 
> Subject: RE: [ActiveDir] OT? 
> 
> 
> You are correct, sort of. 
> 
> You can still do packet filtering and inspection on traffic 
> not destined back through your firewall - you just need to 
> write the ruleset correctly.
> 
> Personally, were I to add a proxy box to my network, I'd put 
> it inside the firewall, with a single NIC, and set the 
> firewall to only allow outbound HTTP to/from that box.
> 
> ------------------------------------------------------ 
> Roger D. Seielstad - MCSE 
> Sr. Systems Administrator 
> Inovis - Formerly Harbinger and Extricity 
> Atlanta, GA 
> 
> 
> > -----Original Message----- 
> > From: MHR(Michael Ross) [mailto:mhr@;panduit.com] 
> > Sent: Monday, November 04, 2002 11:40 AM 
> > To: '[EMAIL PROTECTED]' 
> > Subject: RE: [ActiveDir] OT? 
> > 
> > 
> > Curious.. I notice all the MS docs for ISA and proxy say to 
> > do it with 2 NICs.. And you can't do any packet filtering or 
> > stateful inspection with one NIC in the server. 
> > 
> > I've also found Linux proxy documentation showing the same thing. 
> > 
> > -----Original Message----- 
> > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] 
> > Sent: Monday, November 04, 2002 10:34 AM 
> > To: [EMAIL PROTECTED] 
> > Subject: RE: [ActiveDir] OT? 
> > 
> > 
> > Because the 2 NIC solution results in a box bridging your 
> > firewall. In other words, your firewall is no longer the only 
> > path between your internal and external networks. 
> > 
> > That's generally a bad idea. 
> > 
> > ------------------------------------------------------ 
> > Roger D. Seielstad - MCSE 
> > Sr. Systems Administrator 
> > Inovis - Formerly Harbinger and Extricity 
> > Atlanta, GA 
> > 
> > 
> > > -----Original Message----- 
> > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com] 
> > > Sent: Monday, November 04, 2002 10:06 AM 
> > > To: '[EMAIL PROTECTED]' 
> > > Subject: RE: [ActiveDir] OT? 
> > > 
> > > 
> > > Can you explain why? 
> > > 
> > > -----Original Message----- 
> > > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] 
> > > Sent: Monday, November 04, 2002 9:04 AM 
> > > To: [EMAIL PROTECTED] 
> > > Subject: RE: [ActiveDir] OT? 
> > > 
> > > 
> > > You were told correctly. 
> > > 
> > > One NIC in the DMZ is the better choice. 
> > > 
> > > ------------------------------------------------------ 
> > > Roger D. Seielstad - MCSE 
> > > Sr. Systems Administrator 
> > > Inovis - Formerly Harbinger and Extricity 
> > > Atlanta, GA 
> > > 
> > > 
> > > > -----Original Message----- 
> > > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com] 
> > > > Sent: Monday, November 04, 2002 9:55 AM 
> > > > To: '[EMAIL PROTECTED]' 
> > > > Subject: [ActiveDir] OT? 
> > > > 
> > > > 
> > > > I dunno if this is off topic.. 
> > > > but which is more secure? 
> > > > a proxy (or ISA server), with 1 NIC in a DMZ, or a server 
> > > > with 2 NICs .. one in the DMZ, one on the internal LAN.. 
> > > > internal NIC has no default gateway. 
> > > > External NIC has WINS, SERVER service, Workstation service 
> > > > unbound from the NIC. 
> > > >  
> > > > I'm told a dual-NIC'd proxy is a hole in the firewall. 
> > > > 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
