Hmm... Then I'd definitely put it behind the existing firewall and force people to use it there.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> Sent: Monday, November 04, 2002 1:00 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
>
> You may be right about MS' design of ISA.. But I've even seen
> their documentation show firewalls and a dual NICd server.
> You cannot do packet filtering in ISA or Proxy2.0 with one
> nic.. A pop up comes up and confirms that.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> Sent: Monday, November 04, 2002 11:51 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT?
>
>
> I believe you can - it might be harder, but I'd bet you can.
>
> I'd leave packet filtering up to the firewall, since that's
> what you spent the money on it for.
>
> Keep in mind that Microsoft built ISA to be used in place of
> a firewall in some setups - that's why the 2 NIC options are
> described.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > Sent: Monday, November 04, 2002 12:43 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT?
> >
> >
> > Downside to that is that you can't do packet filtering or
> > domain filtering with one nic.
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > Sent: Monday, November 04, 2002 11:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT?
> >
> >
> > You are correct, sort of.
> >
> > You can still do packet filtering and inspection on traffic
> > not destined back through your firewall - you just need to
> > write the ruleset correctly.
> >
> > Personally, were I to add a proxy box to my network, I'd put
> > it inside the firewall, with a single NIC, and set the
> > firewall to only allow outbound HTTP to/from that box.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> >
> > > -----Original Message-----
> > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > > Sent: Monday, November 04, 2002 11:40 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] OT?
> > >
> > >
> > > Curious.. I notice all the MS docs for ISA and proxy say to
> > > do it with 2 nics.. And you can't do any packet filtering or
> > > stateful inspection with one nic in the server.
> > >
> > > I've also found Linux proxy documentation showing the same thing.
> > >
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > > Sent: Monday, November 04, 2002 10:34 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] OT?
> > >
> > >
> > > Because the 2 NIC solution results in a box bridging your
> > > firewall. In other words, your firewall is no longer the only
> > > path between your internal and external networks.
> > >
> > > That's generally a bad idea.
> > >
> > > ------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis - Formerly Harbinger and Extricity
> > > Atlanta, GA
> > >
> > >
> > > > -----Original Message-----
> > > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > > > Sent: Monday, November 04, 2002 10:06 AM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: RE: [ActiveDir] OT?
> > > >
> > > >
> > > > Can you explain why?
> > > >
> > > > -----Original Message-----
> > > > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > > > Sent: Monday, November 04, 2002 9:04 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] OT?
> > > >
> > > >
> > > > You were told correctly.
> > > >
> > > > One NIC in the DMZ is the better choice.
> > > >
> > > > ------------------------------------------------------
> > > > Roger D. Seielstad - MCSE
> > > > Sr. Systems Administrator
> > > > Inovis - Formerly Harbinger and Extricity
> > > > Atlanta, GA
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > > > > Sent: Monday, November 04, 2002 9:55 AM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: [ActiveDir] OT?
> > > > >
> > > > >
> > > > > I dunno if this is off topic..
> > > > > but which is more secure?
> > > > > a proxy (or isa server), with 1 NIC in a DMZ, or a server
> > > > > with 2 NICs .. one in the DMZ, one on the internal LAN..
> > > > > internal NIC has no default gateway.
> > > > > External NIC has WINS, SERVER service, Workstation service
> > > > > unbound from the NIC.
> > > > >
> > > > > I'm told a dual NICd proxy is a hole in the firewall.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
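Roger's recommended layout (proxy with a single NIC inside the firewall, firewall permits outbound web traffic only to and from that box) written as an nftables ruleset for the firewall host. This is an added example, not code from the thread; the interface names eth0/eth1, the 192.0.2.0/24 LAN and the proxy address 192.0.2.10 are assumptions. With a dual-NIC proxy, traffic would cross at the proxy host and never traverse this forward chain at all, which is the "hole" the thread describes.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread.
# Assumptions (constructed for illustration):
#   eth0 = external (Internet-facing) interface of the firewall
#   eth1 = internal LAN, 192.0.2.0/24 (RFC 5737 documentation range)
#   192.0.2.10 = the proxy host; it has exactly one NIC, on the LAN
flush ruleset

table inet fw {
    set proxy_hosts {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections this firewall already allowed.
        ct state established,related accept
        ct state invalid drop

        # The only outbound web path: the proxy box, HTTP/HTTPS only.
        # Nothing else from the LAN is forwarded, so the firewall stays
        # the single path between the internal and external networks.
        iifname "eth1" oifname "eth0" ip saddr @proxy_hosts tcp dport { 80, 443 } ct state new accept

        # Clients trying to reach the web directly (bypassing the proxy)
        # are logged and dropped, which makes misconfigured hosts visible.
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } log prefix "fw-direct-web-blocked: " drop
    }
}
```

Load with `nft -f <file>`; `nft list ruleset` shows the resulting chain, and the logged prefix can be watched in the kernel log to confirm internal clients are in fact using the proxy.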
