I am going to try to answer a few MS Proxy questions in the queue.

From Geoffrey Cheng [[EMAIL PROTECTED]]:

>1) I have heard it can only support at most 2 network interfaces, one in
>and one out, is that true?

I do not know why you would want more than one outgoing since MS's Router
will not do BGP.  More than one internal should not be a problem as long as
all internal addresses are in the LAT and the one external is not.  Keep in
mind that IP forwarding is disabled so it will not act as a router between
internal segments.  They will need to be connected elsewhere if it is
desired.  It would be a great way to keep Internet traffic off of other
routers or if you had two networks you did not want to connect for some
reason and only one T1 to the Internet.  If MS Proxy is a member of an NT
Domain, it will get confused though since it won't know which network to
look for DCs on.  The beauty of MS Proxy is being able to use domain user
permissions (instead of IPs) to grant Internet access by application.

>2) Even if only 2 network interfaces are supported, can I place the
>Primary Domain Control server in protected segment and still offer NT
>services (port 137-139 as I remember) to the external interfaces?

I do not see why you would want NetBIOS services on the external interface.
If you need to have NetBIOS services across the Internet use a VPN tunnel,
not MS Proxy.


>I absolutely understand if I use other Firewalls like Checkpoint, the
>job can be done
>easily. But this time I need to consider it as an option and multiple
>interfaces and NT services proxies are one of the requirements. Thank
>you.


MS Proxy can act as a firewall.  The packet filtering is very functional but
the interface is not nearly as user friendly as Check Point's.  Its support
of a DMZ is basically by using virtual servers with IIS 4.  A more
traditional 3-legged Firewall-1 is much more functional.  A deficiency to
consider is that MS Proxy does not handle ICMP at all.  You cannot ping or
trace-route with MS Proxy between you and the destination.  Maybe the next
version?

[EMAIL PROTECTED] wrote:

> We are having discussions within our company whether the Microsoft Proxy
> Server is an acceptable firewall by itself, i.e., no firewall including
> a screening router between it and the Internet. Any comments are greatly
> appreciated.
>
> Thanks,

As long as you are only interested in keeping the bad out and controlling
and monitoring what your internal users are doing it is a very easy to use
and cost-effective product.  If you have various application servers that
should be in a protected DMZ then spend the money on a full-featured
firewall with an interface you can feel confident maintaining.

Chris J. Magnuson [[EMAIL PROTECTED]] wrote:

>Yes it is true.  A customer wants to use this.  It's my job to set it up
>the best I can.

>If anyone can point to any horror stories or helpful tips on this that
>would be great.

Just make sure you understand what the LAT is for, and that the external
address needs to be left out of it.  Unbind the WINS client from the
external address, even if using only one NIC.

These opinions are not necessarily those of my employer.
Joe Ippolito
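
Added example, not part of the original message: a small audit of the LAT rule described above (every internal interface address inside the LAT, the external address outside it). The "start end" range layout, the interface list and all addresses are constructed assumptions for illustration, not MS Proxy's own file format or API.

```python
import ipaddress

def parse_lat(lines):
    """Parse 'start end' range pairs (assumed layout) into address tuples."""
    ranges = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        start, end = (ipaddress.IPv4Address(p) for p in line.split())
        if start > end:
            raise ValueError(f"range start after end: {line}")
        ranges.append((start, end))
    return ranges

def in_lat(addr, ranges):
    """True if addr falls inside any LAT range."""
    a = ipaddress.IPv4Address(addr)
    return any(s <= a <= e for s, e in ranges)

def audit_lat(lat_lines, interfaces):
    """interfaces: (name, address, role) tuples, role 'internal' or 'external'."""
    ranges = parse_lat(lat_lines)
    findings = []
    for name, addr, role in interfaces:
        covered = in_lat(addr, ranges)
        if role == "external" and covered:
            findings.append(f"{name}: external address {addr} is inside the LAT")
        elif role == "internal" and not covered:
            findings.append(f"{name}: internal address {addr} is missing from the LAT")
    return findings

# Constructed sample data: two internal segments and one external NIC.
SAMPLE_LAT = [
    "10.1.0.0 10.1.255.255",
    "198.51.100.0 198.51.100.255   # mistake: covers the external NIC",
]
SAMPLE_INTERFACES = [
    ("nic0", "10.1.0.1", "internal"),
    ("nic1", "192.168.7.1", "internal"),     # second internal segment, not in LAT
    ("nic2", "198.51.100.10", "external"),
]
FIXED_LAT = ["10.1.0.0 10.1.255.255", "192.168.7.0 192.168.7.255"]

if __name__ == "__main__":
    for finding in audit_lat(SAMPLE_LAT, SAMPLE_INTERFACES):
        print(finding)
```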
