RE: What do you think about this design:PIX is in place, but make ISA


From: CMAN (CMAN_at_discussions.microsoft.com)
Date: 02/14/05

    Date: Mon, 14 Feb 2005 10:13:05 -0800
    
    

    Marlon,

    You can also consider using an outside router to block all packets except
    for the ones going to the ISA server so that you don't get unnecessary packets
    hitting the ISA server (or the PIX, for that matter). A basic router-based ACL
    will do that trick. This ensures that your ISA server will only see
    HTTP/HTTPS packets and will really just do content filtering (Application
    level firewalling) on those packets - more in depth...and more secure....

    CMAN

    "Marlon Brown" wrote:

    > We have a network administrator that handles the Cisco firewalls and DMZ
    > setup.
    > My request was to set up the ISA 2004 in the DMZ, like this:
    > Internet->PIX->ISA2004->Internal Network [FE 2003]
    >
    > However, because the network admin seems not to "trust ISA", he persists
    > that I should set up ISA 2004 as a firewall (parallel to the existing Cisco
    > firewall). That way instead of just doing the web publishing to protect OWA
    > 2003, ISA 2004 would be doing Firewalling+Web publishing.
    >
    > I am sure ISA 2004 is able to handle this, the problem is that I am
    > concerned that the CPU load when doing firewalling can actually eat up
    > processing power from the web publishing? (ISA 2004 is new dual proc, 2GB
    > server).
    >
    > In addition, I am wondering if it is viable all the work to maintain ISA
    > 2004 as a firewall when we already have a Cisco firewall doing the
    > traditional network layer firewalling part.
    >
    > Please tell me what you think about this and opine about such proposal to
    > make ISA 2004 work as a firewall, when I already have a Cisco firewall up
    > and running.
    >
    >
    >
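
Added example (not part of the original posts): a small Python model of the router ACL CMAN describes, checking which constructed packets would get past the outside router. The Cisco IOS-style rule syntax, the placeholder address 192.0.2.10 and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample ACL in Cisco IOS extended-ACL syntax (assumption: the post
# does not name the router platform). 192.0.2.10 is a placeholder for the
# public address that reaches the ISA server.
ACL = """\
permit tcp any host 192.0.2.10 eq 80
permit tcp any host 192.0.2.10 eq 443
deny ip any any
"""

class Packet(NamedTuple):
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]!r}")

def parse(acl_text):
    """Parse the small subset of ACL syntax used above into rule tuples."""
    rules = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _addr(tokens[2:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, pkt):
    """First matching rule wins; no match means deny (the ACL's implicit deny)."""
    for action, proto, src, dst, port in rules:
        if (proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst
                and port in (None, pkt.dport)):
            return action
    return "deny"

def reaches_isa(pkt):
    """True if the outside router would forward this packet."""
    return evaluate(parse(ACL), pkt) == "permit"
```

Because this filter is stateless and matches only on destination address and port, replies to any connection the ISA server itself opens outbound would also be dropped unless a rule is added for them.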

