Re: ISA 2004 Enterprise in Checkpoint DMZs
- From: "ZVR" <no_spam_ever@xxxxxx>
- Date: Tue, 1 Aug 2006 00:42:37 -0400
Hi there,
Your proposed configuration with ISA having two interfaces in two separate
DMZs is an overly complicated contraption that will not work, and even if
it _could_ be made to work it would be a nightmare to administer.
The key concept here is that ISA really shines in configurations where its
internal interface is connected to the LAN. That is the perfect textbook
example for Exchange publishing. Of course you can place another firewall in
front of ISA in this scenario, for an even more secure (read paranoid)
deployment. That is called a back-to-back firewall topology and it is what
you would do - seeing as the Checkpoint needs to stay in place.
So basically what you do is alter your suggested diagram a little, so that
the 2nd ISA interface connects to the Internal network, instead of
connecting to that "DMZ2" contraption. Obviously in this topology you don't
need routes, or to open "blanket" ports through DMZ2 - you only need to open
ports in Checkpoint for the published services.
Having said that, here's an article that deals with this exact kind of
setup - except the front firewall is another ISA, not a Checkpoint; the concepts
apply word for word though.
Publishing an OWA Site in a Back to Back ISA Firewall Configuration
http://www.isaserver.org/tutorials/Publishing-OWA-Site-Back-to-Back-ISA-Firewall-Part1.html
Virgil
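As an added illustration of the back-to-back layout the reply recommends (this is example code, not part of the original post or of any ISA/Checkpoint tooling), the model below treats the front firewall as a first-match packet filter and ISA's web publishing rule as a proxy hop that maps an external listener to the internal Exchange server. A helper flags "blanket" allow rules of the kind the two-DMZ design would need. All addresses, rule names and port numbers are hypothetical.

```python
# Added example (not from the original post): a small model of the
# back-to-back topology, used to check that the front firewall only exposes
# the published service and that ISA's web publishing rule carries that one
# flow through to the Exchange box. Addresses and rule names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule on the front (Checkpoint) firewall."""
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class PublishingRule:
    """An ISA web publishing rule: a listener on the external interface mapped
    to an internal server. ISA terminates the client connection and opens a
    new one to the server, so this is a proxy hop, not a route."""
    name: str
    listener_ip: str
    listener_port: int
    server_ip: str
    server_port: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        _addr_match(rule.src, flow.src)
        and _addr_match(rule.dst, flow.dst)
        and rule.proto in (ANY, flow.proto)
        and rule.dport in (None, flow.dport)
    )


def evaluate(ruleset: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match is an implicit deny."""
    for rule in ruleset:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def end_to_end(front: List[Rule], publishing: List[PublishingRule], flow: Flow) -> Optional[str]:
    """Return the internal 'ip:port' a client flow reaches, or None if it is
    dropped at the front firewall or has no ISA publishing rule."""
    if evaluate(front, flow) != "allow":
        return None
    for pub in publishing:
        if flow.proto == "tcp" and flow.dst == pub.listener_ip and flow.dport == pub.listener_port:
            return f"{pub.server_ip}:{pub.server_port}"
    return None


def blanket_rules(ruleset: List[Rule]) -> List[str]:
    """Allow rules with no port restriction or an 'any' destination: the kind
    of opening a routed DMZ2 leg would need and the back-to-back design avoids."""
    return [r.name for r in ruleset if r.action == "allow" and (r.dport is None or r.dst == ANY)]


# Constructed sample policy (hypothetical addresses): the Checkpoint only lets
# HTTPS reach the ISA external interface; ISA publishes OWA on that listener.
ISA_EXTERNAL = "203.0.113.10"
EXCHANGE = "10.0.0.5"

FRONT_RULES = [
    Rule("owa-to-isa", ANY, f"{ISA_EXTERNAL}/32", "tcp", 443, "allow"),
    Rule("cleanup", ANY, ANY, ANY, None, "deny"),
]
ISA_PUBLISHING = [PublishingRule("OWA", ISA_EXTERNAL, 443, EXCHANGE, 443)]

# What a routed "DMZ2" leg would need on the front firewall: a blanket hole so
# the second ISA interface can reach arbitrary internal services.
DMZ2_RULES = [
    Rule("dmz2-any", "192.0.2.0/24", "10.0.0.0/8", ANY, None, "allow"),
    Rule("cleanup", ANY, ANY, ANY, None, "deny"),
]

if __name__ == "__main__":
    client = Flow("198.51.100.7", ISA_EXTERNAL, "tcp", 443)
    print("OWA client reaches:", end_to_end(FRONT_RULES, ISA_PUBLISHING, client))
    print("SMTP to ISA reaches:", end_to_end(FRONT_RULES, ISA_PUBLISHING, Flow("198.51.100.7", ISA_EXTERNAL, "tcp", 25)))
    print("blanket rules, back-to-back:", blanket_rules(FRONT_RULES))
    print("blanket rules, DMZ2:", blanket_rules(DMZ2_RULES))
```

The point of the two checks is the one the reply makes: with ISA's inside leg on the LAN, the only front-firewall opening is tcp/443 to the ISA external address, and everything else (other ports, other destinations) dies at the Checkpoint cleanup rule; the routed DMZ2 variant only works by carrying a port-less allow, which `blanket_rules` surfaces.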