Re: MSSQL Server Gateway
- From: "A. Klimkin" <nothanks at microsoft.com>
- Date: Tue, 24 Oct 2006 17:07:59 +0400
The topology is as simple as mentioned in my previous post.
Two routed internal private class B networks separated by a firewall.
No extranet/Internet involved.
All I want to know is if ISA Server supports the desired
gateway/concentrator functionality for lowering administrative complexity on
the firewall. (Optionally, user authentication without installing
additional software on the client).
I personally don't think it's possible to do this with ISA and/or Proxy
Server but I was told otherwise and am just trying to figure out if I'm wrong
without installing the ISA Server in a lab.
Dan,
Considering the fact that the guy who told you the ISA is able to do what
you want was me, I feel the need to explain to you once again everything I tried
to say with my first (and, further, with the next) answer.
First of all, let's check if I properly understood what you are asking
about.
Your existing environment:
You have two distinct networks and some firewall between them. You limit
access from one network to other down to particular sockets.
Your target:
You want to tighten internetwork access by applying ACLs on a border device
on per-user (not per-IP) basis.
If I missed or misunderstood something, please let me know.
If you feel I properly described your current config and your goal, I
strongly suggest you carefully review my initial answer once again. It
contains all the information you need to successfully apply an ISA server to
complete your task.
If some points in my suggestion don't meet your expectations, I'm sorry,
but there are some mandatory requirements and other limitations that we
couldn't deny and they would prevent you from using ISA server in your
network, i.e.:
1. You don't want to replace your existing firewall with ISA server.
Sorry, but single-leg (unihomed) ISA configuration is unable to apply
filtering on traffic other than HTTP and FTP. Since your primary need is to
pass SQL traffic, you have to add a second NIC on your ISA server and put it
between your two networks -- instead, or side-by-side with the existing
firewall appliance.
2. You don't want to install additional software on the client side.
Sorry again, without firewall client software the ISA server would be unable to
authenticate client requests. The TCP/IP stack couldn't authenticate itself. So
without FWC, you are stuck with traditional ACLs by client IP.
Sure, it's not a drama when the ISA server is unable to complete your task.
Any appliance out there has its application area and some limitations
on configuring and using. It's only your decision -- if you are ready to
live with that or you decide to find another [you think] more appropriate
solution.
I really don't know what I can add to this. And I hope this helps a bit.
Regards,
Andrew