Re: SBS With firewall & DMZ - Use ISA or not?
- From: "CCMiami" <nospam@xxxxxxxxxxxxxxx>
- Date: Thu, 10 Nov 2005 21:44:42 -0500
Why not go through sbs? Well, single and fragile point of failure and
security risk for one thing. Having all the services, firewall & vpn on one
box seems like it could be a problem, even with something outside it - if it
goes (or even just have to reboot) so goes the entire network. Can't really
harden a server with all those services.
Also I don't know if going through that layer is going to cause
compatibility or performance issues. And, I don't really want to set up
proxy clients because many of the computers are laptops.
I really intended to just get a server with exchange, it seems to kind of
want to take over - perhaps should just let it!
As far as IIS - when I installed ISA it said something about shutting down
IIS.
On the other hand, I could just trust MS :)
Perhaps these are not really good concerns, not really an expert at this.
Thanks,
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u%23Ko2ll5FHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
>I agree with Trevor. I'm not sure exactly what you're asking, but yes, all
>connections between LAN clients and the Internet go through the SBS box.
>That's the only way you're forcing them through the ISA firewall. As
>Trevor says, you can allow any inbound access you're comfortable with while
>still using ISA. I'm using the Sonicwall to provide an extra layer of
>protection in addition to ISA. As an old-time SBS user, I really view ISA
>as the primary firewall.
>
> Using RWW, you'll have secure inbound access to Exchange (OWA),
> Sharepoint, and the desktop PCs. If you're not looking to provide inbound
> access other than for your internal users, that should be all you need.
> It'll work great through the Sonicwall and ISA, and be a lot more secure
> than a solution that works around ISA. Why don't you want your client
> connections to go through the SBS?
>
>
> "Trevor" <thetrev68 @ gmail.com> wrote in message
> news:%23C8qifl5FHA.3136@xxxxxxxxxxxxxxxxxxxxxxx
>> ISA and IIS can coexist. OWA, RWW, sharepoint, etc. all run fine on SBS
>> boxes. Configuration is super easy. Let the wizard do it. In my case,
>> I also have 2 separate ecommerce webservers behind my ISA without issue.
>>
>> -Trevor
>>
>>
>> "CCMiami" <nospam@xxxxxxxxxxxxxxx> wrote in message
>> news:HqQcf.1077$sg5.207@xxxxxxxxxxxxx
>>> So you are running the clients through SBS - right? Or just the
>>> external services?
>>> For one thing with ISA it says you can't have IIS (At least on port 80),
>>> but IIS is necessary for all the exchange stuff and an external site (I
>>> could set up external sites on another box if I had to). So that may
>>> take away a lot of the exchange/sharepoint/company web functionality.
>>> So I did a test setup with 2 nics but it then seemed to want to force
>>> the clients through SBS, which does not seem necessary (and I never did
>>> get web clients to work but this may be the IIS thing).
>>> There is no option for this, so what I am thinking is I should install
>>> it as a local lan setup and then add a NIC for the outside-DMZ.
>>> Does this make sense?
>>>
>>> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
>>> message news:OTUisck5FHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Sorry to not really answer your question. I'm running Premium with ISA
>>>> behind a Sonicwall. IMO, even though this is overkill in that I would
>>>> trust either the Sonicwall or ISA separately, I see value in having the
>>>> added layer of protection.
>>>>
>>>> So what I'm doing is that I run the Sonicwall with a single connection
>>>> to the ISP on the WAN side and a single connection to the 2nd NIC in
>>>> the SBS on the LAN side. I don't find ISA to be particularly complex -
>>>> you can let the CEICW configure it. What I'm running is the
>>>> traditional SBS/ISA behind NAT router configuration that many SBS'ers
>>>> have been using since the SBS 4 days, just that I'm using the Sonicwall
>>>> instead of a Linksys.
>>>>
>>>> As soon as I can get some cable installed, I'm going to connect a
>>>> wireless access point to the OPT port on the Sonicwall. This will
>>>> provide wireless Internet access to guests, while completely isolating
>>>> them from our LAN.
>>>>
>>>> ISA gives you more control, plus monitoring, logging, and caching. I'm
>>>> happy with the configuration I'm using, and I'm not planning to change
>>>> anything when I replace my SBS hardware in the near future. IMO having
>>>> paid for ISA, you might as well use it.
>>>>
>>>>
>>>>
>>>>
>>>> "CCMiami" <nospam@xxxxxxxxxxxxxxx> wrote in message
>>>> news:sOPcf.1076$sg5.183@xxxxxxxxxxxxx
>>>>> Wow - that was fast!
>>>>> Is there any "special" way to configure it when I don't want it to be
>>>>> the gateway? (Seems to make things more complex - have to configure
>>>>> proxies and such)
>>>>>
>>>>> And do you still use ISA?
>>>>> Thanks!
>>>>>
>>>>> "Cris Hanna [SBS-MVP]"
>>>>> <crisno_spamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> news:%23nT60Tk5FHA.2600@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>2 nics...always
>>>>>>
>>>>>> --
>>>>>> Cris Hanna [SBS-MVP]
>>>>>> -----------------------------------------------
>>>>>> Please do not contact me directly. Please only respond here in the
>>>>>> newsgroup for the benefit of all.
>>>>>> "CCMiami" <nospam@xxxxxxxxxxxxxxx> wrote in message
>>>>>> news:YzPcf.1074$sg5.52@xxxxxxxxxxxxx
>>>>>>> Hi!
>>>>>>> I am putting a new SBS-Premium behind a hardware firewall
>>>>>>> (Sonicwall). The question is this; Is it better to set it up with a
>>>>>>> single network connection in the DMZ (Not use ISA) and then have
>>>>>>> clients and the "outside" and inside go through that same port or is
>>>>>>> it better to use 2 network connections, one in the DMZ (Behind ISA)
>>>>>>> and one in the LAN? It would seem there would be some advantage to
>>>>>>> still using ISA (As just a firewall) for the external connections
>>>>>>> while having the LAN connection more open. On the other hand, this
>>>>>>> may just introduce complexity or other problems. In either case I
>>>>>>> don't expect the clients to proxy through the SBS.
>>>>>>>
>>>>>>> Also, if it did make sense to set it up with 2 lans and ISA, which
>>>>>>> ISA option would that be (I think it was something like firewall,
>>>>>>> server or dual)? I would also like to run IIS and I think one of
>>>>>>> these options did not allow IIS (So many options, so little time).
>>>>>>>
>>>>>>> I have to admit that in experimenting I find ISA very complex, it is
>>>>>>> hard to see how to do things that are quite simple on a regular
>>>>>>> firewall. I'm sure the options are there - but finding them is a
>>>>>>> chore.
>>>>>>>
>>>>>>> Any thoughts?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>