Firewall Wizards mailing list archives

RE: Strange setup


From: "Robert L. Wanamaker" <bobw () avantsystems com>
Date: Thu, 26 Feb 2004 18:26:58 -0500

Greetings.

I agree with Paul that without knowing more about the rulesets, etc. it's
really impossible to say.  But I would say that since you haven't indicated
the presence of any hosts on the ISA<->SonicWall segment, then it's not
really functioning as a DMZ, but merely as a segment to connect the two
devices.

This architecture, IMO, can have significant advantages in an MS shop.  As
Mark indicated, ISA functions as an application layer proxy.  I tend to
disagree that you must have 2 NICs and dual-home the server; I know that
Microsoft indicates you must, but I have many sites operating with just one
segment in MS-Proxy/ISA.  It's a bit of torture setting one up the first
time this way, but it works fine.

The great advantage [IMO] of this architecture is that you can easily set up
egress filtering to prohibit all client workstations from accessing the
outside world directly, and permit only the ISA server such access.  A great
thing is that since ISA server is Active Directory aware, it becomes quite
easy to manage users and groups at the application level, and restrict
access to certain sites based on AD information.  Not to mention logging of
user activity, blah blah blah.

The LAN-backbone<->SonicWall segment is in place to permit mail, and any
other non-proxy-aware applications, to function as needed.  If the ISA server
were set up single-homed, the overall architecture would be simplified.

If that "dmz" truly has no hosts, and is not doing anything, then I think
this is a safe bet.

Regards,

Bob

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of franco segna
Sent: Thursday, February 26, 2004 9:39 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Strange setup


Hi everybody,
I'm being confronted with the following existing setup:


    T1                    --------------------------------
(Internet                 |        LAN backbone          |
 and VPNs)                ------------+---+---+-+-+-+-+---
     |                                |   |   | | | | |
     |  +-------+ local x.x.x.254/24  |   |   | | | | +-
     |  | Sonic +---------------------+   |   | | | +-
     +--+  Wall |                         |   | | |
        |  Pro  +------+                  |   | | +- SQL
        +-------+ dmz  |                  |   | +-- mail
                  (?)  |  +--------+      |   +--- etc.
                       |  | MS ISA |      |
                       +--+  2000  +------+
                          | Server | x.x.x.251/24
                          +--------+

The public web server is hosted elsewhere. The LAN comprises 30
workstations.
To complicate the matter, the LAN address family x.x.x. is NOT
RFC1918-compliant (and is conflicting with existing Internet hosts).
The system is up and running, but I cannot understand the bypassing of the
ISA server through the direct connection firewall/LAN. And the meaning of
DMZ seems to be lost.
Can anyone help me to understand the matter? Thanks in advance.

Franco Segna

---

Franco Segna  -  fsegna () web de
via Dante Alighieri 60 - 31027 Spresiano TV - Italia - phone +39 0422 725020 - fax +39 0422 888707

Keys server wwwkeys.pgp.net
Key fingerprint = 704C 3070 70A0 680A 760D  025E D849 02AB 2309 87A3




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
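The egress-filtering design Bob describes (workstations denied direct Internet access, only the ISA proxy and the non-proxy-aware mail path allowed out) and Franco's remark that the LAN range is not RFC 1918 space, as an added Python example that is not part of either post. The 192.0.2.0/24 LAN and 198.51.100.0/24 external addresses are constructed stand-ins for the thread's unspecified x.x.x.0/24 (only the ISA server at .251 comes from the diagram); the mail host at .10 and the proxy listener on TCP 8080 are assumptions.

```python
"""Egress-policy evaluator plus RFC 1918 check.

Added example, not code from either poster. Addresses are constructed:
192.0.2.0/24 stands in for the thread's x.x.x.0/24 and is deliberately
NOT an RFC 1918 block, which mirrors Franco's observation about the LAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

# Constructed stand-in for the thread's x.x.x.0/24 LAN.
LAN = ipaddress.ip_network("192.0.2.0/24")
# ISA 2000 server is x.x.x.251 in the diagram; mail host .10 is an assumption.
ISA_PROXY = ipaddress.ip_network("192.0.2.251/32")
MAIL_HOST = ipaddress.ip_network("192.0.2.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the firewall would see it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """First-match rule: action applies when every field matches."""
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                         # "tcp", "udp" or "any"
    dports: Optional[FrozenSet[int]]   # None means any destination port
    comment: str


# Egress policy on the Internet-facing device, in the spirit of Bob's design.
EGRESS_POLICY: List[Rule] = [
    Rule("allow", ISA_PROXY, ANY, "tcp", frozenset({80, 443}),
         "ISA proxy fetches web content on behalf of AD-authenticated users"),
    Rule("allow", MAIL_HOST, ANY, "tcp", frozenset({25}),
         "SMTP is not proxy-aware, so the mail host may reach out directly"),
    Rule("allow", LAN, LAN, "any", None,
         "intra-LAN traffic (e.g. workstation -> proxy listener) is not egress"),
    Rule("deny", LAN, ANY, "any", None,
         "default: workstations get no direct Internet access"),
]


def evaluate(flow: Flow, policy: List[Rule] = EGRESS_POLICY) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule, else implicit deny."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in policy:
        if (src in rule.src and dst in rule.dst
                and rule.proto in ("any", flow.proto)
                and (rule.dports is None or flow.dport in rule.dports)):
            return rule.action, rule.comment
    return "deny", "implicit deny"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of flows, useful for checking a policy against expected traffic."""
    return [(f, *evaluate(f)) for f in flows]


def is_rfc1918(network: ipaddress.IPv4Network) -> bool:
    """True when the whole network sits inside one of the RFC 1918 private blocks."""
    return any(network.subnet_of(private) for private in RFC1918)


if __name__ == "__main__":
    # Constructed sample traffic: a workstation, the proxy and the mail host.
    sample = [
        Flow("192.0.2.37", "198.51.100.20", "tcp", 80),    # workstation direct to web
        Flow("192.0.2.37", "192.0.2.251", "tcp", 8080),    # workstation to ISA listener
        Flow("192.0.2.251", "198.51.100.20", "tcp", 443),  # ISA fetching on behalf of user
        Flow("192.0.2.10", "198.51.100.20", "tcp", 25),    # mail host delivering SMTP
        Flow("192.0.2.10", "198.51.100.20", "tcp", 80),    # mail host browsing: not allowed
    ]
    for flow, action, reason in audit(sample):
        print(f"{flow.src:>13} -> {flow.dst}:{flow.dport}/{flow.proto}  {action:5}  ({reason})")
    print("LAN is RFC 1918 private space:", is_rfc1918(LAN))
```

The point the evaluator makes concrete is that egress control is expressed per source host, not per protocol alone: the mail host gets exactly SMTP, the proxy gets exactly web ports, and everything else on the LAN falls through to the deny rule. The RFC 1918 check returns False for the constructed LAN, which is the condition Franco reports and the reason a public range reused internally can collide with real Internet hosts.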
