Firewall Wizards mailing list archives
RE: Strange setup
From: "Robert L. Wanamaker" <bobw () avantsystems com>
Date: Thu, 26 Feb 2004 18:26:58 -0500
Greetings. I agree with Paul that without knowing more about the rulesets, etc., it's really impossible to say. But I would say that since you haven't indicated the presence of any hosts on the ISA<->SonicWall segment, it's not really functioning as a DMZ, but merely as a segment to connect the two devices.

This architecture, IMO, can have significant advantages in an MS shop. As Mark indicated, ISA functions as an application layer proxy. I tend to disagree that you must have 2 NICs and dual-home the server; I know that Microsoft indicates you must, but I have many sites operating with just one segment in MS-Proxy/ISA. It's a bit of torture setting one up the first time this way, but it works fine. The great advantage [IMO] of this architecture is that you can easily set up egress filtering to prohibit all client workstations from accessing the outside world directly, and permit only the ISA server such access. A great thing is that since ISA server is Active Directory aware, it becomes quite easy to manage users and groups at the application level, and restrict access to certain sites based on AD information. Not to mention logging of user activity, blah blah blah.

The LAN-backbone<->SonicWall segment is in place to permit mail, and any other non-proxy-aware applications, to function as needed. If the ISA server were set up single-homed, the overall architecture would be simplified. If that "dmz" truly has no hosts, and is not doing anything, then I think this is a safe bet.
Regards, Bob

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of franco segna
Sent: Thursday, February 26, 2004 9:39 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Strange setup

Hi everybody, I'm being confronted with the following existing setup:

[ASCII network diagram, flattened by extraction. Recoverable content: a T1 to the Internet and VPNs terminates on a SonicWall Pro (local x.x.x.254/24); the SonicWall connects directly to the LAN backbone and, over a "dmz" segment, to an MS ISA 2000 Server (x.x.x.251/24), which also connects to the LAN backbone; hosts on the LAN backbone include SQL, mail (?), etc.]

The public web server is hosted elsewhere. The LAN comprises 30 workstations. To complicate the matter, the LAN address family x.x.x. is NOT RFC1918-compliant (and is conflicting with existing Internet hosts).

The system is up and running, but I cannot understand the bypassing of the ISA server through the direct connection firewall/LAN. And the meaning of DMZ seems to be lost. Can anyone help me to understand the matter?

Thanks in advance
Franco Segna

---
Franco Segna - fsegna () web de
via Dante Alighieri 60 - 31027 Spresiano TV - Italia
phone +39 0422 725020 - fax +39 0422 888707
Keys server wwwkeys.pgp.net
Key fingerprint = 704C 3070 70A0 680A 760D 025E D849 02AB 2309 87A3

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
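The egress model Bob describes (only the ISA proxy may reach the outside, a non-proxy-aware service such as mail gets its own narrow allow, every other LAN host is denied direct access) and Franco's concern about non-RFC1918 LAN addressing, as an added Python example that is not part of this thread. The addresses are constructed (the post masks the real ones as x.x.x.N), the mail server address and the rule set are assumptions, not the site's actual SonicWall configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing: the post masks the LAN as x.x.x.0/24, so RFC 5737
# documentation space stands in for it. Host .251 (ISA) is the only number
# quoted in the post; the mail server host number is an assumption.
LAN_NET = ipaddress.ip_network("203.0.113.0/24")
ISA_SERVER = ipaddress.ip_network("203.0.113.251/32")
MAIL_SERVER = ipaddress.ip_network("203.0.113.25/32")  # assumed

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

# Assumed egress policy on the Internet-facing firewall, first match wins.
# The host-specific allows must precede the LAN-wide deny, because the proxy
# and the mail server both live inside LAN_NET; reordering silently breaks it.
EGRESS_RULES: List[Rule] = [
    Rule("isa-proxy-out", ISA_SERVER, None, "allow"),  # all proxied client traffic
    Rule("mail-smtp-out", MAIL_SERVER, 25, "allow"),   # non-proxy-aware service
    Rule("lan-default-deny", LAN_NET, None, "deny"),   # workstations: no direct egress
]

def evaluate(src: str, dport: int, rules: List[Rule] = EGRESS_RULES) -> Tuple[str, str]:
    """Return (action, matching rule name) for an outbound flow; unmatched flows are denied."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in rule.src and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"

# RFC 1918 is checked against the three blocks explicitly: IPv4Network.is_private
# also reports documentation and other special-purpose ranges as private, which
# would hide exactly the addressing conflict Franco describes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr: str) -> bool:
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)

if __name__ == "__main__":
    for src, port in (("203.0.113.251", 80), ("203.0.113.25", 25), ("203.0.113.42", 443)):
        print(src, port, evaluate(src, port))
    print("LAN prefix is RFC 1918:", is_rfc1918(str(LAN_NET)))
```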
Current thread:
- Strange setup franco segna (Feb 26)
- Re: Strange setup Mark Tinberg (Feb 26)
- RE: Strange setup Robert L. Wanamaker (Feb 26)
- <Possible follow-ups>
- RE: Strange setup Melson, Paul (Feb 26)
- RE: Strange setup Bill Royds (Feb 27)
- RE: Strange setup mcary (Feb 27)
- RE: Strange setup Daniel Linder (Feb 27)
- RE: Strange setup Steven A. Fletcher (Feb 27)
- Multiple small switches vs. a single big one; Granularity of control Shimon Silberschlag (Feb 29)
- RE: Strange setup Sloane, David (Feb 27)