Guest
Posted: Sun Jan 09, 2005 8:55 am
Post subject: PIX DMZ and ISA server

What is the best location for the ISA external interface?
Currently we have the external interface of the ISA server in a DMZ behind a
PIX firewall. The internal interface is on the internal LAN. Is this the
best architecture or is there a better way of doing it?

ScriptBoy
Guest
Posted: Sat Jan 15, 2005 5:41 pm
Post subject: Re: PIX DMZ and ISA server

<na@na.com> wrote in news:10u1apfh8cr0uc6@corp.supernews.com:
> What is the best location for the ISA external interface?
> Currently we have the external interface of the ISA server in a DMZ
> behind a PIX firewall. The internal interface is on the internal LAN.
> Is this the best architecture or is there a better way of doing it?

It all depends on the intent of the ISA server. If you are just using it as
a web caching server/proxy for internal clients, why even have an external
NIC? If you can state the intent of the ISA server, we (readers of this
newsgroup) can provide a better response. If I had to put an ISA server up
that required two NICs, I would install it as you have described above.

Scott Lowe
Guest
Posted: Tue Jan 18, 2005 1:34 am
Post subject: Re: PIX DMZ and ISA server

On 2005-01-08 22:55:24 -0500, <na@na.com> said:
> What is the best location for the ISA external interface?
> Currently we have the external interface of the ISA server in a DMZ behind a
> PIX firewall. The internal interface is on the internal LAN. Is this the
> best architecture or is there a better way of doing it?

If installing ISA in integrated mode (two NICs), then proceed as you
have suggested, keeping in mind how the PIX NAT rules/access lists and
the ISA NAT/publishing rules will interact.

If installing ISA in cache mode (single NIC), then also install it in
the DMZ. You then need only to consider the PIX's NAT rules and
access-list entries.

I would also strongly urge you to investigate the use of products such
as Apache (with mod_ssl, mod_security, etc.) in place of ISA. This
solution can offer much of the same functionality (with regards to
protecting web servers) without any licensing costs. There is a
learning curve, but (IMHO, as one who has been along that curve) it is
worth it.

HTH.
--
Scott Lowe