Welcome to ISAserver.org


Web publishing - has to be done in firewall mode in ISA 2004 SE?

Web publishing - has to be done in firewall mode in ISA... - 12.Oct.2004 7:26:00 PM   
ristic

 

Posts: 4
Joined: 12.Oct.2004
From: Washington, DC
Status: offline
In ISA 2000 SE, when installing, you get prompted whether you want to install in firewall mode, caching only or integrated - in ISA 2004 SE you never get that choice, it's firewall mode only? Even when I have only one NIC and all I want to do is web publishing (I use Cisco PIX firewalls so no need for ISA in firewall mode) - in ISA 2004 I have to use it in firewall mode? Or am I missing something...?

Thanks!
Post #: 1
RE: Web publishing - has to be done in firewall mode in... - 12.Oct.2004 7:57:00 PM   
tshinder

 

Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ristic,

I'd SERIOUSLY reconsider your assessment regarding not needing the ISA firewall as a firewall. The PIX is a simple packet filter. Personally, I would NEVER trust my own assets and those I am in charge of protecting to a packet filter like PIX.

You can use the PIX packet filter to offload some processing off the ISA firewall, but don't fool yourself that the PIX is providing real firewall protection.

HTH,
Tom

[ October 12, 2004, 07:57 PM: Message edited by: tshinder ]

(in reply to ristic)
Post #: 2
RE: Web publishing - has to be done in firewall mode in... - 12.Oct.2004 8:01:00 PM   
ristic

 

Posts: 4
Joined: 12.Oct.2004
From: Washington, DC
Status: offline
Thanks Tom. We will reconsider, I hope. It's a big organization with big Cisco and Unix shops and not too keen on Microsoft products. I know what you're talking about but they don't listen. Anyhow, back to my question if we may please, does ISA 2004 support caching-only mode? You see, your book is not out on Amazon yet, I can't wait [Smile]

(in reply to ristic)
Post #: 3
RE: Web publishing - has to be done in firewall mode in... - 22.Oct.2004 12:04:00 PM   
Jeroen_317

 

Posts: 75
Joined: 18.Dec.2002
From: Belgium
Status: offline
ISA2004 always has the firewall enabled because *grmblz* they implemented the web proxy into the firewall service so it has to be running. I heard it was required for enhancing speed...

If anyone knows of a configuration or registry hack which disables the firewalling and only enables the web proxying, I would be VERY thankful.

Jeroen.

(in reply to ristic)
Post #: 4
RE: Web publishing - has to be done in firewall mode in... - 22.Oct.2004 3:38:00 PM   
Jeroen_317

 

Posts: 75
Joined: 18.Dec.2002
From: Belgium
Status: offline
Okay, I've found the solution for usage in a DMZ.

You have to use the Single Network Adapter template and accept the range that is chosen for the Internal network.

It's a bit strange for me because that range is 0.0.0.1-126.255.255.255 and 128.0.0.0-255.255.255.254 which means everything except the 127.0.0.0/8 range. The object "External" now has no meaning anymore... the picture they use for this template is misleading in my opinion.

I changed the "Internal"-range to the real internal range according to the picture.

I created an access rule from Localhost to Internal, but I cannot do a thing. The logging shows denied but it also shows connections from and to the ranges which I had permitted. So they should be allowed, I don't understand this...did the template change other things?

It appears you have to use the range with only 127.0.0.0/8 and don't you dare change that...

ISA 2004 is a big step forward in the firewall market but you have to know it well...it's a challenge [Wink]

Can someone explain to me why I have to use that special range for my internal object?

In my opinion the picture that Microsoft uses, should be changed...I mean when you look at it, it is as if there is no firewall between Internal and External. And when you look in the Internal object, it shows every IP except the 127.0.0.0-range... [Confused] [Confused]

(in reply to ristic)
Post #: 5
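
The range arithmetic from post #5, as an added example that is not part of the thread and not ISA Server code: it computes which IPv4 addresses the template's two Internal ranges leave out, and shows how a sample address changes network once Internal is narrowed. The narrowed range, the sample addresses and the three-way classification (loopback / Internal / External) are assumptions made for illustration.

```python
import ipaddress

# Ranges quoted in the post for the Single Network Adapter template's Internal network.
TEMPLATE_INTERNAL = [("0.0.0.1", "126.255.255.255"),
                     ("128.0.0.0", "255.255.255.254")]
# Constructed example of a narrowed "real" internal range (assumption).
NARROWED_INTERNAL = [("10.0.0.0", "10.255.255.255")]
MAX_V4 = 0xFFFFFFFF


def to_int_ranges(ranges):
    """Convert (first, last) dotted-quad pairs to sorted integer pairs."""
    return sorted((int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
                  for a, b in ranges)


def uncovered(ranges):
    """Return the CIDR blocks of IPv4 space that the given ranges do NOT cover."""
    gaps, cursor = [], 0
    for first, last in to_int_ranges(ranges):
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= MAX_V4:
        gaps.append((cursor, MAX_V4))
    blocks = []
    for first, last in gaps:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return [str(b) for b in blocks]


def classify(addr, internal_ranges):
    """Simplified model (assumption): 127.0.0.0/8 is loopback, listed ranges are
    Internal, and any address in no defined network is treated as External."""
    ip = ipaddress.IPv4Address(addr)
    if ip in ipaddress.IPv4Network("127.0.0.0/8"):
        return "loopback"
    n = int(ip)
    if any(first <= n <= last for first, last in to_int_ranges(internal_ranges)):
        return "Internal"
    return "External"


if __name__ == "__main__":
    print("Not covered by template Internal:", uncovered(TEMPLATE_INTERNAL))
    for addr in ("10.1.2.3", "192.0.2.10", "127.0.0.1"):  # constructed samples
        print(addr, classify(addr, TEMPLATE_INTERNAL),
              classify(addr, NARROWED_INTERNAL))
```

Besides 127.0.0.0/8, the template ranges also omit 0.0.0.0 and 255.255.255.255, which is why they start at 0.0.0.1 and end at 255.255.255.254.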
