tshinder -> RE: proxy for external range ( Pls. Dr tom ) (28.Jan.2007 12:39:22 PM)
Well, another understanding issue here.
mekaneky said he does not really care about security, which means in essence external attacks. He knows he has ISA Firewall mechanisms even as a proxy only and this is enough for him.
When mekaneky also said he wants to provide file sharing from his ISA Server it means he does not have the means to buy another server.
And the fact that hackers could use a PC to hack external resources is just a matter of PC configuration and some policy deployment, mainly, rather than the ISA Server itself. Some things should be done on the firewall of course, I agree, but as soon as you open some ports to the external world, this is more a matter of being able to control PC configuration by disabling the command line window, installing programs, allowing only a pool of predefined binaries, ...
There was no need again trying to be smarter, you simply needed to listen up a little bit better.
This is what service is all about. This is not about trying to prove you are better, this is about proposing the best solution possible for your customer. Ideally he should have another server, I agree with you, but this is not the case, so you deal with what you have and in the meantime you can let the guy know this is not ideal for such and such reason. But simply replying something like "You are a moron, this is not the way ISA works" is not helping anybody.
And yes ISA is also a Proxy, and has always been a proxy server.
You are not obliged to use ISA as a real firewall (2 NICs at least).
And as you do not seem to be aware ISA can be installed as a Web Proxy or Caching server only using a single NIC.
Please refer to this article
And stop insulting people this is really annoying now.
With all that said, we definitely do NOT support or endorse "hork mode" single NIC or unsecure configurations on the ISAserver.org site. Microsoft will do it on their site because they want to sell product. We are more concerned with security and best configuration practices for the ISA Firewall. For that reason, most of us will advise people to avoid poor security practices, and do what is best.
The ISA Firewall is no longer a simple Web proxy device. In fact, it's a firewall with a Web proxy filter bound to it, but the Web proxy features are always tertiary to the Firewall components of the system.