RE: Discussion about article on using ISA to protect from PIX (Full Version)


SteveMoffat -> RE: Discussion about article on using ISA to protect from PIX (19.Mar.2009 7:07:06 AM)

And this has got what to do with the original OP's issue?

Start your own thread.




portnoy -> RE: Discussion about article on using ISA to protect from PIX (19.Mar.2009 9:07:55 AM)

I might be confused, but the main topic of the thread is:
This article is for discussing the article on using ISA in a PIX DMZ to protect Exchange mail and Web services at http://isaserver.org/tutorials/2004isapixdmz.html

That's the reason I posted the question.




Jason Jones -> RE: Discussion about article on using ISA to protect from PIX (19.Mar.2009 10:08:02 AM)

So they need to see a specific helo banner from the Exchange SMTP server?

I assume you are server publishing Exchange for SMTP with the SMTP filter enabled?

Not good security-wise, but you may have to unbind the SMTP security filter to get a "pure" response back from Exchange...

Cheers

JJ




portnoy -> RE: Discussion about article on using ISA to protect from PIX (19.Mar.2009 10:09:44 AM)

Wow - thank you. Yes, they are looking for a specific helo and yes, we do have SMTP filters enabled. Thank you very much for your help.




tshinder -> RE: Discussion about article on using ISA to protect from PIX (22.Mar.2009 11:22:34 AM)

The ISA firewall is not blocking any banner response. Could be the PIX.

HTH,
Tom




portnoy -> RE: Discussion about article on using ISA to protect from PIX (23.Mar.2009 10:04:55 AM)

Thanks to everyone for the help. We figured it out over the weekend: the issue was "double" NATing, PIX and then ISA. Once we fixed the ISA side, everything started to work.




tshinder -> RE: Discussion about article on using ISA to protect from PIX (24.Mar.2009 8:32:48 AM)

Great!

But what did you need to do on the ISA side? ISA didn't block the banner.

Thanks!
Tom




portnoy -> RE: Discussion about article on using ISA to protect from PIX (24.Mar.2009 11:22:01 AM)

Originally we were NATing traffic on the PIX and on the ISA. We took out ISA NATing, re-enabled external interface to accept incoming from NATed PIX interface and published SMTP and, alas, traffic started to flow!!! Raf




tshinder -> RE: Discussion about article on using ISA to protect from PIX (25.Mar.2009 8:57:09 AM)

OK, it sort of makes sense.

Good to hear you got it working and thanks for the follow up!

Tom




SteveMoffat -> RE: Discussion about article on using ISA to protect from PIX (25.Mar.2009 9:26:33 AM)

It's not just ISA that needs protected from PIX

[;)][;)]




tshinder -> RE: Discussion about article on using ISA to protect from PIX (31.Mar.2009 10:11:10 AM)

It's sort of strange that there are any PIX devices out there -- they were based on a 20th century threat model that's no longer valid. All it does is pass exploits.

Tom




Jason Jones -> RE: Discussion about article on using ISA to protect from PIX (31.Mar.2009 10:25:47 AM)

quote:

ORIGINAL: tshinder

It's sort of strange that there are any PIX devices out there -- they were based on a 20th century threat model that's no longer valid. All it does is pass exploits.

Tom


You mean I'm not protected by Layer 3 firewalls? Ok, I had better put an ISA Server in my DMZ between my Layer 3 firewalls then...




tshinder -> RE: Discussion about article on using ISA to protect from PIX (31.Mar.2009 10:48:53 AM)

I think you need to put TWO layer 3 firewalls in front of and behind the ISA firewall -- you can never be too secure [;)]

Tom




Jason Jones -> RE: Discussion about article on using ISA to protect from PIX (31.Mar.2009 11:31:13 AM)

quote:

ORIGINAL: tshinder

I think you need to put TWO layer 3 firewalls in front of and behind the ISA firewall -- you can never be too secure [;)]

Tom


Ok, sounds good (just for people not detecting the sarcasm, I am joking!) [:D]




tshinder -> RE: Discussion about article on using ISA to protect from PIX (1.Apr.2009 8:48:18 AM)

Same here [:)]

Tom




kblackwel -> RE: Discussion about article on using ISA to protect from PIX (10.Feb.2012 1:47:07 PM)

I know this is an old posting, hoping you're still monitoring it.

I've been going over the ISA firewall in a PIX config, and I have one concern.

On the ISA firewall, you have the ISA sitting in the DMZ and on the LAN on the internal.

I know this was written some time ago, but the readings I have found all suggest the ISA could be a security weak spot. I'm concerned that if the machine gets compromised, someone will have direct access to the LAN network.

Your pix setup doesn't seem to suggest that.

Would you continue to use that set up knowing what you know now?

Thanks if you're there.



