
Welcome to ISAserver.org


RE: Discussion about article on using ISA to protect from PIX

RE: Discussion about article on using ISA to protect fr... - 19.Mar.2009 7:07:06 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
And this has got what to do with the original OP's issue?

Start your own thread.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to portnoy)
Post #: 21
RE: Discussion about article on using ISA to protect fr... - 19.Mar.2009 9:07:55 AM   
portnoy

 

Posts: 5
Joined: 18.Mar.2009
Status: offline
I might be confused, but the main topic of the thread is:
This article is for discussing the article on using ISA in a PIX DMZ to protect Exchange mail and Web services at http://isaserver.org/tutorials/2004isapixdmz.html

That's the reason I posted the question.

(in reply to SteveMoffat)
Post #: 22
RE: Discussion about article on using ISA to protect fr... - 19.Mar.2009 10:08:02 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
So they need to see a specific HELO banner from the Exchange SMTP server?

I assume you are server publishing Exchange for SMTP with the SMTP filter enabled?

Not good security-wise, but you may have to unbind the SMTP security filter to get a "pure" response back from Exchange...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to portnoy)
Post #: 23
RE: Discussion about article on using ISA to protect fr... - 19.Mar.2009 10:09:44 AM   
portnoy

 

Posts: 5
Joined: 18.Mar.2009
Status: offline
Wow - thank you. Yes, they are looking for a specific HELO and yes, we do have SMTP filters enabled. Thank you very much for your help.

(in reply to Jason Jones)
Post #: 24
RE: Discussion about article on using ISA to protect fr... - 22.Mar.2009 11:22:34 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA firewall is not blocking any banner response. Could be the PIX.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to portnoy)
Post #: 25
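
One way to tell which device on the path changes the SMTP greeting or EHLO reply discussed above is to capture the session once directly against the Exchange server and once through the PIX/ISA path, then compare the two. This is an added example, not part of any forum post; the host names and both transcripts are constructed for illustration.

```python
import re

# One SMTP reply line: 3-digit code, '-' (more lines follow) or ' ' (final line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(transcript):
    """Group the server reply lines of a captured session into (code, [texts])."""
    replies, lines = [], []
    for raw in transcript.splitlines():
        m = REPLY_LINE.match(raw)
        if not m:
            continue  # client commands and blank lines are skipped
        code, sep, text = m.groups()
        lines.append(text)
        if sep == " ":  # a space after the code ends a (possibly multi-line) reply
            replies.append((code, lines))
            lines = []
    return replies

def ehlo_extensions(replies):
    """Extension keywords from the first 250 reply (its first line is the host name)."""
    for code, texts in replies:
        if code == "250":
            return {t.split()[0].upper() for t in texts[1:] if t.strip()}
    return set()

def compare_paths(direct, via_firewall):
    """Report what differs between the direct view and the view through the firewalls."""
    d, f = parse_replies(direct), parse_replies(via_firewall)
    greet = lambda r: r[0][1][0] if r else ""  # text of the opening 220 reply
    return {
        "greeting_changed": greet(d) != greet(f),
        "extensions_removed": sorted(ehlo_extensions(d) - ehlo_extensions(f)),
    }

# Constructed sample sessions (hypothetical host names, not taken from the thread).
DIRECT = """220 mail.example.test Microsoft ESMTP MAIL Service ready
EHLO probe.example.test
250-mail.example.test Hello
250-PIPELINING
250-8BITMIME
250 STARTTLS
"""
VIA_FIREWALL = """220 ********************************
EHLO probe.example.test
250-mail.example.test Hello
250 8BITMIME
"""
```

Repeating the comparison with a capture taken between the two firewalls narrows the change down to a single device.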
RE: Discussion about article on using ISA to protect fr... - 23.Mar.2009 10:04:55 AM   
portnoy

 

Posts: 5
Joined: 18.Mar.2009
Status: offline
Thanks to everyone for help, we figured it out over the weekend, the issue was "double" NATing, PIX and then ISA. Once we fixed the ISA side, everything started to work.

(in reply to tshinder)
Post #: 26
RE: Discussion about article on using ISA to protect fr... - 24.Mar.2009 8:32:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Great!

But what did you need to do on the ISA side? ISA didn't block the banner.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to portnoy)
Post #: 27
RE: Discussion about article on using ISA to protect fr... - 24.Mar.2009 11:22:01 AM   
portnoy

 

Posts: 5
Joined: 18.Mar.2009
Status: offline
Originally we were NATing traffic on the PIX and on the ISA. We took out ISA NATing, re-enabled external interface to accept incoming from NATed PIX interface and published SMTP and, alas, traffic started to flow!!! Raf

(in reply to tshinder)
Post #: 28
RE: Discussion about article on using ISA to protect fr... - 25.Mar.2009 8:57:09 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, it sort of makes sense.

Good to hear you got it working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to portnoy)
Post #: 29
RE: Discussion about article on using ISA to protect fr... - 25.Mar.2009 9:26:33 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
It's not just ISA that needs protected from PIX



_____________________________

Thanks
Steve


(in reply to tshinder)
Post #: 30
RE: Discussion about article on using ISA to protect fr... - 31.Mar.2009 10:11:10 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
It's sort of strange that there are any PIX devices out there -- they were based on a 20th century threat model that's no longer valid. All it does is pass exploits.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SteveMoffat)
Post #: 31
RE: Discussion about article on using ISA to protect fr... - 31.Mar.2009 10:25:47 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: tshinder

It's sort of strange that there are any PIX devices out there -- they were based on a 20th century threat model that's no longer valid. All it does is pass exploits.

Tom


You mean I'm not protected by Layer 3 firewalls? Ok, I had better put an ISA Server in my DMZ between my Layer 3 firewalls then...


(in reply to tshinder)
Post #: 32
RE: Discussion about article on using ISA to protect fr... - 31.Mar.2009 10:48:53 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I think you need to put TWO layer 3 firewalls in front of and behind the ISA firewall -- you can never be too secure

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 33
RE: Discussion about article on using ISA to protect fr... - 31.Mar.2009 11:31:13 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: tshinder

I think you need to put TWO layer 3 firewalls in front of and behind the ISA firewall -- you can never be too secure

Tom


Ok, sounds good (just for people not detecting the sarcasm, I am joking!)


(in reply to tshinder)
Post #: 34
RE: Discussion about article on using ISA to protect fr... - 1.Apr.2009 8:48:18 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Same here

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 35
RE: Discussion about article on using ISA to protect fr... - 10.Feb.2012 1:47:07 PM   
kblackwel

 

Posts: 3
Joined: 10.Feb.2012
Status: offline
I know this is an old posting, hoping you're still monitoring it.

I've been going over the ISA firewall in a PIX config, and I have one concern.

On the ISA firewall, you have the ISA sitting in the DMZ and on the LAN on the internal.

I know this was written some time ago, but the readings I have found all suggest the ISA could be a security weak spot. I'm concerned that if the machine gets compromised, someone will have direct access to the LAN network.

Your PIX setup doesn't seem to suggest that.

Would you continue to use that setup knowing what you know now?

Thanks if you're there.

(in reply to tshinder)
Post #: 36
