topic Re: PIX and Microsoft ISA integration --swamy in Network Security

PIX and Microsoft ISA integration --swamy

brindha — Fri, 21 Feb 2020 08:19:19 GMT

Dear Pros,

I instaled 2 pix 525 in failover config for the internal server farm VLAN. It is working and tested.Now I wants to add 2 ISA server in series to the pixs placing the ISA before the pix behind internet routers.

The order of the devices are as follow

Internet-Inetrouter WAN-inetrouterLAN-L2 switch-2ISA servers out side NICS connected to L2 switch-ISA servers inside NICS each to outside int of each PIX firewall -PIX firewalloutside to each inside nic of ISA- PIX firewall inside to 2 core switches (in hsrp) 4507R in redundancy -severs clusters with 2 nics to each core switch in same VLAN.

I achieved the failover upto PIX firewall.But Now I want to know how can place the ISA servers befoer the PIX firewall?

I am in the need of implementing it in datacentre environment.

Pls provide me the correct solution

Thanks

swamy

Re: PIX and Microsoft ISA integration --swamy

Solace — Wed, 10 Aug 2005 16:18:29 GMT

I would say you're doing it the wrong way around. My suggestion would be:

[Internet] <-> [PIX] <-> [ISA] <-> [Workstations/Servers]

I say this for a number of reasons.

1. The PIX is primarily a layer 2 device, it will block ports and ensure integrity and RFC compliance at that level (it does some protocol analysis but no where near the ISA's level {see below}).

2. SSL offloading, the ISA can offload inbound SSL connections. PIX can't.

3. Active directory integration - ISA integrates into AD, this is certainly possible to do through a PIX but it's a pain (static port mapping within the Windows for AD needs to be configured).

3. RPC - Microsoft's internal non published push for ISA allows the developers access to the specific RPC protocol requirements for Outlook and other Microsoft products. (PIX, Checkpoint and other firewall products - don't implement these).

4. ISA clients - outbound tunnelled connectivity (similar to SOCK5) through the ISA client can be controlled through the external PIX, your way around these would be bypassed.

5. You're trusting Cisco's TCP/IP stack over Windows. Which is always a matter of option by logic dictates that the larger amount of code the higher the probability of a flaw. At last check Cisco's PIX image was around 16MB, Windows is around 350MB.

Also if you're implementing a backend scenario would of course install more firewalls to segment the front-end and back-end.

My 2c.

Views expressed here are my own and in no way reflect those of my employer etc etc etc.

Re: PIX and Microsoft ISA integration --swamy

brindha — Tue, 16 Aug 2005 05:11:05 GMT

Dear Solace,

Thank you for your advice. I convinced my IT team and they accepted this design what you have suggested.

Now I have a question

Can we get the failover IF we connect each ISA inside to one of the 2 core switches configured in failover config. If one ISA down other one should take over

PIX also in failover config series to ISA.

The final design is we need to have no single point of failover from pix to internal servers.

Pls suggest your solution on each device

Thanks

swamy