Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
290
Views
0
Helpful
2
Replies

PIX and Microsoft ISA 2004

TYLER WEST
Level 1
Level 1

‎07-22-2005 11:32 AM - edited ‎02-21-2020 12:17 AM

We currently have a configuration of redundant PIX 525s and are in the process of planning and designing an implementation of Microsoft ISA 2004 on an appliance. There are, if you will, two factions with ideas on how this should be done. Our MS Administration team wants to plant ISA's outside interface on one of the three DMZs behind the PIX and they want the inside interface to have unrestricted, unfettered access to the inside network. The Networking team, of which I am a part, wants to also put ISA's outside interface in the "outermost" DMZ but we also want the inside interface in the "innermost" DMZ forcing the inside traffic back through packet filtering before hitting the inside network. The "innermost" DMZ has been defined with a ruleset that does not allow direct access from the outside , unsecured network but does allow limited traffic to pass from the other DMZs and the inside network. It has been used primarily for the middle-tier of multi-tiered architectures. We realize that we would have to permit Kerberos, LDAP, RPC, DNS, etc. from ISA through the PIX to a limited number of inside systems. Our primary concern with the other design is that the ISA appliance will be terminating client connections for web traffic and other things so it operates as a publicly accessible host. The questions come down to this...

Are there any glaring issues with protecting both sides with the FW?

Can someone point me to documentation or standards that would recommend that a system of this nature be totally contained within a FW?

Any legitimate arguments that we could use to sell our design would be helpful. At the same time any assurances with justification that the ISA 2004 appliance is secure enough to plant the inside interface totally on the inside of the network would be welcomed as well.

Thanks,

Tyler West

Sr. Network Engineer

0 Helpful
2 Replies 2

owensgl
Level 1
Level 1

‎07-22-2005 12:18 PM

They can accomplish the same thing with a Unihomed ISA connection in the DMZ. We are using it at my job because we reject the Microsoft Engineers request for security reasons

0 Helpful

TYLER WEST
Level 1
Level 1
In response to owensgl

‎07-22-2005 01:29 PM

Thank you for your quick reply. I unfortunately don't have the luxury of simply rejecting their request. I must show some amount of justification to validate my concerns. We have our own reasons for our proposed design and we probably share some of those. What were some of the specific reasons you disallowed the configuration that puts the ISA inside interface on the internal network?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card