MS Exchange security question


BornStar

> Originally posted by: InlineFour
> regarding the companies who don't use isa firewalls, do they just have the exchange server on the same network as the AD? this also means that the exchange server would be on the same network as the client machines as well since the AD needs to communicate with the clients.
That's how we do it. I have set up VPN for the external users that need to have email to connect through.
 

FreshPrince

lol...the way people worshipped ISA, I thought EVERYONE used it and I was the IDIOT that didn't know about it :p

turns out, not that many people use ISA...maybe because of trust issue? after all, it is M$ security :p

ya, we do the same as spyordie007 with the dedicated SMTP relay server. we do have FE for OWA though, but it is locked down just for OWA and not the typical FE setup.

as for ISA being the best FW...it's not. I checked it out last night on microsoft and looked at most of the documentation. It offers nowhere near the features my current fw offers...one being ssl vpn. at least not natively, you'd have to go through another 3rd party vendor or device to achieve that functionality....

ISA looking at vpn traffic, I couldn't find where it says ISA will do this. The most I will believe is that ISA will look at ISA to ISA vpn traffic. but what about ISA to another vendor (if isa supports this). I doubt ISA will know how to decrypt ALL VPN traffic. Even if it does, you shouldn't allow your internal users to establish VPN traffic with anyone outside of your network anyways. This is easily blocked with good fw policy.

ISA looking at ssl traffic, again I couldn't find good documentation about this. It does say ISA will do ssl-to-ssl bridging (which is really cool), but does not mention that it supports all types of SSL certs. Does it only support microsoft's certificate authorities, or does it work with vendors like verisign? If only microsoft's CA's, I'm not sure if too many people in the world trust microsoft CA ;) This is for incoming SSL traffic to your web servers that provide SSL. what about outgoing ssl traffic? does isa look at that as well and block malicious outgoing activity hidden behind ssl? (again which vendors?) I doubt it...

the other things I couldn't find about ISA are: does it protect from the REAL bad stuff like

cross site scripting
sql, command and LDAP injection
SPI for VOIP and SIP

will it route through VPN's? <-- :D

I think I will stick with my FW's /pets them :p

I'm still learning about ISA, so if I'm wrong about any of this, please feel free to point out and provide link. I'm very interested in learning about ISA, and any FW's in general. thx :)
 

InlineFour

hmm... ISA is indeed cheaper than other enterprise firewalls.

i'm going to play with vmware esx server evaluation. the server will have 2 windows 2003 OSs installed; one as the DC and the other as the exchange server. i'm not sure how many NICS i should have on that box though. should i have one NIC for each OS (2), or just share a single NIC for the DC and exchange servers?

also, since i'll need a second NIC for ISA server, does intel pro 10/100 seem to be the best all-around NIC? i found 5 NICS for about $20 shipped.
 

stash

> Does it only support microsoft's certificate authorities, or does it work with vendors like verisign?
It will work with any standard SSL cert. Verisign, Thawte, Microsoft, whatever. In fact, it is probably more common that you find an ISA server using a third party cert, because otherwise you would need to get everyone accessing that site to trust your internal root CA.

> I'm not sure if too many people in the world trust microsoft CA
Microsoft CAs are used extensively throughout the US government and many private and public companies. If you are referring to trust in a logical sense, you would be correct, since it would be impossible for all computers to trust every Microsoft-based PKI that someone sets up. Microsoft is not in the business of providing certificates for external use (a la verisign), but Windows PKIs are used all the time for smartcard logon, code signing, internal websites, etc.

> cross site scripting
> sql, command and LDAP injection
Uh, yes ISA will most definitely protect against these. That's the whole idea behind a layer 7 firewall. It can look into a packet and determine if a particular payload should be going to a particular type of application.
 

RebateMonger

> Originally posted by: FreshPrince
> ISA looking at ssl traffic, again I couldn't find good documentation about this. It does say ISA will do ssl-to-ssl bridging (which is really cool), but does not mention that it supports all types of SSL certs. Does it only support microsoft's certificate authorities, or does it work with vendors like verisign? If only microsoft's CA's, I'm not sure if too many people in the world trust microsoft CA ;) This is for incoming SSL traffic to your web servers that provide SSL. what about outgoing ssl traffic? does isa look at that as well and block malicious outgoing activity hidden behind ssl? (again which vendors?) I doubt it...
ISA works with any SSL certificate you care to use. And, yes, it scans both incoming and outgoing SSL traffic.

ISA acts as an SSL proxy. It requests information from a Server (either internal or external), decrypts the information and examines it, then re-encrypts it and sends it to its final destination.
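
Added example, not part of any post in this thread and not ISA's own code: a sketch of the inspection step a bridging proxy can run on a request once it has been decrypted, which is the point made in the two posts above about layer 7 filtering and SSL proxying. The policy values, the OWA path prefixes, the signature patterns and the sample requests are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed policy for a published OWA site; every value is an assumption.
ALLOWED_METHODS = {"GET", "POST"}
PUBLISHED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")
MAX_TARGET_LEN = 2048
SIGNATURES = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("sql-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sql-union", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]

def inspect(plaintext: bytes):
    """Decide (allowed, reason) for one HTTP request already decrypted by the proxy."""
    head, _, body = plaintext.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed-request-line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, "method-not-allowed"
    if len(target) > MAX_TARGET_LEN:
        return False, "target-too-long"
    url = urlsplit(target)
    path = unquote(url.path)
    if not path.lower().startswith(PUBLISHED_PREFIXES):
        return False, "path-not-published"
    # Percent-decode once so encoded payloads are matched in the form the server sees.
    fields = (path, unquote_plus(url.query), unquote_plus(body.decode("latin-1")))
    for name, pattern in SIGNATURES:
        if any(pattern.search(field) for field in fields):
            return False, name
    return True, "ok"

# Constructed sample requests (plaintext as seen after TLS termination).
HOST = b" HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
SAMPLES = [
    b"GET /exchange/user/Inbox/?Cmd=contents" + HOST,
    b"GET /exchange/user/?q=%27%20OR%20%271%27%3D%271" + HOST,
    b"POST /exchange/user/Drafts/" + HOST + b"subject=%3Cscript%3Ex%3C%2Fscript%3E",
    b"DELETE /exchange/user/" + HOST,
    b"GET /internal/reports/" + HOST,
    b"GET /exchange/%2e%2e/other/" + HOST,
]

def run_samples():
    return [inspect(sample) for sample in SAMPLES]
```

A packet filter in front of the same server sees only ciphertext on port 443 for all six requests; the verdicts differ only because the check runs on the decrypted request.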
 

stash

Also, ISA can exceed pretty much any SSL VPN solution on the market by any metric: price, level of control, application support and security. ISA's VPN gives you a granularity that is a lot better than SSL VPNs, which are limited in application support.

Since an "SSL VPN" is just a way to proxy access to a specific application or applications, this is ISA's bread and butter.