Firewall Wizards mailing list archives

Re: Strange setup


From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 26 Feb 2004 15:01:41 -0600 (CST)

On Thu, 26 Feb 2004, franco segna wrote:

I'm being confronted with the following existing setup:

Internet -- SonicWall-------------\
                    |              >- LAN
                    |--- MS ISA --/ 

The system is up and running, but I cannot understand the bypassing of
the ISA server through the direct connection firewall/LAN. And the
meaning of DMZ seems to be lost. Can anyone help me to understand the
matter? Thanks in advance

I've seen this setup many times, and if it weren't for the SonicWall I 
could have thought this was one of my customers.  The likely reason for 
this setup is that they have replaced the MS ISA server as their firewall 
with the SonicWall, but like the http proxy, authentication and reporting 
features of the MS ISA server (which they already purchased) and so are 
keeping it running.  MS ISA (formerly known as MS SOCKS proxy) requires 
that it be dual-homed and have routing enabled for the software to 
function.  Even if it is just being used as an http proxy it needs to have 
two interfaces on separate networks and route between them.  So the
SonicWall has a stub network to make the ISA server happy, the clients get
to use the ISA server's authenticating http proxy which makes them happy and
they still get their nice reports which makes the managers happy.  I would 
guess that all other traffic (mail, custom apps, etc.) goes through the 
SonicWall only.

--
Mark Tinberg
Network Security Engineer
SecurePipe, Inc.