Re: PIX DMZ and ISA server

From: Scott Lowe (
Date: 01/17/05

Date: Mon, 17 Jan 2005 15:34:42 -0500

On 2005-01-08 22:55:24 -0500, <> said:

> What is the best location for the ISA external interface?
> Currently we have the external interface of the ISA server in a dmz behind a
> pix firewall. The internal interface is on the internal lan. Is this the
> best architexure or is their a better way of doing it?

If installing ISA in integrated mode (two NICs), then proceed as you
have suggested, keeping in mind how the PIX NAT rules/access lists and
the ISA NAT/publishing rules will interact.

if installing ISA in cache mode (single NIC), then also install it in
the DMZ. You then need only to consider the PIX's NAT rules and
access-list entries.

I would also strongly urge you to investigate the use of products such
as Apache (with mod_ssl, mod_security, etc.) in place of ISA. This
solution can offer much of the same functionality (with regards to
protecting web servers) without any licensing costs. There is a
learning curve, but (IMHO, as one who has been along that curve) it is
worth it.


Scott Lowe