Re: PIX DMZ and ISA server
From: Scott Lowe (me_at_privacy.net)
Date: Mon, 17 Jan 2005 15:34:42 -0500
On 2005-01-08 22:55:24 -0500, <firstname.lastname@example.org> said:
> What is the best location for the ISA external interface?
> Currently we have the external interface of the ISA server in a DMZ behind a
> PIX firewall. The internal interface is on the internal LAN. Is this the
> best architecture or is there a better way of doing it?

If installing ISA in integrated mode (two NICs), then proceed as you
have suggested, keeping in mind how the PIX NAT rules/access lists and
the ISA NAT/publishing rules will interact.

If installing ISA in cache mode (single NIC), then also install it in
the DMZ. You then need only to consider the PIX's NAT rules and

I would also strongly urge you to investigate the use of products such
as Apache (with mod_ssl, mod_security, etc.) in place of ISA. This
solution can offer much of the same functionality (with regard to
protecting web servers) without any licensing costs. There is a
learning curve, but (IMHO, as one who has been along that curve) it is

-- Scott Lowe