On Wed, 2005-11-16 at 13:24 -0800, M W wrote:

> I would argue that the firewall appliance might be the better option
> from a functional point of view. Most companies block all outbound
> ports on their firewall, except for port 80 / 443. I believe
> Microsoft ISA requires port 80, leaving the actual HTTP website on
> port 81 (or any other port of their choosing). I've seen a handful of
> instances where internal users can't browse to another company's web
> application because the ISA firewall used port 80 and the web app is
> on port 81. Then it requires a firewall rule allowing that specific
> traffic or the user can't browse to the app from inside a corporate
> network.
>
> Not a big deal, but something I've run into. Of course, I'm relying
> on the factualness of the other IT administrators I've talked to, who
> tell me that Microsoft ISA requires port 80, which required them to
> move their web app to another port.

This isn't really correct at all, and if it were true in the scenario you present to us, ISA would be completely useless for any sort of routed/NATted internet access provision.
For starters, ISA doesn't require port 80 open at all; you can have as many (or as few) ports open on the ISA box itself as you wish, the only downside being that the fewer ports you have open, the harder the box becomes to administer. If you're happy administering the box via the local console, you can have zero open ports on the box itself.

Secondly, even if ISA required port 80 to be open for administration, this wouldn't require that a webapp were moved to another port.

Thirdly, since you seem to be referring to NATted or routed internet access, what ports the ISA box itself has open specifically don't matter - accepting traffic to the ISA box on port 80 and routing traffic on to other boxes (where the traffic coincidentally has a destination port of 80) are two entirely different things, and are in no way, shape, or form even vaguely mutually exclusive.

I can think of two instances in which something vaguely similar to this would be a valid concern, both of which are taking a guess about what you're talking about. One would be a dual-homed (or more) ISA server which published a site in the 'private' network via port 80 in the 'public' network. In this instance, it would be correct to say that you couldn't run a separate instance of a web server either on another host also published via the same port or off the ISA box itself without having more than one IP address on the 'public' network. The other would be if you had a web proxy server running on port 80 and also wanted to present a website to clients on the same port - obviously, for the same reasons as the previous example, you'd require >1 IP address or would have to use nonstandard ports.

Both of these scenarios could apply to other firewalls equally well, and are nothing specifically to do with ISA - can you be a little more specific as to exactly 'what you were told'? It's possible that I've misconstrued what you've said (or that you've misconstrued what you were told).

Hope this helps! ;)

 - James.
> Marcos Marrero <[EMAIL PROTECTED]> wrote:
>
> I think that the main argument for not deploying ISA in an internet
> facing environment is because of the underlying OS; Windows.
>
> Windows has been under attack for how many years now? I believe that if
> windows is locked down appropriately it can be used as described above.
>
> Regards
> Marcos Marrero
>
> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 15, 2005 5:49 PM
> To: James Eaton-Lee; Marcos Marrero
> Cc: [email protected]
> Subject: RE: ISA Server or Firewall Appliance?
>
> This:
> " The only last point I'd make is that I'd be hesitant in deploying ISA
> in an internet facing role (although I do and have done that before) -
> but I don't really have a justification for this aside from "it just
> doesn't feel quite right".
> "
>
> ..statement is something that is expressed fairly often, but fortunately
> has not a single grain of substance to it. To James' credit, he does
> qualify his hesitation...
> I know it sounds like marketing spew, but the simple fact is; in 5+
> years of service on anything from an SBS server, OEM appliance to HUGE
> enterprise deployments, ISA server has the distinction of not having
> been the recipient of one single exploit in the wild.
>
> Yes; we've shipped patches for it and the odds are (realistically
> speaking), we may well do so again. So do Cisco, Juniper, et al and we
> don't hear the "just doesn't feel right" when they need patching.
>
> Contrast this with literally *no other* firewall maker (truthfully)
> making this claim and you have quite a piece of information at your
> disposal when you present your options in CxO-land.
>
> Jim Harrison
> Security Platform Group (ISA SE)
> If We Can't Fix It - It Ain't Broke!
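To make the distinction in James' reply concrete (ports the firewall host itself listens on versus published/NATted traffic that merely has destination port 80, and why two services on the same public IP:port need a second address or a nonstandard port), here is an added Python model of which public-side sockets a rule set claims. It is an illustration written for this thread, not ISA's own rule engine; the IP addresses, rule names and the admin listener are constructed examples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    """A service the firewall host itself answers on (admin UI, web proxy ...)."""
    ip: str       # address the socket is bound to (private or public side)
    port: int
    name: str


@dataclass(frozen=True)
class Publish:
    """A publishing (reverse-NAT) rule: public ip:port forwarded to an internal host."""
    public_ip: str
    public_port: int
    internal_host: str
    internal_port: int
    name: str


def conflicts(listeners, publishes):
    """Map each (ip, port) claimed more than once to the names that claim it.

    Only the public-side (ip, port) of a publishing rule is a claim; the internal
    destination port is never one, so forwarded traffic with dst port 80 does not
    compete with anything the firewall host listens on. That is the thread's point.
    """
    claims = {}
    for l in listeners:
        claims.setdefault((l.ip, l.port), []).append(l.name)
    for p in publishes:
        claims.setdefault((p.public_ip, p.public_port), []).append(p.name)
    return {sock: names for sock, names in claims.items() if len(names) > 1}


# Constructed scenario data (hypothetical addresses and names).
ADMIN = Listener("10.0.0.1", 80, "isa-admin")          # admin UI on the private side
PROXY = Listener("203.0.113.5", 80, "web-proxy")       # proxy listening on the public side
SITE_A = Publish("203.0.113.5", 80, "10.0.0.10", 80, "site-a")
SITE_B_SAME = Publish("203.0.113.5", 80, "10.0.0.11", 80, "site-b")
SITE_B_OTHER_IP = Publish("203.0.113.6", 80, "10.0.0.11", 80, "site-b")
SITE_B_OTHER_PORT = Publish("203.0.113.5", 81, "10.0.0.11", 80, "site-b")


def admin_plus_published_site():        # host port 80 open privately, site published on 80
    return conflicts([ADMIN], [SITE_A])   # -> {} : no conflict, no need to move the web app
def two_sites_same_public_socket():     # James' first scenario
    return conflicts([], [SITE_A, SITE_B_SAME])
def two_sites_second_ip():              # ... resolved with a second public IP
    return conflicts([], [SITE_A, SITE_B_OTHER_IP])
def two_sites_nonstandard_port():       # ... or with a nonstandard public port
    return conflicts([], [SITE_A, SITE_B_OTHER_PORT])
def proxy_plus_published_site():        # James' second scenario
    return conflicts([PROXY], [SITE_A])
```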
