Frequently Asked Questions - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]


Thomas W. Shinder; Debra Littlejohn Shinder


Frequently Asked Questions




The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the 'Ask the Author' form. You will also gain access to thousands of other FAQs at ITFAQnet.com.




Q: I tried to create an Access Rule allowing connections from Internal to External Networks on my unihomed ISA firewall, but the rule didn't work. What's up with that?




A: The unihomed ISA firewall does not have a default External Network. The reason for this is that all IP addresses in the IPv4 address range (except for those in the local host network ID) are considered part of the default Internal Network. If you want to create Access Rules from hosts on the corporate network to any other host, the rule should be from Internal Network to Internal Network. We highly recommend that you deploy the ISA firewall as a multihomed firewall so that the ISA firewall can provide comprehensive network-based firewall protection.




Q: Do I have to install a DNS and DHCP server on the ISA firewall?




A: No. You do not need to install a DNS server or a DHCP server on the ISA firewall. In this chapter, we included a sample configuration where the ISA firewall acted as both a DNS and DHCP server. This configuration allowed the ISA firewall to simulate functionality provided by many simple packet filter-based small business firewalls. However, if you have a DNS server or DHCP server on your corporate network, you do not need to install the DNS or DHCP server on the ISA firewall.




Q: I tried to migrate my ISA Server 2000 configuration to ISA 2004, but the migration failed. Why?




A: There are a number of reasons for the migration process to fail. Failed migrations are most commonly seen when doing an in-place upgrade. We recommend that you document your current ISA Server 2000 settings and then replicate those settings on a fresh ISA firewall installation. However, if you wish to do an in-place upgrade, or if you want to migrate your ISA Server 2000 settings using the ISA migration tool, you should read the ISA Server 2004 Help file and learn the details of how the migration process works and what features are and are not supported when migrating from ISA Server 2000 to the new ISA firewall.




Q: What can network clients do when the firewall is in lockdown mode? Will intruders be able to attack the network or the firewall when it's in lockdown mode?




A: Intruders will not be able to attack your network when the ISA firewall is in lockdown mode. No new connections will be established through the ISA firewall during lockdown. Existing connections will not be disconnected, though. The ISA firewall enters lockdown mode when the firewall service fails. Lockdown mode is an example of how the ISA firewall 'fails closed.'




Q: Do I have to use a split-DNS infrastructure? I already have a domain with the dreaded .local top-level domain.




A: You never need to use a split-DNS infrastructure. However, a split-DNS infrastructure will greatly simplify life for your users who move between the corporate network and remote locations. While it would be easier to implement a split-DNS infrastructure when your internal domain name is also accessible from external locations, this is not a hard-coded requirement. For example, if your internal domain is domain.local, you can create a public domain named domain.com. Then you can create a forward lookup zone on your internal DNS servers for the domain.com domain. You then create resource records in the domain.com domain that match the resources your remote users would use to access internal resources via Web and Server Publishing Rules on the ISA firewall. Both external and internal users would access resources using the same name, such as owa.domain.com, but the external DNS zone would resolve the name to the public address on the ISA firewall used to publish the site, while the internal zone would have resource records that resolve owa.domain.com to the actual internal address of the OWA site on the corporate network.
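The split-DNS layout described above can be checked mechanically. The following is an added example, not code from the book: it audits two views of the domain.com zone against the design in the answer. All addresses and the names other than owa.domain.com are constructed sample data, and `audit_split_dns` is a hypothetical helper.

```python
import ipaddress

# Constructed sample data. 203.0.113.10 stands in for the public address on the
# ISA firewall used for publishing; 10.0.0.0/8 stands in for the corporate network.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
ISA_PUBLISHED = {ipaddress.ip_address("203.0.113.10")}

EXTERNAL_ZONE = {                        # public domain.com zone
    "owa.domain.com": "203.0.113.10",
    "mail.domain.com": "10.0.0.26",      # mistake: internal address in the public zone
    "portal.domain.com": "203.0.113.10",
}
INTERNAL_ZONE = {                        # domain.com forward lookup zone on internal DNS
    "owa.domain.com": "10.0.0.25",
    "mail.domain.com": "203.0.113.10",   # mistake: internal users sent to the firewall
}                                        # mistake: portal.domain.com has no internal record


def audit_split_dns(external, internal):
    """Return (name, zone, problem) tuples where a view departs from the design:
    external records point at the published ISA address, internal records point
    at the real internal server, and every published name exists in both views."""
    findings = []
    for name in sorted(set(external) | set(internal)):
        ext = external.get(name)
        inn = internal.get(name)
        if ext is not None and ipaddress.ip_address(ext) not in ISA_PUBLISHED:
            findings.append((name, "external", "not the published ISA address"))
        if ext is not None and inn is None:
            findings.append((name, "internal", "record missing"))
        if inn is not None and ipaddress.ip_address(inn) not in CORPORATE_NET:
            findings.append((name, "internal", "not an internal address"))
    return findings


if __name__ == "__main__":
    for name, zone, problem in audit_split_dns(EXTERNAL_ZONE, INTERNAL_ZONE):
        print(f"{name:20} {zone:9} {problem}")
```
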




Q: I have multiple network IDs on my corporate network. Do I have to create separate networks for all of them?




A: No. Remember that all IP addresses located behind a specific NIC are part of the same ISA firewall Network. For example, if you have five network IDs behind the same interface on the ISA firewall, the ISA firewall sees all those network IDs as part of the same Network (with a capital 'N' indicating an ISA Network). You can create subnet objects or address set objects to group your network IDs if you need to exert access controls on the ISA firewall using those network IDs.
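To make the Network membership rules from this answer and from the unihomed answer earlier concrete, here is an added example (not from the book) that models them. It is a simplified model, not ISA's implementation: the address ranges are constructed, 127.0.0.0/8 is assumed to stand in for the local host network ID, and the helper names are hypothetical.

```python
import ipaddress

def cidrs(*blocks):
    return [ipaddress.ip_network(b) for b in blocks]

# Simplified model. Networks are checked in order; an address claimed by no
# Network falls into External.
# Assumption: 127.0.0.0/8 stands in for the local host network ID.
UNIHOMED = {
    "Local Host": cidrs("127.0.0.0/8"),
    "Internal": cidrs("0.0.0.0/0"),      # every remaining IPv4 address
}
# Constructed multihomed layout: five network IDs behind the internal NIC.
MULTIHOMED = {
    "Local Host": cidrs("127.0.0.0/8"),
    "Internal": cidrs("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
                      "10.0.4.0/24", "10.0.5.0/24"),
}

def network_of(ip, networks):
    """Name of the ISA Network that contains ip under this model."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        if any(addr in r for r in ranges):
            return name
    return "External"

def element_matches(element, ip, networks):
    """A rule element is a Network name or a subnet object (an ip_network)."""
    if isinstance(element, ipaddress.IPv4Network):
        return ipaddress.ip_address(ip) in element
    return network_of(ip, networks) == element

def rule_matches(rule, src, dst, networks):
    return (element_matches(rule["from"], src, networks)
            and element_matches(rule["to"], dst, networks))

if __name__ == "__main__":
    client, web = "10.0.3.5", "198.51.100.7"   # constructed addresses
    to_external = {"from": "Internal", "to": "External"}
    to_internal = {"from": "Internal", "to": "Internal"}
    print(rule_matches(to_external, client, web, UNIHOMED))
    print(rule_matches(to_internal, client, web, UNIHOMED))
    print(rule_matches(to_external, client, web, MULTIHOMED))
    one_subnet = {"from": ipaddress.ip_network("10.0.3.0/24"), "to": "External"}
    print(rule_matches(one_subnet, "10.0.4.9", web, MULTIHOMED))
```

On the unihomed model the Internal-to-External rule never matches because no address falls outside Internal, while on the multihomed model a subnet object narrows a rule to one of the five network IDs that share the Internal Network.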



