Sandwich Mode Insanity Reaches New Levels of Breakage
In my recent article on the insanity of ISA and TMG firewall “sandwich mode designs, I described the problems with sandwich mode and the total lack of reason for this design. Its as if those who put together “sandwich” mode designs throw reason to the wind, cross there fingers and hope for the best, or live in a world of superstition, goblins and ghosts and use various incantations throughout the day to warm off “network evil”.
While this might be true in some cases, I don’t think most admins are so profoundly inept, incompetent or insane. I think that that there are strong fiduciary “ties”, between network teams and hardware vendors. These “ties that bind” end up putting together a mindset that leads to the deployment of extraneous and costly hardware, to the mutual benefit of the hardware vendor and the customer.
While such “marriages of convenience” can be beneficial for the network team and the high-margin hardware firewall vendor, it’s the ISA or TMG firewall, the admin who brought in the ISA or TMG firewall, and the applications that the ISA or TMG firewall protects who suffer from such implicit agreements in cooperation and gratuity.
I bring this up because I’ve read again about another horked up sandwich mode design that causes no end of problems for the ISA firewall.
Take a look at the figure to the right. Who in his right mind puts together such as configuration? What is the point of two network layer firewalls protecting another network layer firewall (the ISA firewall is a network and application layer firewall)?
In this scenario the router, ah, I mean “hardware firewall” broke ActiveSync communications. Of course, the ISA firewall was being blamed for the problem, and as is almost always the case, the ISA firewall was not to blame.
You can see the details of this ActiveSync scenario over on Yuri Diogenes blog at
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer