Beware Poor Designs – Bad Things Can Happen

Working with and writing about ISA and TMG firewalls has to be one of the most fun things a Microsoft security specialist can do. Why? Because unlike other products, ISA and TMG firewalls can be configured to work in an almost unlimited number of deployment scenarios. For each scenario, the ISA or TMG firewall brings in a number of options and settings that you have to understand and think about, so that you have the optimal configuration to meet the deployment’s design goals.

Most of the designs I run into are well thought out and are based on rational functional and security requirements. However, there is a collection of designs that should be avoided at all costs, not only from a functional point of view, but also because they increase complexity without enhancing security. In fact, many of them reduce the overall security posture of your ISA or TMG firewall deployment.

This collection of bad designs fits into the “sandwich” family of ISA/TMG firewall topologies. A sandwich design is one where the ISA or TMG firewall is placed between two layer 3 firewalls (yes, I know it makes no sense from a technical or security point of view, but these designs are more common than a reasonable man would suspect).

Two of the most common sandwich designs are:

  • Hork Mode Sandwich – this is when a unihomed ISA or TMG firewall is placed between two layer 3 firewalls, putatively to “protect” the internal network from the firewall (yes, I know it doesn’t make sense, but you have to realize there are political and psychological issues here, and we don’t get paid to be psychiatrists or politicians)
  • Hork Mode on a Stick Sandwich – this one is even more insane, and is shown in the figure below. This design was probably inspired by a Cisco admin’s experiments with Lysergic Acid Diethylamide



Whatever the reason, sandwich designs are like canaries in the mine – when you see one, you know that something bad has happened, is happening, or is going to happen.

For an example (and this is just one example; there are many, many reasons why sandwich designs should be avoided), check out Yuri Diogenes’ article on a flummoxed sandwich deployment over at:



Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)
