Inline...

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/

----- Original Message -----
From: "Iain Peirse" <Iain.Peirse@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 29, 2001 01:17
Subject: [isalist] A theory on Domain membership.

Here's one (apologies if I'm behind the times):

Imagine an ISA server setup, for simplicity a single ISA server publishing services to/from a private LAN. The internal Windows 2000 domain includes every server as a member _except_ ISA. ISA has its own domain. There's a one-way trust between the W2K domain and the ISA domain. ISA trusts W2K, W2K doesn't trust ISA.

My theory is that if the ISA server is compromised that it has no rights over the main W2K domain.

My questions:

Do you believe this logic is correct?
* Yes, it is.

Will it work?
* Yes, it does (built several)

Is it worth it? (i.e. If the ISA were compromised in this situation would it be any different to if ISA were a member of the main domain?)
* Absolutely! Given the choice, it's better to lose your edge domain than the one that everyone depends on.

Has anyone got a similar working setup?

vbr,
Iain.