Re: AD in DMZ
- From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 10 Jul 2003 13:33:16 -0700
At 01:03 PM 7/10/2003, you wrote:
> Exactly...so no sensible person would put a DMZ domain as part of their
> internal forest.
> Now..about that KB article..it would seem that a trust (forest or
> downlevel domain) isn't supported between the DMZ and the internal domain.
> What is Microsoft's SUGGESTED plan of action for a DMZ then? This is silly.
A separate forest, managed from within the DMZ. Personally, I would not
set up any type of trust between the DMZ assets and my internal assets, one
way or otherwise, even if it were supported. I would never have any sort
of retrievable credential exist on a DMZ unit that could be used on my
internal network. And I would not allow the required traffic through
either. In fact, in my back-to-back ISA DMZ, I don't even have a domain
controller in the DMZ; each box is a member server with distinct admin
accounts. Yes, harder to admin, but if a box in the DMZ gets owned,
they'll have to work at the other ones, and by that time I'd know about it.
Then again, I don't have that many servers in the DMZ...
t
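An added example, not part of the original post or of anything the ISAserver.org list published: a PowerShell audit that checks one DMZ host against the design described in the reply above (no trust of any kind between DMZ and internal forest, no credential on the DMZ box that is usable internally). It assumes a modern Windows host with PowerShell 3 or later; the RSAT ActiveDirectory module is only needed where the host is domain-joined and trusts are to be enumerated. The function name, the `$InternalDomains` parameter and the domain name `corp.example.internal` are hypothetical.

```powershell
# Added example (not the original poster's code). Reports conditions that
# contradict the DMZ design in the post: domain membership, cached domain
# logons (a retrievable credential on the box), and trusts held by the
# host's domain. An empty result is the desired state.

function Test-DmzIsolation {
    [CmdletBinding()]
    param(
        # Hypothetical: DNS names of internal domains/forests that a DMZ host
        # or DMZ forest must never be joined to or trust.
        [string[]]$InternalDomains = @('corp.example.internal')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Domain membership of this host. Membership in an internal domain is
    #    the case the post rules out outright; any membership is worth noting
    #    in a DMZ built from standalone servers with distinct admin accounts.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $level = if ($InternalDomains -contains $cs.Domain) { 'CRITICAL' } else { 'WARN' }
        $findings.Add("$level host is joined to domain '$($cs.Domain)'")

        # 2. Cached domain logons (CachedLogonsCount, REG_SZ, default "10")
        #    leave a reusable credential on the box. Absent value means default.
        $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                   -ErrorAction SilentlyContinue).CachedLogonsCount
        if ($null -eq $cached -or [int]$cached -gt 0) {
            $findings.Add("WARN CachedLogonsCount is '$cached' (default 10); set to 0 on DMZ hosts")
        }

        # 3. Trusts held by this host's domain. Any trust is reported; one
        #    whose target is an internal domain is critical.
        if (Get-Module -ListAvailable -Name ActiveDirectory) {
            Import-Module ActiveDirectory -ErrorAction Stop
            foreach ($t in Get-ADTrust -Filter *) {
                $level = if ($InternalDomains -contains $t.Target) { 'CRITICAL' } else { 'WARN' }
                $findings.Add("$level trust to '$($t.Target)' direction=$($t.Direction) forestTransitive=$($t.ForestTransitive)")
            }
        } else {
            $findings.Add("INFO ActiveDirectory module not installed; trusts not enumerated")
        }
    }

    return $findings
}

# Usage: run elevated on the DMZ host. No output means the host is standalone;
# otherwise each line names the condition that breaks the isolation design.
Test-DmzIsolation -InternalDomains 'corp.example.internal'
```

Running this from a scheduled task and shipping the result to the internal SIEM gives the "by that time I'd know about it" part of the post a concrete check: a new trust or an unexpected domain join on a DMZ box shows up as a CRITICAL line rather than being discovered after the fact.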