Hi Brian,

You use RRAS packet filters and IPSec Policies to create a LAT-based DMZ. But remember, it's NOT a real DMZ if you put private assets into it. It's like me putting my ex-mother-in-law in the Korean DMZ. Hmmm... well, that's not the best analogy, but you know what I mean. A DMZ is designed as an entirely separate and distinct security zone that, if compromised, has no effect on your protected assets. Extending the private network's security zone into the DMZ entirely breaks the underpinnings of the DMZ concept. At that point all you have is a "screened subnet", not a DMZ.

HTH,
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
Sent: Thursday, July 10, 2003 3:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ

http://www.ISAserver.org

That doesn't make any sense. So ISA can't be a member of the internal domain on the DMZ, nor can it be a member of a separate trusted forest in the DMZ?? What the hell are you supposed to do with it then?

On a side note... this seems a bit silly... as currently this is how our production environment exists (albeit on NT4 and not AD). I also have two separate forests in the lab (DMZ with ISA on one, internal network on the other). The KB article doesn't say it won't work... it just says it isn't supported. Nice.

-----Original Message-----
From: PETER PAPE [mailto:papexpjboi@xxxxxxx]
Sent: Thursday, July 10, 2003 3:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ

http://www.ISAserver.org

Just to make things a little more interesting, check out Microsoft KB 329807: http://support.microsoft.com/?id=329807

If I read/understand this correctly, ISA Server does not support the forest or member server residing in the DMZ. That is assuming that ISA server will separate your Public DMZ from the internal network :).