Re: AD in DMZ

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jul 2003 15:46:52 -0500

Hi Brian,
 
You use RRAS packet filters and IPSec Policies to create a LAT-based
DMZ. But remember, it's NOT a real DMZ if you put private assets into it.
It's like me putting my ex-mother-in-law in the Korean DMZ. Hmmm. well,
that's not the best analogy, but you know what I mean. A DMZ is designed
as an entirely separate and distinct security zone that, if compromised,
has no effect on your protected assets. Extending the private network's
security zone into the DMZ entirely breaks the underpinnings of the DMZ
concept. At that point all you have is a "screened subnet", not a DMZ.
 
HTH,
 
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx] 
        Sent: Thursday, July 10, 2003 3:02 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Re: AD in DMZ
        
        
        http://www.ISAserver.org
        
        

        That doesn't make any sense. 

        So ISA can't be a member of the internal domain on the DMZ?

        Nor can it be a member of a separate trusted forest in the DMZ??


        What the hell are you supposed to do with it then? 

        On a side note...this seems a bit silly...as currently this is
        how our production environment exists (albeit on NT4 and not AD).

        I also have two separate forests in the lab (DMZ with ISA on
        one), internal network on the other.

        The KB article doesn't say it won't work...it just says it isn't
        supported.

        Nice 




        -----Original Message----- 
        From: PETER PAPE [mailto:papexpjboi@xxxxxxx] 
        Sent: Thursday, July 10, 2003 3:23 PM 
        To: [ISAserver.org Discussion List] 
        Subject: [isalist] Re: AD in DMZ 

        Just to make things a little more interesting, check out
Microsoft KB 329807 

        http://support.microsoft.com/?id=329807 

        If I read/understand this correctly, ISA Server does not support
        the forest or member server residing in the DMZ. That is assuming
        that ISA Server will separate your Public DMZ from the internal
        network :).
