You Betcha! ISA + DC == <snicker><chortle><chuckle><GUFFAW>

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 6:27 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

http://www.ISAserver.org

Hi Cerebro,

Yes, you should have DCs at the branch offices, just not on the firewall.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: cerebro [mailto:cerebro@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 8:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

OK, but do you think it's better to add a domain controller on Site 1 near the ISA Server? I prefer to leave the DC on Site 2, but I'm not sure if it's necessary for this scenario to move a DC to Site 1.

Thanks for your reply and help!

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 14:00
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

Hi Cerebro,

EXACTLY!

Tom

-----Original Message-----
From: cerebro [mailto:cerebro@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 6:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

Hi Tom,

Thanks a lot!!! For a moment, I believed I was going insane!!!

Then, the ISA firewall on Site 1 can be a domain member working with Domain Controllers on Site 2?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 13:39
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

Hi Cerebro,

You caught a typo in my message. I meant to say that the ISA firewall on the remote site network can be a *domain member*, NOT domain controller. Sorry about that.

Tom

-----Original Message-----
From: cerebro [mailto:cerebro@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 6:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

Hi Tom,

Why do you say it? Sorry, but I don't understand...... In another mail you say:

Where have you read this? I wrote a 1100 page book telling you that was NOT true. I have 100+ articles on ISAserver.org and other places telling you this was not true. Don't listen to Cisco reps :)

If you have a site to site VPN, the ISA firewall at the remote site can be a domain controller. I do that often and it works a treat. Even have information on how to do it in the ISA/Exchange kit.

HTH,
Tom

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 12:00
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA on a DC

Do NOT make the ISA firewall part of your server consolidation plan -- don't put it on a DC.

Tom

-----Original Message-----
From: cerebro [mailto:cerebro@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 21, 2005 3:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA on a DC

Hi IsaList,

I have the following config:

           ISP                          VPN
INTERNET <-----> SITE 1 (HOUSING) <----------------> SITE2

SITE 1: Domain Controller Windows 2003STD + ISA Server 2004 SP1
SITE 2: Internal LAN (Other DC, Exchange, etc....)

I need to publish Exchange 2003 services (OWA (Form-Based Auth), SMTP, POP3, RPC-over-HTTP), and other web services (intranet, etc..).

Is there any problem with the config? The Active Directory can't replicate.

In the firewall policy mode, I add the following protocols to a Rule Action (Allow):

DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
NTP (UDP)
Ping
RPC Endpoint Mapper (TCP 135)
Direct Host (TCP 445)

I'm not sure I understand fully what it means and what we would need to configure?

Thanks for your reply and help!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx