[isapros] Re: TMG - Separate Forest?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 09:29:43 -0500

Exactly. The guidance as is applies to people who wear hard hats when
they go outside out of fear that a falling piece from a passing airplane
will hit them on their heads. :)

MSIT does it right, and I follow MSIT's model in my deployments. Why
lose Kerberos Constrained Delegation and other security features out of
fear of Comet strikes in the Gulf of Mexico? :))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, May 12, 2008 8:21 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> Actually, that "old-school approach" does limit the threat of exposure for your internal forest. It's not about "if ISA gets compromised" as much as "if an account is compromised".
> If you have the skill and means to build that and can tolerate the limits it imposes (no KCD from the edge), then this is a good recommendation.
> What isn't stated is that this can be one part of a layered ISA deployment.
> FWIW, MSIT deploys ISA / TNG at the edge in the same forest as the user accounts.
> 
> Jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Monday, May 12, 2008 1:13 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] TMG - Separate Forest?
> 
> Just noticed this in the current TMG documentation... disappointed this old school approach is still recommended :-(
> 
> "At the edge, you can install Forefront TMG as a domain member or in workgroup mode. As a domain member, we recommend that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. This may help the internal forest from being compromised, even if an attack is mounted on the forest of the Forefront TMG computer. There are some limitations with this deployment. For example, you can configure client certificate authentication only for users defined in the Forefront TMG domain, and not for users in the corporate internal domain or forest."
> 
> You guys spent much time looking at TMG yet?
> 
> JJ