Exactly. The guidance as is applies to people who wear hard hats when they go outside out of fear that a falling piece from a passing airplane will hit them on their heads. :) MSIT does it right, and I follow MSIT's model in my deployments. Why lose Kerberos Constrained Delegation and other security features out of fear of Comet strikes in the Gulf of Mexico? :))

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, May 12, 2008 8:21 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> Actually, that "old-school approach" does limit the threat of exposure for your internal forest. It's not about "if ISA gets compromised" as much as "if an account is compromised".
> If you have the skill and means to build that and can tolerate the limits it imposes (no KCD from the edge), then this is a good recommendation.
> What isn't stated is that this can be one part of a layered ISA deployment.
> FWIW, MSIT deploys ISA / TNG at the edge in the same forest as the user accounts.
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Monday, May 12, 2008 1:13 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] TMG - Separate Forest?
>
> Just noticed this in the current TMG documentation...disappointed this old school approach is still recommended :-(
>
> "At the edge, you can install Forefront TMG as a domain member or in workgroup mode. As a domain member, we recommend that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. This may help the internal forest from being compromised, even if an attack is mounted on the forest of the Forefront TMG computer. There are some limitations with this deployment. For example, you can configure client certificate authentication only for users defined in the Forefront TMG domain, and not for users in the corporate internal domain or forest."
>
> You guys spent much time looking at TMG yet?
>
> JJ
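An added example that is not part of the thread: run from a domain controller (or any machine with RSAT) in the Forefront TMG forest, this PowerShell lists the forest's trusts and notes whether each one matches the one-way trust design the quoted TMG documentation recommends. It assumes the ActiveDirectory module is available, that the account running it can read the trust objects, and it reads the Direction property the way the module reports it (Outbound meaning this forest trusts the target, Inbound meaning the target trusts this forest).

```powershell
# Added example (not from the thread): enumerate the trusts of the forest this
# machine belongs to and assess each against the one-way trust design quoted
# from the TMG documentation. Assumes the ActiveDirectory module (RSAT) and
# read access to the trust objects.
Import-Module ActiveDirectory

$localForest = (Get-ADForest).Name

Get-ADTrust -Filter * | ForEach-Object {
    $t = $_
    $assessment = switch ($t.Direction) {
        'BiDirectional' {
            "two-way trust: accounts from $localForest are usable in $($t.Target), " +
            "which is wider than the one-way trust the TMG documentation recommends"
        }
        'Outbound' {
            "one-way: $localForest trusts $($t.Target); accounts from $($t.Target) " +
            "can be granted access here, not the other way round"
        }
        'Inbound' {
            "one-way in the other direction: $($t.Target) trusts $localForest, so " +
            "accounts from this forest are usable over there"
        }
        default { "direction $($t.Direction)" }
    }
    [pscustomobject]@{
        Target                  = $t.Target
        Direction               = $t.Direction
        ForestTransitive        = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        Assessment              = $assessment
    }
} | Format-Table -AutoSize -Wrap
```

For the design in the quoted documentation, the TMG forest should show a single Outbound trust toward the corporate forest. A BiDirectional trust, or an Inbound trust seen from the TMG forest, means accounts from the edge forest can be used inside the corporate forest, which is the exposure the separate-forest recommendation is meant to avoid; SelectiveAuthentication being true additionally limits which corporate resources TMG-forest principals can reach.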