[isapros] Re: TMG - Separate Forest?
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Mon, 12 May 2008 09:29:43 -0500
Exactly. The guidance as is applies to people who wear hard hats when
they go outside out of fear that a falling piece from a passing airplane
will hit them on their heads. :)
MSIT does it right, and I follow MSIT's model in my deployments. Why
lose Kerberos Constrained Delegation and other security features out of
fear of Comet strikes in the Gulf of Mexico? :))
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, May 12, 2008 8:21 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> Actually, that "old-school approach" does limit the threat of exposure for your internal
> forest. It's not about "if ISA gets compromised" as much as "if an account is
> compromised".
> If you have the skill and means to build that and can tolerate the limits it imposes (no
> KCD from the edge), then this is a good recommendation.
> What isn't stated is that this can be one part of a layered ISA deployment.
> FWIW, MSIT deploys ISA / TMG at the edge in the same forest as the user accounts.
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Monday, May 12, 2008 1:13 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] TMG - Separate Forest?
>
> Just noticed this in the current TMG documentation...disappointed this old school
> approach is still recommended :-(
>
> "At the edge, you can install Forefront TMG as a domain member or in workgroup
> mode. As a domain member, we recommend that you install Forefront TMG in a
> separate forest (rather than in the internal forest of your corporate network), with a
> one-way trust to the corporate forest. This may help the internal forest from being
> compromised, even if an attack is mounted on the forest of the Forefront TMG
> computer. There are some limitations with this deployment. For example, you can
> configure client certificate authentication only for users defined in the Forefront TMG
> domain, and not for users in the corporate internal domain or forest."
>
> You guys spent much time looking at TMG yet?
>
> JJ
- Follow-Ups:
- [isapros] Re: TMG - Separate Forest?
- From: Amy Babinchak