Great Point ...

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 10, 2003 4:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ

http://www.ISAserver.org

Hi Brian,

You use RRAS packet filters and IPSec Policies to create a LAT-based DMZ.
But remember, it's NOT a real DMZ if you put private assets into it. It's
like me putting my ex-mother-in-law in the Korean DMZ. Hmmm. Well, that's
not the best analogy, but you know what I mean.

A DMZ is designed as an entirely separate and distinct security zone that,
if compromised, has no effect on your protected assets. Extending the
private network's security zone into the DMZ entirely breaks the
underpinnings of the DMZ concept. At that point all you have is a
"screened subnet", not a DMZ.

HTH,
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
Sent: Thursday, July 10, 2003 3:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ

http://www.ISAserver.org

That doesn't make any sense. So ISA can't be a member of the internal
domain on the DMZ, nor can it be a member of a separate trusted forest in
the DMZ?? What the hell are you supposed to do with it then?

On a side note... this seems a bit silly... as currently this is how our
production environment exists (albeit on NT4 and not AD). I also have two
separate forests in the lab (DMZ with ISA on one, internal network on the
other). The KB article doesn't say it won't work... it just says it isn't
supported.
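Shinder's test in the message above is a simple one: if a compromised DMZ host can reach anything in the protected zone, the segment is a screened subnet, not a DMZ. The script below applies that test to a packet-filter rule set, evaluated first-match the way RRAS filters are, with the implicit default deny. It is an added example, not code from this thread or from ISA Server; the two rule sets are constructed for illustration (one where a DMZ host is joined to the internal forest and therefore needs domain-controller ports opened inbound to the internal zone, one where nothing initiated from the DMZ reaches the internal zone), and the port list used to stand in for "domain membership traffic" is an assumption, since the thread names no ports.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Ports a domain-joined member server exchanges with its domain controllers.
# Assumption made for this example (DNS, Kerberos, RPC endpoint mapper, LDAP,
# SMB); the thread itself lists no ports.
DOMAIN_PORTS = {53, 88, 135, 389, 445}


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule, evaluated first-match like an RRAS filter."""
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, port: int) -> bool:
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and (self.dst_port is None or self.dst_port == port))


def decide(rules: Iterable[Rule], src_zone: str, dst_zone: str, port: int) -> str:
    """First matching rule wins; no match at all means the implicit default deny."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, port):
            return rule.action
    return "deny"


def reachable_ports(rules, src_zone: str, dst_zone: str, ports: Iterable[int]) -> Set[int]:
    """Ports in `ports` that traffic from src_zone may reach in dst_zone."""
    return {p for p in ports if decide(rules, src_zone, dst_zone, p) == "allow"}


def classify_dmz(rules, probe_ports=None) -> Tuple[str, Set[int]]:
    """Shinder's test: any DMZ->internal path that is open means the
    internal security zone has been extended into the DMZ."""
    if probe_ports is None:
        probe_ports = DOMAIN_PORTS | {80, 443, 3389}
    leaks = reachable_ports(rules, "dmz", "internal", probe_ports)
    return ("DMZ" if not leaks else "screened subnet"), leaks


# Constructed rule sets (not from the thread).
# 1. DMZ host joined to the internal forest: DC traffic has to be allowed
#    from the DMZ into the internal zone, so the zone boundary is crossed.
AD_IN_DMZ_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    *[Rule("dmz", "internal", p, "allow") for p in sorted(DOMAIN_PORTS)],
    Rule("dmz", "internal", None, "deny"),
]
# 2. Isolated DMZ: nothing initiated in the DMZ reaches the internal zone;
#    administrators connect *to* the DMZ, never the other way round.
ISOLATED_DMZ_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("internal", "dmz", 3389, "allow"),
    Rule("dmz", "internal", None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("AD-in-DMZ", AD_IN_DMZ_RULES), ("isolated", ISOLATED_DMZ_RULES)):
        verdict, leaks = classify_dmz(rules)
        detail = f", DMZ->internal open on {sorted(leaks)}" if leaks else ""
        print(f"{name}: {verdict}{detail}")
```

The probe set is deliberately wider than the domain ports so that an unrelated hole (say, a management port opened from the DMZ inwards) is reported by the same check; the verdict is driven by any open DMZ-to-internal path, not only by the AD-specific ones.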
Nice

-----Original Message-----
From: PETER PAPE [mailto:papexpjboi@xxxxxxx]
Sent: Thursday, July 10, 2003 3:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ

http://www.ISAserver.org

Just to make things a little more interesting, check out Microsoft KB 329807:
http://support.microsoft.com/?id=329807

If I read/understand this correctly, ISA Server does not support the forest
or member server residing in the DMZ. That is assuming that ISA Server will
separate your Public DMZ from the internal network :).

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------