Re: AD in DMZ

  • From: Glenn Maks <gmaks@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jul 2003 08:13:55 -0400

Great Point ... 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 10, 2003 4:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ


http://www.ISAserver.org


Hi Brian,
 
You use RRAS packet filters and IPSec Policies to create a LAT-based DMZ.
But remember, it's NOT a real DMZ if you put private assets into it. It's like
me putting my ex-mother-in-law in the Korean DMZ. Hmmm. Well, that's not the
best analogy, but you know what I mean. A DMZ is designed as an entirely
separate and distinct security zone that, if compromised, has no effect on your
protected assets. Extending the private network's security zone into the DMZ
entirely breaks the underpinnings of the DMZ concept. At that point all you
have is a "screened subnet", not a DMZ.
 
HTH,
 
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx] 
Sent: Thursday, July 10, 2003 3:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AD in DMZ

That doesn't make any sense. 

So ISA can't be a member of the internal domain on the DMZ 

Nor can it be a member of a separate trusted forest in the DMZ?? 

What the hell are you supposed to do with it then? 

On a side note...this seems a bit silly...as currently this is how our
production environment exists (albeit on NT4 and not AD).

I also have two separate forests in the lab (dmz with ISA on one) internal
network on the other. 

The KB article doesn't say it won't work...it just says it isn't supported. 

Nice 




-----Original Message----- 
From: PETER PAPE [mailto:papexpjboi@xxxxxxx] 
Sent: Thursday, July 10, 2003 3:23 PM 
To: [ISAserver.org Discussion List] 
Subject: [isalist] Re: AD in DMZ 

Just to make things a little more interesting, check out Microsoft KB 329807


http://support.microsoft.com/?id=329807

If I read/understand this correctly, ISA Server does not support the forest
or member server residing in the DMZ. That is assuming that ISA Server will
separate your Public DMZ from the internal network :). 
