Hi Jim,

I'd say the Trust across firewalls issue is a 100% miss situation. We've tried to make this work for over a month, trying everything in the KB and it just does not work. Problems with NAT, Kerberos tickets, RPCs, you name it. VPN is the only way to go. We have an excellent article coming out next week on how to do this, thanks to the excellent work of Jay S.

Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, September 13, 2001 12:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Arrays not part of domain + Surrogate Sockets

http://www.ISAserver.org

Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "VEITCH,NICHOLA (HP-UnitedKingdom,ex1)" <nichola_veitch@xxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 13, 2001 10:05
Subject: [isalist] Re: Arrays not part of domain + Surrogate Sockets

Hi Jim,

To clarify...

I need to create a new domain for the ISA servers in the DMZ.
* Yes; but beware the "trust across firewalls" issue; there are some KB's on the subject, but it's a very hit-and-miss proposition.

For ISA to listen for incoming connections on the ISA Server for each mapping defined it needs to be installed in FW/integrated mode.
* That depends on the incoming connection type. If it's a web protocol, then no. If it's for any other protocol, then yes.

Thanks for your help.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 13 September 2001 17:21
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Arrays not part of domain + Surrogate Sockets

Inline...
Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: <nichola_veitch@xxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 13, 2001 07:55
Subject: [isalist] Arrays not part of domain + Surrogate Sockets

Can anyone clarify whether an ISA server array can be set up that is not part of the domain. They are in the DMZ. Do I need to set up a Domain just for these ISA servers?
* ISA arrays absolutely depend on W2K AD structure. You don't get them any other way.

ALSO...

Can ISA Server fulfill the following functionality of Surrogate Sockets:

Define static mappings through your ISA - either inbound or outbound.
* Yes; on a per-protocol basis. RRAS is needed to have "all allowed inbound".

Limit by client IP address which clients can connect to each mapping.
* Absolutely

Can ISA listen for incoming connections on the ISA Server for each mapping defined?
* That's the basis of server publishing.

Many Thanks

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')