Hi, David.

There are a couple of flaws with this as I see it in this situation. First, if the Corp Domain trusts the ISA domain, then anyone who compromises your ISA box is automatically (for all intents and purposes) trusted by the Corp Domain. I see this as a bad thing. Second, there is no way to trust the Internet, as it is not a domain, so this part of the discussion is basically moot.

However, if it were the other way around, and the ISA domain were to trust the Corp Domain, then the internal users of the Corp domain would have access to ISA resources. Since this is a one-way trust, if your ISA box were compromised the attacker would not automatically have access to internal Corp Domain resources.

Now, the question is: does this really add more security, or just more complication? Just having a standalone ISA server and a member server in a back-to-back deployment (the standalone exposed to the Internet) gives me pretty much the same amount of security without the complication of external forest trusts. Of course, YMMV.

Kevin

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Saturday, August 09, 2003 2:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Domain structure to add more security protection

http://www.ISAserver.org

Hi everyone,

I was wondering, if cost were not a factor, how one would design the perfect Windows 2000/2003 environment. Would it be wise to create a resource domain specifically for ISA/VPN and create an external, one-way, non-transitive trust? I remember someone asking this and I can't remember if it was answered.

Corp Domain <---trust--- ISA Domain <---- Internet

Corp Domain trusts ISA Domain; ISA Domain does not automatically trust Corp Domain. In a non-transitive trust relationship, if Corp Domain trusts ISA Domain and ISA Domain trusts the Internet, Corp Domain does not automatically trust the Internet.

Regards,

David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net
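To make the direction-of-access point in the two messages above concrete, here is an added example (editor's code, not from either poster) that models one-way and non-transitive trusts as a directed graph and reports which domains' resources an account holder, or an attacker who has compromised a domain, can be granted access to. The rule it encodes is the one Kevin relies on: "A trusts B" lets accounts from B (the trusted domain) be granted access to resources in A (the trusting domain), never the reverse, and a non-transitive trust is a single hop that does not chain. The domain names corp.example, isa.example and partner.example are made up, and the model deliberately ignores SID filtering and selective authentication; the Internet has no edge at all, matching Kevin's remark that it is not a domain.

```python
"""Model of Windows trust direction and transitivity (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str            # domain whose resources become reachable
    trusted: str             # domain whose accounts are accepted
    transitive: bool = False  # external one-way trusts are non-transitive


def reachable_resource_domains(account_domain, trusts):
    """Domains whose resources an account from `account_domain` can be
    granted access to.

    We walk trust edges from the trusted side to the trusting side. The
    first hop may use any trust; every later hop requires that the whole
    chain so far, and the new edge, be transitive. A non-transitive trust
    therefore never carries accounts beyond the domain that directly
    trusts them.
    """
    by_trusted = {}
    for t in trusts:
        by_trusted.setdefault(t.trusted, []).append(t)

    reached = {account_domain}
    visited = set()  # (domain, chain_is_transitive) pairs already expanded
    queue = deque([(account_domain, 0, True)])  # (domain, hops, chain_transitive)
    while queue:
        domain, hops, chain_transitive = queue.popleft()
        if (domain, chain_transitive) in visited:
            continue
        visited.add((domain, chain_transitive))
        for t in by_trusted.get(domain, []):
            if hops > 0 and not (chain_transitive and t.transitive):
                continue  # non-transitive link somewhere in the chain: stop
            reached.add(t.trusting)
            queue.append((t.trusting, hops + 1, chain_transitive and t.transitive))
    return reached


def blast_radius(compromised_domain, trusts):
    """Same computation, read from the attacker's side: holding accounts in
    `compromised_domain` gives a foothold in every domain that trusts it,
    directly or through a fully transitive chain."""
    return reachable_resource_domains(compromised_domain, trusts)


# David's proposal: Corp trusts ISA (external, one-way, non-transitive).
DAVID_DESIGN = [Trust(trusting="corp.example", trusted="isa.example")]
# Kevin's reversed direction: ISA trusts Corp.
KEVIN_DESIGN = [Trust(trusting="isa.example", trusted="corp.example")]
# Hypothetical chain to show transitivity: Corp trusts ISA, ISA trusts a
# partner domain. Made-up names, two variants.
CHAIN_NON_TRANSITIVE = [
    Trust("corp.example", "isa.example", transitive=False),
    Trust("isa.example", "partner.example", transitive=False),
]
CHAIN_TRANSITIVE = [
    Trust("corp.example", "isa.example", transitive=True),
    Trust("isa.example", "partner.example", transitive=True),
]


def compare_designs():
    """Summarise who can reach what under each design, sorted for stable output."""
    return {
        "david: ISA compromised reaches": sorted(blast_radius("isa.example", DAVID_DESIGN)),
        "kevin: ISA compromised reaches": sorted(blast_radius("isa.example", KEVIN_DESIGN)),
        "kevin: Corp users reach": sorted(reachable_resource_domains("corp.example", KEVIN_DESIGN)),
        "chain (non-transitive): partner reaches": sorted(
            reachable_resource_domains("partner.example", CHAIN_NON_TRANSITIVE)),
        "chain (transitive): partner reaches": sorted(
            reachable_resource_domains("partner.example", CHAIN_TRANSITIVE)),
    }


if __name__ == "__main__":
    for label, domains in compare_designs().items():
        print(f"{label}: {', '.join(domains)}")
```

Run as a script it prints that, in David's layout, a compromised ISA domain reaches Corp resources, while in Kevin's reversal it reaches only itself and Corp users gain access to ISA; the two chain variants show that adding a third domain behind ISA only reaches Corp when every trust in the path is transitive, which an external trust is not.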