I've never thought of the IRS and network security together before. I don't think I want to, makes my brain panic. In some ways it's a good analogy though. In both cases we're out here trying to do the right thing while possessing imperfect knowledge about hackers and tax laws.

Truth is, if you're an SBS admin you possess imperfect knowledge about everything. We got 6 server apps running on one box (before the business adds any LOBs, backup, anti-virus, etc.) and we've got to know enough about each of them to keep them running. Back in the enterprise I was only in charge of Exchange and NetWare migration. (Well, OK, that annoying Unix PBX too, but only because no one else would touch it, not because I wanted to.) Which meant that I knew a lot more about those individual technologies. SBS isn't a technology, it's a whole IT infrastructure.

SBS is the best thing since the fax machine for small business. We're talking real impact on how these businesses operate. Maybe Susan's answer about firewall best practice should be "You got a better solution? I didn't think so." It would seem in character.

I'm anxious for Centro to come out too. It's killing me that I had to order the medium business bundle for a 200 user client and it doesn't include ISA. They just couldn't wait. It's a pirated software, you call that an active directory, clean up and it's got to be done now. Now, I've got to figure out how I can sell Centro support into medium businesses that already have an IT department. I'm secretly hoping that it turns out to be as easy to screw up as SBS is. Businesses in that size range tend to have PC techs, but not much above that.

Amy
Harbor Computer Services
Small Business Computer Specialists
Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, October 14, 2005 9:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SBS

http://www.ISAserver.org

Hi Amy,

It's not suspending reality, it's suspending disbelief. Let me give you an example of how I've been guilty of this.

You'll recall that ISA2k had very poor support for DMZ networking. Well, a lot of people, for good reason, wanted to put their front-end Exchange Server on the DMZ network, since the front-end Exchange Server is an Internet facing host, you certainly don't want it on the same security zone as non-Internet facing hosts. The problem was that ISA2k's DMZ support could not allow for a secure DMZ networking solution with strong pre-authentication to the DMZ segment and strong access controls between the DMZ segment and the non-Internet facing security zone.

So, what did I do? I said "why would you want to extend your AD into the DMZ?" and "the AD shouldn't be extended into different security zones". Of course I knew this was bunk, but I suspended disbelief, crossed my fingers behind my back, and tried to repeat the phrases so often that I would almost believe them.

Of course, now that the ISA firewall supports secure DMZ networking where you can securely place the front-end Exchange Server on the DMZ, the Exchange team horks (thanks for the term, Jim!) their documentation and promulgates b*llsh*t about having to "open too many ports" from the DMZ to the non-Internet facing security zone.

You're right about the price point issues, and this isn't the area where there's any suspension of reason or normal network security practices.
I don't have any problem accepting that reality and appreciate you get the level of security you can pay for. I also heartily agree that they need to come up with an ISA SKU that supports like 10-20 users and hits the SonicWall, Check Point, and other vendors' SOHO/SBS price points.

What I'm really referring to are things like this: http://msmvps.com/bradley/archive/2005/10/10/69994.aspx

It's OK for her not to like the fact that you need to meet some minimum requirements for a secure requirements, heck, I hate April 14 with a passion. But network security principles and the IRS are realities independent of our wishes and wants.

I can't wait until Centro comes out. We're going to have a KILLER centro.org site. All the key components are included and the ISA firewall will be on its own server. Life is going to be good, very good :)

Thanks!

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls