Hi Tom,

I've got the same view that you do on it. There really is not a good reason to not have it in the domain. BUT the audit guys are crazed about systems that talk directly into an internal network and the internet at large.

So, any advice for us who need a buffer between production networks and the internet with an ISA array? Even if we really don't want to. Is an array worth the money then or just go with one beefy system as a stand alone?

Thanks,
Troy

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, March 03, 2005 11:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Enterprise is Out

http://www.ISAserver.org

Hi Troy,

If I hear that canard one more time, I'm going to chew the last bag of nails I have :)

The fact is, the ISA firewall, even 2000, has never been reported to be compromised. The chances are even slimmer that the 2004 firewall will be compromised. So, I have no compunction at all joining the array to the domain. You could put it in a subdomain, if that's how you have things configured for your branches, but I'll never get over the security wankers (I was formerly one of those wankers, so I have the "ex smoker syndrome" for this situation) saying that there is some sort of supernatural reason why you should join the ISA firewalls to the domain because "something could happen".

Of course, if one, JUST ONE, hacker, sec guru, SOMEBODY, would show me how they can leverage an "owned" ISA firewall that is a domain member viz. non-domain member is worse, I'll turn on a dime.
But if I own the firewall to that extent, it doesn't matter after I install my sniffer on the non-domain member :-)

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

_____
From: TRadtke@xxxxxxxxxxxx [mailto:TRadtke@xxxxxxxxxxxx]
Sent: Thursday, March 03, 2005 11:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Enterprise is Out

Hi Tom,

In a domain/child domain infrastructure, where would you put it? ISA2000 in an array was always best served by being in its own domain with a one way trust to the network behind it, so it's isolated from the rest of the network in case it's compromised somehow, yet trusting the internal network so it's manageable. In that form it's been passing S.OX. and G.L.B. compliancy testing and audits.

Now I'm seeing you say to toss it into the domain and let it run. Any comments on that so I can see if we need to attack ISA2004EE from a different perspective?

Thanks,
Troy

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, March 03, 2005 10:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Enterprise is Out

Hi Steve,

The primary issues you'll run into are related to a "workgroup" installation, as it's not a no-brainer and not for those who aren't very jiggy with PKI. However, if you make the array a member of the domain, ISA EE is a true pleasure to behold. The integrated NLB feature is fantastic, the integrated logging and reporting is top shelf, and CARP exceptions are icing on the cake.
I pity the fool who'd buy SonicWall :-))

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

_____
From: SteveC [mailto:stevec@xxxxxxxxxxx]
Sent: Thursday, March 03, 2005 10:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 Enterprise is Out

How'd I miss the release of this one? Dr. Shinder, do you have any comments/news/tidbits on it before I dive in?

Thanks.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

--
http://www.atomic9.net/public