Nope - they are using iCode as their backside (not entirely familiar with its internals) for the e-commerce, but both web & database servers will be behind the ISA firewall with HTTP & SSL published through the firewall. Internal client internet access and mail will not be going through ISA - it is only for VPN entrance from remote branch/user endpoint and secure web publishing.

-----Original Message-----
From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Thursday, August 02, 2001 3:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server & AD

http://www.ISAserver.org

My main concern with controllers as the web server is that they can also easily (in many cases) be compromised as well. Unicode, buffer overruns, etc. can expose the web server to remote exploit and you are in the same boat.

Is the DB server on the Internet? If not, then I would rather put it on that guy than the web server. At least a compromise will have to move inside to get to the good stuff. What is the DB engine? SQL? You can secure SQL pretty easily... Plus, the SQL service can easily be run as guest, where inetinfo.exe is Local System. AD