1. The question of VPN authentication is more one of how you define that process than whether or not ISA lives in or trusts the authenticating domain. You can use NTLM or RADIUS, as you choose.

2. The question of CITRIX access is one of long debate, but I've seen many folks have success with that. You won't get an "all open" inbound rule for any internal host.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Pete Afrasiabi" <PAfrasiabi@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 30, 2002 11:49
Subject: [isalist] Re: ISA Server Best Practices-Joining an internal NT Domain

http://www.ISAserver.org

1- Will I lose any inherent ISA functionality by setting up this separate AD Domain and establishing trust relationships, like pass through authentication for VPN or otherwise?

2- Also on the ONE to ONE NAT issue, is it true that I cannot perform a NAT to an internal server like a Citrix server? If I am using a Citrix NFUSE server in my DMZ will the external client be able to redirect to my internal server?

Thanks
Pete

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, January 29, 2002 5:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Server Best Practices-Joining an internal NT Domain

Given the choice and the resources, build a separate domain for ISA and trust the internal domain.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Pete Afrasiabi" <PAfrasiabi@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 29, 2002 16:35
Subject: [isalist] ISA Server Best Practices-Joining an internal NT Domain

Trying to figure out whether it makes sense to add my ISA server to my internal domain or just create a new domain and establish trust relationships with my existing. I understand that there may be some risk exposing my internal AD to the outside world, even though it's presumably being protected by ISA. Any feedback would be appreciated.

Pete