Hi Christian,

Regardless of your definition of a perimeter network, you CAN NOT have members of the internal network on an external network. External meaning non-LAT. That was the setup I assumed, that he wanted to put domain member machines on a non-LAT segment.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Christian.Schramm@xxxxxxxxxxxxxx [mailto:Christian.Schramm@xxxxxxxxxxxxxx]
Sent: Friday, May 23, 2003 3:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA in DMZ with authentication by Domain (with DC in internal network)

http://www.ISAserver.org

Hi Tom,

In my opinion this depends on your definition of a perimeter network. If you mean a perimeter network realized with three NICs on ISA, you may be right. But if you have a "normal" ISA installation which maybe is surrounded by another firewall (e.g. packet filter), then you are wrong. I thought from Etienne's post that he is in the latter situation and therefore needs to know exactly which ports have to be opened in the packet filter to log on to a W2K domain. This is described in the link to the KB article I sent yesterday.

Greets
Christian

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, May 23, 2003 08:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA in DMZ with authentication by Domain (with DC in internal network)

Hi Christian,

I think you sent the wrong link. You meant to send this one:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329807

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Christian.Schramm@xxxxxxxxxxxxxx [mailto:Christian.Schramm@xxxxxxxxxxxxxx]
Sent: Thursday, May 22, 2003 6:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA in DMZ with authentication by Domain (with DC in internal network)

hi...

http://support.microsoft.com:80/support/kb/articles/Q280/1/32.ASP&NoWebContent=1

Greets
Christian

-----Original Message-----
From: Etienne Goetynck [mailto:Etienne.Goetynck@xxxxxxx]
Sent: Thursday, May 22, 2003 13:20
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA in DMZ with authentication by Domain (with DC in internal network)

Hi everybody,

I have an ISA Server (on W2K srv SP3, stand-alone server) in the DMZ (not as FW, just Web Publishing). I would like the ISA Server to be able to authenticate users of my domain, but the DCs (W2K SRV SP3) are in the internal network. Is it possible? If yes, I suppose that I must open some protocols on the firewall... but which ones? Some help or ideas for me?

Thank you in advance.
Etienne