1. The discussion is regarding TS App mode, not Admin mode. The users have local login rights and are apparently administrators as well, since they can successfully install the FW client. This is the core of future pain and heartache.
2. ISA as a domain member or controller is not really important; TS operating as "high encryption" is as cryptographically secure as a VPN. The critical difference between them is a TS protocol vuln that was discovered and patched a year ago.
3. Terminal services on all Windows machines listen to all interfaces by default. Installing ISA doesn't change anything.

Overall, I agree; TS Admin mode is great for remote ISA manglement, but TS App mode for the lusers on the ISA / DC is a nightmare that you'll never wake up from.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Glenn Maks" <gmaks@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2003 05:46
Subject: [isalist] RE: ISA server cannot connect to Internet

http://www.ISAserver.org

I would not be so quick to bash Terminal Services in Administration mode on a Microsoft ISA server. As a matter of fact, Microsoft suggests this as a means for remote administration of the ISA server if your ISA server is installed as a stand-alone server outside of an Active Directory Domain. To put your worries to rest, Terminal Services installed on an ISA Server will answer only from an Internal Interface, NOT the public interface. In addition, there are ways to allow and deny by specific IP addresses, which will further secure attempted access if people discover that Terminal Services are running. Speaking for myself, I know I would NOT want to drive into work at 1:00 AM if I got a service call and had to look at the ISA server to resolve the problem ... think about it.

-----Original Message-----
From: Troy Armour [mailto:troy@xxxxxxxxxx]
Sent: Tuesday, September 16, 2003 4:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server cannot connect to Internet

I didn't ask for a debate on what should or should not be done. But it's the Small Business Server - so you're telling me then that when I install the server I can't install Exchange because I'm installing the ISA option - hmmmm? Funny one that really, when it all comes bundled together as it does. Anyway, I didn't really ask to be ridiculed. SBS is designed for this sort of setup - this company doesn't have the budget to put 2 servers in - then they couldn't run SBS anyway. They have 10 users, and some of them have to have install rights as that's just the way it goes in 2 office companies. Can someone just answer the question if they have any ideas - I haven't seen this problem before.

Thanks
Troy

----- Original Message -----
From: Steve Moffat <mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Monday, September 15, 2003 10:32 PM
Subject: [isalist] RE: ISA server cannot connect to Internet

You are kidding, Terminal Server on a firewall????....lol...heard everything now. Not even locked down so clients can install their own software....rotflol

Uninstall ISA, get separate hardware and reinstall it. NOTHING should be installed on a firewall.

Steve

_____

From: Troy Armour [mailto:troy@xxxxxxxxxx]
Sent: Monday, September 15, 2003 3:26 PM
To: Isa Weblist

Hi everyone, just popped over from the Exchange list with a wee ISA query. I have a company that use ISA server sitting on Windows 2000 Terminal Services. Only the administrator can go online from a terminal. Everything was working fine up until a week ago, then all stopped - I did notice that one of the users had installed the firewall client on his terminal session - I remember reading somewhere that this is never to be done. What I get now is when a user tries to access a web page he/she gets finding www.website.com, then the IP address and then nothing - and the error returned is not an ISA server error. I'm not new to this but this has me stumped. I've all the usual settings correct - but I'm obviously missing something - I uninstalled the firewall client in case it was that but still no joy - I'd appreciate anyone shedding some light.....

A frustrated Irish Paddy

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: steve@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')