RE: ISA server on a DC

• From: "Jim Harrison" <jim@xxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Tue, 23 Dec 2003 10:34:11 -0800

Unfortunately, expense is often the primary driving force in deployments.
The questions we get are often over-simplified, and lacking that crucial bit
of information like, "I only have $1.298 to spend, but I need to build a
Google competitor. and protect it with ISA on a Kaypro 2."

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "cismic" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, December 23, 2003 10:20
Subject: [isalist] RE: ISA server on a DC


http://www.ISAserver.org

How would the setup of this be?

1. External Domain maybe with ISA, DC and external DNS all setup for
security purposes.
2. DMZ with it's own domain
3. Then of course the internal domain.

Not sure if those are good setups or not.  Sometimes the expense of
licensing doesn't permit
The different labs I like to setup.

Joseph

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, December 23, 2003 6:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server on a DC


http://www.ISAserver.org

Hi Phil,

This statement "ISA cannot be installed on NT4 and therefore cannot be
part of an NT4 domain" is incorrect.

While it's true that ISA can't be installed on an NT4 box, there's
nothing that prevents Windows 2000 or Windows 2003 from joining an NT4
domain.

Of all the scenarios that ISA supports, having the DC on the firewall is
the least secure (skip the SBS discussion for now).

You can (in preference order):
1. create an ISA domain (forest) that trusts the internal domain 2.
create an ISA / DC that trusts the internal domain 3. join the internal
domain

And no, I wasn't assuming "the same domain", although I didn't make that
clear, either.  I generally try to discourage joining the ISA to an
existing domain if possibe.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 23 Dec 2003 20:40:57 +1100
 "Phill Hardstaff - SPC" <phillh@xxxxxxx> wrote:
http://www.ISAserver.org

OK, heres a question for you guys :

1) You want to authenticate your proxy server requests.
2) You are running an NT4 domain (yes there are still plenty)
3) You only have ONE box to install ISA on.

OK, how are you are going to get authentication requests from the ISA
box to your NT4 domain ? knowing full well that ISA cannot be installed
on NT4 and therefore cannot be part of an NT4 domain ? and you certainly
don't want to install ISA on a Win2K member server in your domain (well
you wouldn't would you ?)

Think about it ? I know one solution, and it involves what you are
saying not so do below. i.e. install ISA in it's own domain as a DC, and
have a one way trust with the NT4 domain, i.e. the NT4 domain is trusted
by the ISA box but the ISA domain is not trusted by the NT 4 domain. If
you know of any other way to get this work I would be interested.

What I am saying is that installing on a DC in certain situations is not
a problem (DC in it's own domain), everyone always seems to assume it's
the DC for the main and only domain :) and this may well be what this
guy was talking about, then again it may not.

Cheers

Phill


----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, December 23, 2003 2:59 PM
Subject: [isalist] RE: ISA server on a DC


http://www.ISAserver.org

Hi Ryan,

I highly recommend against it. It might work, but I didn't test that
config. The point of that article was to show people how it could work,
but I hope it didn't give the impression that I approved of the config.

HTH,
Tom

-----Original Message-----
From: Ryan Palmer [mailto:RyanPalmer77@xxxxxxxxx]
Sent: Monday, December 22, 2003 4:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA server on a DC

http://www.ISAserver.org

I was just reading the article about installing ISA on a Domain
Controller. In the article they promoted the server to a DC before
installing ISA. Can I install ISA on my server and promote it to a
Domain Controller at a later date?

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
phillh@xxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

• » ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » Re: ISA server on a DC
• » Re: ISA server on a DC
• » Re: ISA server on a DC
• » Re: ISA server on a DC
• » Re: ISA server on a DC
• » RE: ISA server on a DC
• » Re: ISA server on a DC
• » Re: ISA server on a DC
• » Re: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC
• » RE: ISA server on a DC

1. Home
2. isalist
3. Archive
4. 12-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---