I think that there could be good arguments to do either. One good reason to make it part of the domain is for ease of administration if you are using Active Directory (as opposed to an NT 4 domain). Group policies allow you to secure the security according to a central standard. With it being its own little domain or workgroup, you will be forced to administer policies on a per server basis. This often leads to mistakes and oversights.

I see no advantage to leaving it in its own workgroup besides the fact that if it is compromised, the administrator password is not global. There are AD ways to make that not happen, too, and any qualified AD administrator should know them. It is also a false sense of security because if your ISA server is hacked, they are essentially behind your firewall and the rest of your network is already in jeopardy, administrator password or not!

I suggest joining it to a secure Active Directory domain. Do NOT, however, make it a domain controller! This exposes unwanted things to the outside world (among other obvious reasons). Just have it be a member server in the domain and regulate it in its own OU with its own security policy.

-----Original Message-----
From: Chris Patterson [mailto:cpatterson@xxxxxxxxxxxx]
Sent: Monday, March 18, 2002 1:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installation of ISA

http://www.ISAserver.org

The way I see it, the only reason to make it the member of a domain is if you were going to use the Enterprise version and have it store/share its configuration in Active Directory. Or if users were going to use their domain username/password for authentication. But if you have no need for either of those two, then I don't suppose it would be necessary to have it as part of a domain. A workgroup should suffice.

My personal opinion here. Any debates?

Chris Patterson
Network Administrator
Axiom Systems
<Http://Www.AxiomSys.Com>

The Truth Is Out There. Go Find It.
<Http://Www.2600.Com>

-----Original Message-----
From: greynolds@xxxxxxxxxxxxxxxx [mailto:greynolds@xxxxxxxxxxxxxxxx]
Sent: Monday, March 18, 2002 12:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Installation of ISA

http://www.ISAserver.org

I have a huge question about installing ISA that I can't seem to get a definitive answer to one way or another. The ISA server I have installed at a client site is on a stand-alone server but is a member server of the Domain. Does this ISA have to be a member of the domain or can I just have it in its own workgroup like you would a Checkpoint firewall? Is there a reason it has to be in the domain? This seems inherently risky as if it's compromised, you may have compromised your entire domain. This of course is the reason why you would usually make firewalls members of their own little workgroup and not members of the domain.

Please, any help on this would be appreciated.