RE: Installation of ISA

  • From: "Steve Bostedor" <Steveb@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 18 Mar 2002 13:44:10 -0500

        I think that there could be good arguments to do either.  One good 
reason to make it part of the domain is for ease of administration if you are 
using Active Directory (as opposed to an NT 4 domain).  Group policies allow 
you to secure the security according to a central standard.  With it being its 
own little domain or workgroup, you will be forced to administer policies on a 
per-server basis.  This often leads to mistakes and oversights.  
        I see no advantage to leaving it in its own workgroup besides the fact 
that if it is compromised, the administrator password is not global.  There are 
AD ways to make that not happen, too, and any qualified AD administrator should 
know them.  It is also a false sense of security because if your ISA server is 
hacked, they are essentially behind your firewall and the rest of your network 
is already in jeopardy, administrator password or not!
        I suggest joining it to a secure Active Directory domain.  Do NOT, 
however, make it a domain controller!  This exposes unwanted things to the 
outside world (among other obvious reasons).  Just have it be a member server 
in the domain and regulate it in its own OU with its own security policy.

-----Original Message-----
From: Chris Patterson [mailto:cpatterson@xxxxxxxxxxxx]
Sent: Monday, March 18, 2002 1:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installation of ISA


http://www.ISAserver.org


The way I see it, the only reason to make it the member of a domain is
if you were going to use the Enterprise version and have it store/share
its configuration in Active Directory.  Or if users were going to use
their domain username/password for authentication.  But if you have no
need for either of those two, then I don't suppose it would be necessary
to have it as part of a domain.  A workgroup should suffice.

My personal opinion here.  Any debates?

Chris Patterson
Network Administrator
Axiom Systems
<Http://Www.AxiomSys.Com> 
The Truth Is Out There. Go Find It. <Http://Www.2600.Com>




-----Original Message-----
From: greynolds@xxxxxxxxxxxxxxxx [mailto:greynolds@xxxxxxxxxxxxxxxx]
Sent: Monday, March 18, 2002 12:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Installation of ISA



I have a huge question about installing ISA that I can't seem to get a
definitive answer to one way or another. The ISA server I have installed
at a client site is on a stand-alone server but is a member server of the
Domain. Does this ISA have to be a member of the domain, or can I just have
it in its own workgroup like you would a Checkpoint firewall? Is there a
reason it has to be in the domain? This seems inherently risky, as if it's
compromised, you may have compromised your entire domain. This of course is
the reason why you would usually make firewalls members of their own
little workgroup and not members of the domain.

Please any help on this would be appreciated.

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
CPatterson@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
