>From all the information I have gathered, including form Microsoft itself is that for full function, ISA should be a member server of your internal domain. If ISA is its own workgroup, then it simply acts as a firewall like any other. But if ISA is a member server in a domain, you can take full advantage of AD and groups in your rules. Example, the guests group could be denied access while the power users group could only access during lunch and break time and administrators could be unrestricted. Being a member of a domain allows you to use all the features and be very granular on policies using AD. John Tolmachoff IT Manager, Network Engineer 211 E. Imperial Hwy., Suite 106 Fullerton, CA 92835 714-578-7999, ext. 104 jtolmachoff@xxxxxxxxxxxxxxxx www.reliancesoft.com -----Original Message----- From: greynolds@xxxxxxxxxxxxxxxx [mailto:greynolds@xxxxxxxxxxxxxxxx] Sent: Monday, March 18, 2002 9:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] Installation of ISA http://www.ISAserver.org I have a huge question about installing ISA that I can't seem to get a definiative answer to one way or another. The ISA server I have installed at a client site is on a stand-alone server but is a member server of the Domain. Does this ISA have to be a emeber of the domain or can I just have it in it's own workgroup like you would a Checkpoint firewall. Is there a reason it has to be in the domain. This seems inherently riskyas if it's comprimised, you may have comprised your entire domain. This of course is the reason why you would usually make firewall's member of their own little workgroup and not a member of the domain. Please any help on this would be appreciated. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jtolmachoff@xxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')