I asked the question and you good people are conversing with each other, not replying with my question's answer.

JosephK <josephk@xxxxxxxxx> wrote:

http://www.ISAserver.org

What I've seen about the two forests is this. Thor uses a domain in his front end DMZ, and I imagine that the front end ISA could belong to the front end DMZ.

What I'm talking about is a back to back domain setup:

FE ISA >> DMZ >> BE ISA >> INTERNAL

I've been considering putting my front end DMZ in a domain of its own. And I would not trust the front end domain with the back end domain. Unless someone else thinks that is a good idea.

Thank you,
Joseph

-----Original Message-----
From: Andy Haigh [mailto:ahaigh@xxxxxxxxxxxxxxxx]
Sent: Wednesday, August 10, 2005 8:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.

What made me start looking at having two forests was Microsoft's own documentation. This is the offending paragraph from the ISA Security Guide:

    If the ISA Server computer is protecting the edge of your network, we recommend that you install it in a separate forest (rather than in the internal forest of your corporate network). In this way, you help protect the internal forest from being compromised, even if an attack is mounted on the forest of the ISA Server computer. To experience the administrative and security benefits of ISA Server as a domain member, we recommend that you deploy the ISA Server computer in a separate forest with a one-way trust to the corporate forest. (One-way trust is supported on Windows Server 2003 domains only.)

I was going to just add it to the domain until I read this! Is this just overkill from MS??

Andy

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 10 August 2005 8:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.

Couldn't say it better than Jim.
Those "concerned" folks should be more concerned about what happened at Red Hat this year and their Cisco devices than worry about domain member ISA firewalls. If they keep chasing the Microsoft "security" rabbit, the Genie in the Bottle (miraculously secure "hardware") will end up putting a cap in their collective a**es. :-)

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: Andy Haigh [mailto:ahaigh@xxxxxxxxxxxxxxxx]
Sent: Tuesday, August 09, 2005 11:29 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.

So as per a question I asked earlier, there is no real value in creating two separate forests and then adding a one-way trust. If ISA 2004 is correctly configured, having it part of the domain is not an issue?

Andy

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 10 August 2005 12:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.

Hi Alex,

Common problem -- based on no facts on the side of those "concerned".

Ask them how the AD is exposed. How would someone access the AD from the ISA firewall? Where is there a single report anywhere that an ISA firewall has ever been compromised to enable this exposure?
What are they doing on the inside, where the overwhelming majority of attacks source from, to protect against AD exposure, and have they considered that exposure to be orders of magnitude higher than what theoretically *might* take place if the ISA firewall were "owned" (which won't happen if properly configured)?

HTH,
Tom

________________________________
From: Alex Gonzalez [mailto:AGonzalez@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 09, 2005 9:08 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Installing ISA 2004 in workgroup.

Hi Tom:

Actually, while on the topic, what is the main reason to join it to the domain? I joined the one I am setting up and people disagreed. I told them it was standard but they didn't want Active Directory exposed. What can I tell them to calm them down?

Alex

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tue 8/9/2005 9:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.

It *is* complex. Join the firewall to the domain. There's no reason not to.

Tom

> -----Original Message-----
> From: Faraz [mailto:f_hkhan@xxxxxxxxx]
> Sent: Tuesday, August 09, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Installing ISA 2004 in workgroup.
>
> Hi everybody,
> can anyone tell me the link where I can walk through the procedure of
> installing ISA Server 2004 in a workgroup? [I have read the Microsoft KB
> article (but that looks complex (I have to install even certificate
> services)).] I want to install both the Configuration Storage server & ISA
> services on the same computer. Please send me a good link??????????
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx