RE: Installing ISA 2004 in workgroup.

  • From: Faraz Hassan Khan <f_hkhan@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 11 Aug 2005 04:52:13 -0700 (PDT)

I asked the question and you good people are conversing with each other, not
replying with my question's answer.

JosephK <josephk@xxxxxxxxx> wrote:

http://www.ISAserver.org

What I've seen about the two forests is this. Thor uses a domain in his
front end DMZ and I imagine that the front end ISA could belong to the
front end DMZ. What I'm talking about is a back to back domain setup:

FE ISA >> DMZ >> BE ISA >> INTERNAL

I've been considering putting my front end DMZ in a domain of its own.
And, I would not trust the front end domain with the back end domain.
Unless someone else thinks that is a good idea.

Thank you,
Joseph

-----Original Message-----
From: Andy Haigh [mailto:ahaigh@xxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 10, 2005 8:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.

What made me start looking at having two forests was Microsoft's own
documentation. This is the offending paragraph from the ISA Security
Guide:

If the ISA Server computer is protecting the edge of your network, we
recommend that you install it in a separate forest (rather than in the
internal forest of your corporate network). In this way, you help
protect the internal forest from being compromised, even if an attack is
mounted on the forest of the ISA Server computer. To experience the
administrative and security benefits of ISA Server as a domain member,
we recommend that you deploy the ISA Server computer in a separate
forest with a one-way trust to the corporate forest. (One-way trust is
supported on Windows Server 2003 domains only.) 

I was going to just add it to the domain until I read this!

Is this just overkill from MS??

Andy


________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, 10 August 2005 8:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.


Couldn't say it better than Jim. Those "concerned" folks should be more
concerned about what happened at Red Hat this year and their Cisco
devices than worry about domain member ISA firewalls. If they keep
chasing the Microsoft "security" rabbit, the Genie in the Bottle
(miraculously secure "hardware") will end up putting a cap in their
collective a**es.
:-)
HTH,
Tom
www.isaserver.org/shinder 
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 
MVP -- ISA Firewalls

________________________________

From: Andy Haigh [mailto:ahaigh@xxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 09, 2005 11:29 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.



So as per a question I asked earlier, there is no real value in
creating two separate forests and then adding a one-way trust.

If ISA 2004 is correctly configured, having it part of the domain
is not an issue?

Andy

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, 10 August 2005 12:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.


Hi Alex,

Common problem -- based on no facts on the side of those "concerned".

Ask them how the AD is exposed.
How would someone access the AD from the ISA firewall?
Where is there a single report anywhere that an ISA firewall has ever
been compromised to enable this exposure?
What are they doing on the inside, where the overwhelming majority of
attacks source from, to protect against AD exposure, and have they
considered that exposure to be orders of magnitude higher than what
theoretically *might* take place if the ISA firewall were "owned"
(which won't happen if properly configured)?

HTH,

Tom
www.isaserver.org/shinder 
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 
MVP -- ISA Firewalls




________________________________

From: Alex Gonzalez [mailto:AGonzalez@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 09, 2005 9:08 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Installing ISA 2004 in workgroup.


Hi Tom:

Actually, while on the topic, what is the main reason to join it to the
domain? I joined the one I am setting up and people disagreed. I told
them it was standard but they didn't want Active Directory exposed.
What can I tell them to calm them down?

Alex

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tue 8/9/2005 9:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Installing ISA 2004 in workgroup.



It *is* complex.

Join the firewall to the domain. There's no reason not to.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



> -----Original Message-----
> From: Faraz [mailto:f_hkhan@xxxxxxxxx]
> Sent: Tuesday, August 09, 2005 8:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Installing ISA 2004 in workgroup.
>
> hi everybody
> can anyone tell me the link where i can talk through the procedure of
> installing ISA server 2004 in workgroup, [i have read Microsoft KB
> article (but that looks complex (i have to install even certificate
> service))], i want to install both Configuration Storage server & ISA
> services on same computer, please send me a good link??????????
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx

