Hi Amy, It is blasphemy, but not enough to get you off the list ;-) A back to back firewall configuration is great, and its better than putting a fulled SBS'ed server on the edge. But you still end up in the same place were you started: a server in the early stage of compromise :-) However, its better than no protection at all. But, like almost all things in life, you get what you pay for. Thanks! Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1> Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, April 02, 2003 8:25 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: RES: Off topic: SBS Liscensing http://www.ISAserver.org http://www.ISAserver.org Maybe this is blasphemy but what about using a nice little Sonicwall firewall on the perimeter? It's not as configurable or full featured but it would add the additional layer you are looking for and it would be a lot less expensive. (please don't throw me off this list, I'm learning a lot here) Amy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Wednesday, April 02, 2003 8:47 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: RES: Off topic: SBS Liscensing http://www.ISAserver.org Hi Amy, While you can make ISA Server work on an "all purpose" server, I could never justify such a configuration from a security point of view. Putting an Exchange Server, SQL Server, FAX server, etc. on the firewall is a bad security proposition, no matter how you cut it. There are also other drawbacks, such as how logging is affected by publishing services located on the ISA Server itself. The ISA Server is a firewall and perimeter defensive device and should be treated like one. I wouldn't install all these extraneous services on a PIX or CP/Nokia and I wouldn't do it on an ISA Server. What I'm trying to determine is the cost effectiveness of using two Win2k servers and a separate installation of ISA Server. From what I can tell so far, you can still profit from getting SBS to put on the internal network to use as an Exchange, SQL, FAX, etc. server and get separate licenses for Win2k and ISA Server to run on the perimeter. The cost would be comparable to black box solutions, but you can easily configure and integrate with the existing Microsoft network, and you don't pay extra for VPN or "connectors" to connect to the user database. Thanks! Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1> Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp>