There are differencing opinions about should ISA be a member of the internal domain, but as long as the ISA server is properly maintained and configured, there is no reason not to have it a member of the internal domain and there are reasons for having it a member of the internal domain. John T eServices For You "Seek, and ye shall find!" -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Reimer, Mark Sent: Tuesday, May 23, 2006 8:31 AM To: ISA Mailing List Subject: [isalist] Real Newbie Question Hi folks, Design question. We are going to install ISA 2004 as our perimeter firewall with 3 legs (outside, dmz, internal). I've read that the ISA box should not be part of the internal domain for security reasons (if someone breaks into the ISA server box, they haven't compromised the internal AD). But, I basically want to only allow internal AD users to have access to the internet through the ISA server. There will be some short term (a few hours at a time) exceptions, but this is the general plan. What do most people do? Use a Radius server on the internal side to accomplish the above goals? Or install ISA as a member server of the internal domain? We are a windows shop, Win2K3 servers all around. Is there a source of info that would help explain the best method of setting up and ISA server. Thanks. Mark ------------------------------- Mark Reimer Windows Servers & Networking Prairie Bible Institute Box 4000 Three Hills, AB T0M-2N0 Canada 403-443-5511 www.prairie.edu