[isalist] Re: Real Newbie Question

  • From: "Reimer, Mark" <mark.reimer@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 23 May 2006 16:12:26 -0600

Actually, it came from Microsoft. It was in an article about ISA, as a
best practice. I've read a bunch of different articles today, and can't
seem to quickly find it.
 
Thanks for the advice though. I do want to make it a domain member. I
will continue on with my testing.
 
Mark.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, May 23, 2006 10:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Real Newbie Question


ACK!!!! Where did you read that drivel? If someone has the ability to
break into the ISA firewall, domain membership is immaterial. You end up
gaining a ton more security by joining the ISA firewall to the domain.
In your scenario, I ALWAYS join the ISA firewall to the domain. To do
otherwise would be foolish, IMO.
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Reimer, Mark
        Sent: Tuesday, May 23, 2006 10:31 AM
        To: ISA Mailing List
        Subject: [isalist] Real Newbie Question
        
        
        Hi folks,
         
        Design question. We are going to install ISA 2004 as our
        perimeter firewall with 3 legs (outside, dmz, internal). I've read that
        the ISA box should not be part of the internal domain for security
        reasons (if someone breaks into the ISA server box, they haven't
        compromised the internal AD). But, I basically want to only allow
        internal AD users to have access to the internet through the ISA server.
        There will be some short term (a few hours at a time) exceptions, but
        this is the general plan.

        What do most people do? Use a Radius server on the internal side
        to accomplish the above goals? Or install ISA as a member server of the
        internal domain?

        We are a Windows shop, Win2K3 servers all around.

        Is there a source of info that would help explain the best
        method of setting up an ISA server?
         
        Thanks.
         
        Mark
        -------------------------------
        Mark Reimer
        Windows Servers & Networking
        Prairie Bible Institute
        Box 4000
        Three Hills, AB  T0M-2N0
        Canada
        403-443-5511
        www.prairie.edu
         
