Thanks Tom Yes I agree, I think most large companies including teh last one I worked for have single server hardware / vpn based firewall solutions, and SQL / Exch / AD on singler servers in other locations. In the line of SBS2k, I actually like ISA - agree I never did think Proxy 2 was a firewall solution - It didnt really offer any protection in the first place :o) One of my clients have Linux and use a firewall called IPCop and it has proved to be a big-hit! But I dont want to discuss this on an ISA list Hee Hee :o) Thanks for your help and comments Tom. Although SBS2000 does not support Trust relationships, if the same user accounts are created on the 2 servers, this should get around a few issues! Simon Weaver Technical Consultant MCSE+Internet / MCSE Windows 2000 Integrated Solutions Corp. Ltd http://www.iscl.net <http://www.iscl.net/> -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 28 June 2003 21:24 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Site Connectivity with ISA / VPN http://www.ISAserver.org Hi Simon, ISA would do as well as any other firewall software on the SBS machine. The problem is that people think an ISA firewall is the same as a Proxy 2.0 server. Proxy 2.0 wasn't a firewall, it was a web caching server with some advanced remote Winsock features, so you might as well put the Web Proxy 2.0 on the SBS box because you're going to have to get a firewall anyway :-) The ISA firewall will protect the SBS box, but you should get another firewall of some kind to put in front of it. Firewalls are bastion hosts, and so they're in the front line of attack. That's why Exchange, AD and SQL aren't good things on the ISA firewall. In a perfect world, they would remove ISA from SBS, or allow some sort of exemption that allows you to install only the ISA component on another machine on the network. That would be the most rational approach, since it doesn't belong on the same machine as the rest of the software in the SBS suite. HTH, Tom Thomas W Shinder <http://www.isaserver.org/shinder> www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: <http://tinyurl.com/1llp> http://tinyurl.com/1llp -----Original Message----- From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx] Sent: Saturday, June 28, 2003 5:09 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Site Connectivity with ISA / VPN http://www.ISAserver.org Hi Tom Thanks - Yes I do see your point, but some companies look towards SBS2000 as a Single Server Solution - I would agree that a 2nd Server would be good for storage of Data, or even a NAS based Solution! But in teh case of a single server solution, are you saying that ISA would not do an effective job in protecting the data on this server? Just your opinion I would be intersted in Simon Weaver Technical Consultant MCSE+Internet / MCSE Windows 2000 Integrated Solutions Corp. Ltd http://www.iscl.net <http://www.iscl.net/> -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 28 June 2003 18:57 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Site Connectivity with ISA / VPN http://www.ISAserver.org Hi Simon, I would buy a second server and put Win2k and ISA Server on that machine. What's the price of security? Not much until you get compromised. Putting Exchange on a the Firewall just isn't a risk I'm willing to take (for myself or others) However, some people have a higher risk tolerance. I don't like gambling in Las Vegas that much either ;-) Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx] Sent: Saturday, June 28, 2003 2:57 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Site Connectivity with ISA / VPN http://www.ISAserver.org Hello Tom You mentioned enterprise groupware products on a firewall machine - what happens if you only have a single server in each site? Would ISA not protect things? Simon Weaver Technical Consultant MCSE+Internet / MCSE Windows 2000 Integrated Solutions Corp. Ltd http://www.iscl.net <http://www.iscl.net/> -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 28 June 2003 16:14 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Site Connectivity with ISA / VPN http://www.ISAserver.org Hi Simon, You can accomplish all three, it'll take a little bit of tweaking. The trust relationships should not be an issue, but depending on what you want to accomplish, you will need to enter the same accounts and passwords in each domain. However, I don't recommend putting enterprise Groupware products on a firewall. Its like putting your wallet out on the front yard before you go to bed at night and expect it to be there in the morning :-) HTH, Tom ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: Simon.Weaver@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: Simon.Weaver@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')