Re: Straw poll - separate ISA from SBS base
- From: "Jim Locke" <jim@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 13 Dec 2001 19:38:08 -0800
I read the deployment doc, says theres a wizard for multiserver.
Looks like u must plan all and well in adv, especially machine names
Think I'll order the SBS eval and see what the procedure is
My guess is SBS 1st, Win2k second then deploy ISA from SBS to 2nd
and so on
Jim
"There's no such thing as a stupid question, just stupid people"
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 7:28 PM
Subject: [isalist] Re: Straw poll - separate ISA from SBS base
> http://www.ISAserver.org
>
>
> Excellent find!
>
> Now the BQOD; how is this deployment attained?
> Many folks who've tried have run face first into the CD key issue with
> separating ISA from the lot...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the book!
>
> ----- Original Message -----
> From: "Jim Locke" <jim@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 13, 2001 19:20
> Subject: [isalist] Re: Straw poll - separate ISA from SBS base
>
>
> http://www.ISAserver.org
>
>
> Jim: Read this..
>
>
http://www.microsoft.com/backofficeserver/techinfo/deployment/2000/multiserv
> er.asp
>
>
> Jim
>
> "There's no such thing as a stupid question, just stupid people"
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 13, 2001 7:12 PM
> Subject: [isalist] Re: Straw poll - separate ISA from SBS base
>
>
> > http://www.ISAserver.org
> >
> >
> > From all I've read and heard, you can't separate the SBS2K components.
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/authors/harrison/
> > Read the book!
> >
> > ----- Original Message -----
> > From: "Jim Locke" <jim@xxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, December 13, 2001 18:15
> > Subject: [isalist] Re: Straw poll - separate ISA from SBS base
> >
> >
> > http://www.ISAserver.org
> >
> >
> > I have a simple question fro this thread.
> >
> > I have a customer that is thinking of SBS for 2 reasons
> >
> > 1) ISA
> > 2) Exchange
> >
> > Now my question is:
> > Is the ISA included in the SBS been modifed to only install on SBS?
> > They already own a Win2k server so ISA was
> > to go there and Exchange on the SBS
> >
> > Jim
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, December 13, 2001 5:22 PM
> > Subject: [isalist] Re: Straw poll - separate ISA from SBS base
> >
> >
> > > http://www.ISAserver.org
> > >
> > >
> > > More inline... ;-)
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/authors/harrison/
> > > Read the book!
> > >
> > > ----- Original Message -----
> > > From: "Connor Moran" <isa@xxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Thursday, December 13, 2001 15:56
> > > Subject: [isalist] Re: Straw poll - separate ISA from SBS base
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > > The interesting thing is you're talking about a licensing,
> > > > not a security issue.
> > > >
> > >
> > > I understand what you're saying, but I believe that there are elements
> > > of security running a complete suite of Exchange, SQL, IIS5 and ISA on
> > > one machine with a dual NIC. Compromise the machine and you have
access
> > > to the entire application suite without any more effort.
> > >
> > > Absolutely! That's the tradeoff, unfortunately. Another thing to
> > remember
> > > is that MS is first and foremost, a business and as suvch, many
product
> > > configuration and (especially) licensing options are not
"server-smart".
> > > This is undoubtedly an area of investigation for MS in light of other
> > recent
> > > efforts in the security arena for them.
> > >
> > > > SBS2K is intended for those folks who can't afford to
> > > > dedicate a server per function (that's why it's called "Small
> > > > Business Server").
> > > >
> > >
> > > This is why I ask the question. We see more SBS than anything. It's
the
> > > "volume" product. It's exactly this type of install that will end up
> > > being the more common, and perhaps the least likely to be correctly
> > > secured, and then the most vulnerable, all on one machine. As I said,
> > > our client's that understand enough, want to create a sacrificial ISA
> > > machine that can be blown away with a simple Ghost image reload if
> > > problems are suspected (and then re-secured).
> > >
> > > See above...
> > >
> > > > There are always tradeoffs between security and functionality, and
> > > > this is one place where "bang for the buck" was highest on the
> > > > list.
> > > >
> > >
> > > Part of my point, perhaps not explained, was that the trade-off is
> > > artifical. Microsoft created an excellent security product, but won't
> > > allow it to be separately installed for that extra piece of security
if
> > > the client desires.
> > >
> > > * Disagree as explained above; the business requirements often
override
> > > functionality provided. MS is relatively new to the "real" enterprise
> > world
> > > compared to many Os and app developers and is learning as they move.
> > >
> > > Is there extra security to be had from a separate ISA machine truely
and
> > > physically between application servers?
> > >
> > > * Yes, but again, what are the majority of folks willing to trade for
> it?
> > >
> > > As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to
> > > publish themselves via Packet Filters on the external NIC. From an
> > > external point-of-view, the services are there without ISA. Is ISA
then
> > > involved in any filtering or intrusion detection?
> > >
> > > * Yes; ISA is always involved. Granted; packet filtering is the
weakest
> > > form of server publishing, but then again, not all services on the ISA
> > > require that method. That's a generalization that fits most
scenarios.
> > > Trial and error in a test environment is called for before deploying
the
> > > production server.
> > >
> > > Regards,
> > >
> > > Connor Moran
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to
$subst('Email.Unsub')
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
$subst('Email.Unsub')
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
