> The interesting thing is you're talking about a licensing,
> not a security issue.

I understand what you're saying, but I believe that there are elements of security running a complete suite of Exchange, SQL, IIS5 and ISA on one machine with a dual NIC. Compromise the machine and you have access to the entire application suite without any more effort.

> SBS2K is intended for those folks who can't afford to
> dedicate a server per function (that's why it's called "Small
> Business Server").

This is why I ask the question. We see more SBS than anything. It's the "volume" product. It's exactly this type of install that will end up being the more common, and perhaps the least likely to be correctly secured, and then the most vulnerable, all on one machine. As I said, our clients that understand enough want to create a sacrificial ISA machine that can be blown away with a simple Ghost image reload if problems are suspected (and then re-secured).

> There are always tradeoffs between security and functionality, and
> this is one place where "bang for the buck" was highest on the
> list.

Part of my point, perhaps not explained, was that the trade-off is artificial. Microsoft created an excellent security product, but won't allow it to be separately installed for that extra piece of security if the client desires. Is there extra security to be had from a separate ISA machine truly and physically between application servers? As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to publish themselves via Packet Filters on the external NIC. From an external point-of-view, the services are there without ISA. Is ISA then involved in any filtering or intrusion detection?

Regards,
Connor Moran