[isapros] Re: TMG - Separate Forest?

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 10:34:21 -0700

Where did they borrow from you?
I didn't see "hork mode" anywhere... :-)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, May 12, 2008 10:30 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: TMG - Separate Forest?

Hi Jim,

That's a great point! They really are watching and waiting for input.
Just look at the TMG Help file. Even though the product is in early
beta, I'm really impressed with the work they've done on it. I mean,
REALLY impressed! They've caught up with all the issues that came up in
ISA versions, and brought those issues to light.

I also like how they've borrowed much of my phraseology. That's the
great form of flattery! :))

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, May 12, 2008 11:48 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> Everyone knows how to send mail to isadocs@xxxxxxxxxxxxx?
> They're waiting and watching for just input such as this...
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, May 12, 2008 8:12 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> As long as the official documentation says otherwise, you're tilting at
> windmills. If we know better and MSIT knows better, then why doesn't the
> documentation get fixed? DOD won't buy if it says otherwise?
>
> thanks,
>
> Amy Babinchak
>
>
> Harbor Computer Services |(248) 850-8616
>
> Tech Blog http://securesmb.harborcomputerservices.net
> Client Blog http://smalltechnotes.blogspot.com
> Website http://www.harborcomputerservices.net
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, May 12, 2008 10:30 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> Exactly. The guidance as is applies to people who wear hard hats when
> they go outside out of fear that a falling piece from a passing airplane
> will hit them on their heads. :)
>
> MSIT does it right, and I follow MSIT's model in my deployments. Why
> lose Kerberos Constrained Delegation and other security features out of
> fear of Comet strikes in the Gulf of Mexico? :))
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, May 12, 2008 8:21 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Actually, that "old-school approach" does limit the threat of exposure for your internal
> > forest.  It's not about "if ISA gets compromised" as much as "if an account is
> > compromised".
> > If you have the skill and means to build that and can tolerate the limits it imposes (no
> > KCD from the edge), then this is a good recommendation.
> > What isn't stated is that this can be one part of a layered ISA deployment.
> > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as the user accounts.
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Monday, May 12, 2008 1:13 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] TMG - Separate Forest?
> >
> > Just noticed this in the current TMG documentation...disappointed this old school
> > approach is still recommended :-(
> >
> > "At the edge, you can install Forefront TMG as a domain member or in workgroup
> > mode. As a domain member, we recommend that you install Forefront TMG in a
> > separate forest (rather than in the internal forest of your corporate network), with a
> > one-way trust to the corporate forest. This may help the internal forest from being
> > compromised, even if an attack is mounted on the forest of the Forefront TMG
> > computer. There are some limitations with this deployment. For example, you can
> > configure client certificate authentication only for users defined in the Forefront TMG
> > domain, and not for users in the corporate internal domain or forest."
> >
> > You guys spent much time looking at TMG yet?
> >
> > JJ