[isapros] Re: TMG - Separate Forest?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 12:56:46 -0500

Ah, yes no hork mode, but in lots of other places. Not the material, but
the way they phrase things. 

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, May 12, 2008 12:34 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> Where did they borrow from you?
> I didn't see "hork mode" anywhere... :-)
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, May 12, 2008 10:30 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> Hi Jim,
> 
> That's a great point! They really are watching and waiting for input.
> Just look at the TMG Help file. Even though the product is in early
> beta, I'm really impressed with the work they've done on it. I mean,
> REALLY impressed! They've caught up with all the issues that came up in
> ISA versions, and brought those issues to light.
> 
> I also like how they've borrowed much of my phraseology. That's the
> great form of flattery! :))
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, May 12, 2008 11:48 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Everyone knows how to send mail to isadocs@xxxxxxxxxxxxx?
> > They're waiting and watching for just input such as this...
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Monday, May 12, 2008 8:12 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > As long as the official documentation says otherwise, you're tilting at
> > windmills. If we know better and MSIT knows better, then why doesn't the
> > documentation get fixed? DOD won't buy if it says otherwise?
> >
> > thanks,
> >
> > Amy Babinchak
> >
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Monday, May 12, 2008 10:30 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Exactly. The guidance as is applies to people who wear hard hats when
> > they go outside out of fear that a falling piece from a passing airplane
> > will hit them on their heads. :)
> >
> > MSIT does it right, and I follow MSIT's model in my deployments. Why
> > lose Kerberos Constrained Delegation and other security features out of
> > fear of Comet strikes in the Gulf of Mexico? :))
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Monday, May 12, 2008 8:21 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Actually, that "old-school approach" does limit the threat of exposure
> > > for your internal forest. It's not about "if ISA gets compromised" as
> > > much as "if an account is compromised".
> > > If you have the skill and means to build that and can tolerate the
> > > limits it imposes (no KCD from the edge), then this is a good
> > > recommendation.
> > > What isn't stated is that this can be one part of a layered ISA
> > > deployment.
> > > FWIW, MSIT deploys ISA / TNG at the edge in the same forest as the
> > > user accounts.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Monday, May 12, 2008 1:13 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] TMG - Separate Forest?
> > >
> > > Just noticed this in the current TMG documentation...disappointed this
> > > old school approach is still recommended :-(
> > >
> > > "At the edge, you can install Forefront TMG as a domain member or in
> > > workgroup mode. As a domain member, we recommend that you install
> > > Forefront TMG in a separate forest (rather than in the internal forest
> > > of your corporate network), with a one-way trust to the corporate
> > > forest. This may help the internal forest from being compromised, even
> > > if an attack is mounted on the forest of the Forefront TMG computer.
> > > There are some limitations with this deployment. For example, you can
> > > configure client certificate authentication only for users defined in
> > > the Forefront TMG domain, and not for users in the corporate internal
> > > domain or forest."
> > >
> > > You guys spent much time looking at TMG yet?
> > >
> > > JJ
> > >
> > >
> > >
> > >
> > >   ________________________________
> > > This email and any files transmitted with it are confidential and
> > intended solely for the
> > > use of the individual to whom it is addressed. If you have
received
> > this email in error,
> > > or if you believe this email is unsolicited and wish to be removed
> > from any future
> > > mailings, please contact our Support Desk immediately on 01202
> 360360
> > or email
> > > helpdesk@xxxxxxxxxxxxxxxxx
> > >
> > > If this email contains a quotation then unless otherwise stated it
> is
> > valid for 7 days and
> > > offered subject to Silversands Professional Services Terms and
> > Conditions, a copy of
> > > which is available on request. Any pricing information, design
> > information or
> > > information concerning specific Silversands' staff contained in
this
> > email is
> > > considered confidential or of commercial interest and exempt from
> the
> > Freedom of
> > > Information Act 2000.
> > >
> > > Any view or opinions presented are solely those of the author and
do
> > not necessarily
> > > represent those of Silversands
> > >
> > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > Company Registration Number : 2141393.
> > >
> > >
> >
> >
> >
> >
> >
> >
> >
> >
> 
> 
> 
> 
> 



Other related posts: