[isapros] Re: TMG - Separate Forest?

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 11:12:03 -0700

Well, not to stir up the hornet's nest, but it actually *is* a good idea
if you don't have need for cross-forest cert auth or such.  I'm not
really worried about "official docs" posturing on this one, as anyone
who not only *can* go out of their way to set up an isolated forest with
a one-way trust, but who actually DOES it is way ahead of the curve
anyway.  It's not like they are recommending a "workgroup" ;)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Monday, May 12, 2008 9:58 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> Those who want a reason will find one.
> Nothing we can do will change this fact of life.
> How many times have you banged your head on the "hardware firewall"
> stack of bricks?
> 
> I agree that this could have been better phrased, and the docs aren't
> fully baked yet, so there's still time to fix them.
> 
> Jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, May 12, 2008 9:55 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> Companies that hire consultants are a totally different breed. I was
> speaking more toward those that have internal staff that is just
> looking
> for a reason to keep the TMG out.
> 
> thanks,
> 
> Amy Babinchak
> 
> 
> Harbor Computer Services |(248) 850-8616
> 
> Tech Blog http://securesmb.harborcomputerservices.net
> Client Blog http://smalltechnotes.blogspot.com
> Website http://www.harborcomputerservices.net
> 
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Monday, May 12, 2008 12:48 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> True, but that's why you need to choose good customers. They hired you
> to shore up issues with documentation and provide clarification.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Monday, May 12, 2008 11:45 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Yes, but the words are there and that's really all it takes for the
> > uninformed masses. They have something to point to. Again.
> >
> > thanks,
> >
> > Amy Babinchak
> >
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Monday, May 12, 2008 12:02 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > The documentation offers suggestions, and points out limitations. So,
> > those suggestions aren't considered by thoughtful security admins as
> > commandments. If Active Directory security best practices are used, the
> > chance of compromise is minute, and as I've demonstrated numerous times,
> > compromise of the ISA firewall will be the least of your problems :)
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > Sent: Monday, May 12, 2008 10:12 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > As long as the official documentation says otherwise, you're tilting
> > > at windmills. If we know better and MSIT knows better, then why doesn't
> > > the documentation get fixed? DOD won't buy if it says otherwise?
> > >
> > > thanks,
> > >
> > > Amy Babinchak
> > >
> > >
> > > Harbor Computer Services |(248) 850-8616
> > >
> > > Tech Blog http://securesmb.harborcomputerservices.net
> > > Client Blog http://smalltechnotes.blogspot.com
> > > Website http://www.harborcomputerservices.net
> > >
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Monday, May 12, 2008 10:30 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Exactly. The guidance as is applies to people who wear hard hats when
> > > they go outside out of fear that a falling piece from a passing airplane
> > > will hit them on their heads. :)
> > >
> > > MSIT does it right, and I follow MSIT's model in my deployments. Why
> > > lose Kerberos Constrained Delegation and other security features out of
> > > fear of Comet strikes in the Gulf of Mexico? :))
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Monday, May 12, 2008 8:21 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Actually, that "old-school approach" does limit the threat of exposure
> > > > for your internal forest.  It's not about "if ISA gets compromised" as
> > > > much as "if an account is compromised".
> > > > If you have the skill and means to build that and can tolerate the
> > > > limits it imposes (no KCD from the edge), then this is a good
> > > > recommendation.
> > > > What isn't stated is that this can be one part of a layered ISA
> > > > deployment.
> > > > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as the
> > > > user accounts.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > Sent: Monday, May 12, 2008 1:13 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] TMG - Separate Forest?
> > > >
> > > > Just noticed this in the current TMG documentation...disappointed this
> > > > old school approach is still recommended :-(
> > > >
> > > > "At the edge, you can install Forefront TMG as a domain member or in
> > > > workgroup mode. As a domain member, we recommend that you install
> > > > Forefront TMG in a separate forest (rather than in the internal forest
> > > > of your corporate network), with a one-way trust to the corporate
> > > > forest. This may help the internal forest from being compromised, even
> > > > if an attack is mounted on the forest of the Forefront TMG computer.
> > > > There are some limitations with this deployment. For example, you can
> > > > configure client certificate authentication only for users defined in
> > > > the Forefront TMG domain, and not for users in the corporate internal
> > > > domain or forest."
> > > >
> > > > You guys spent much time looking at TMG yet?
> > > >
> > > > JJ
> > > >
> > > >
> > > >
> > > >
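A defender's check for the separate-forest design the thread debates, added here as an example (it is not from the list, from Microsoft's TMG documentation, or from any poster): run in the edge (TMG) forest with the ActiveDirectory module, it assumes the corporate forest root is the placeholder name corp.example and that the intended design is a single one-way trust in which only the edge forest trusts the corporate forest.

```powershell
# Added example: audit forest trusts from the edge (TMG) forest and confirm the
# design discussed in the thread: one one-way trust toward the corporate forest
# and nothing trusting the edge forest back.  Requires the ActiveDirectory module.
# Assumptions (not from the thread): corporate forest root is 'corp.example'
# (placeholder) and the script runs from a domain in the edge forest.
Import-Module ActiveDirectory

$CorpForest = 'corp.example'   # placeholder for the corporate forest root

$findings = @()
$trusts = @(Get-ADTrust -Filter *)

if ($trusts.Count -eq 0) {
    $findings += 'No trusts configured: corporate users cannot authenticate at the edge.'
}

foreach ($t in $trusts) {
    if ($t.Target -ne $CorpForest) {
        $findings += "Unexpected trust to $($t.Target): the edge forest should trust only the corporate forest."
        continue
    }
    # Direction is relative to the forest the command runs in: 'Outbound' means
    # the edge forest trusts corp.example, which is what the one-way design needs.
    # 'Inbound' or 'BiDirectional' would let edge-forest accounts be used inside corp.
    if ($t.Direction -ne 'Outbound') {
        $findings += "Trust to $($t.Target) is $($t.Direction); expected a one-way Outbound trust."
    }
    if (-not $t.SIDFilteringForestAware) {
        $findings += "SID filtering is disabled on the trust to $($t.Target)."
    }
    if (-not $t.SelectiveAuthentication) {
        $findings += "Selective authentication is disabled on the trust to $($t.Target); consider enabling it."
    }
}

if ($findings.Count -eq 0) {
    'OK: single one-way trust from the edge forest to the corporate forest.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A trust that passes these checks carries the trade-off the thread describes: no KCD from the edge, and client certificate authentication only for accounts defined in the edge forest.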