Thanks for the clarification Jim... Does the following KB http://support.microsoft.com/kb/942637/ fix the KCD issue, or this just for multiple domains in a single forest? If so, lack of KCD would be enough to put me off as this feature is great :) -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: 12 May 2008 14:21 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: TMG - Separate Forest? Actually, that "old-school approach" does limit the threat of exposure for your internal forest. It's not about "if ISA gets compromised" as much as "if an account is compromised". If you have the skill and means to build that and can tolerate the limits it imposes (no KCD from the edge), then this is a good recommendation. What isn't stated is that this can be one part of a layered ISA deployment. FWIW, MSIT deploys ISA / TNG at the edge in the same forest as the user accounts. Jim -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Monday, May 12, 2008 1:13 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] TMG - Separate Forest? Just noticed this in the current TMG documentation...disappointed this old school approach is still recommended :-( "At the edge, you can install Forefront TMG as a domain member or in workgroup mode. As a domain member, we recommend that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. This may help the internal forest from being compromised, even if an attack is mounted on the forest of the Forefront TMG computer. There are some limitations with this deployment. For example, you can configure client certificate authentication only for users defined in the Forefront TMG domain, and not for users in the corporate internal domain or forest." You guys spent much time looking at TMG yet? JJ ________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393. This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393.