True, but that's why you need to choose good customers. They hired you to shore up issues with documentation and provide clarification.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, May 12, 2008 11:45 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> Yes, but the words are there and that's really all it takes for the uninformed masses. They have something to point to. Again.
>
> thanks,
>
> Amy Babinchak
>
> Harbor Computer Services | (248) 850-8616
>
> Tech Blog http://securesmb.harborcomputerservices.net
> Client Blog http://smalltechnotes.blogspot.com
> Website http://www.harborcomputerservices.net
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, May 12, 2008 12:02 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> The documentation offers suggestions, and points out limitations. So, those suggestions aren't considered by thoughtful security admins as commandments. If Active Directory security best practices are used, the chance of compromise is minute, and as I've demonstrated numerous times, compromise of the ISA firewall will be the least of your problems :)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Monday, May 12, 2008 10:12 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > As long as the official documentation says otherwise, you're tilting at windmills. If we know better and MSIT knows better, then why doesn't the documentation get fixed? DOD won't buy if it says otherwise?
> >
> > thanks,
> >
> > Amy Babinchak
> >
> > Harbor Computer Services | (248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Monday, May 12, 2008 10:30 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Exactly. The guidance as is applies to people who wear hard hats when they go outside out of fear that a falling piece from a passing airplane will hit them on their heads. :)
> >
> > MSIT does it right, and I follow MSIT's model in my deployments. Why lose Kerberos Constrained Delegation and other security features out of fear of Comet strikes in the Gulf of Mexico? :))
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Monday, May 12, 2008 8:21 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Actually, that "old-school approach" does limit the threat of exposure for your internal forest. It's not about "if ISA gets compromised" as much as "if an account is compromised".
> > > If you have the skill and means to build that and can tolerate the limits it imposes (no KCD from the edge), then this is a good recommendation.
> > > What isn't stated is that this can be one part of a layered ISA deployment.
> > > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as the user accounts.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Monday, May 12, 2008 1:13 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] TMG - Separate Forest?
> > >
> > > Just noticed this in the current TMG documentation... disappointed this old school approach is still recommended :-(
> > >
> > > "At the edge, you can install Forefront TMG as a domain member or in workgroup mode. As a domain member, we recommend that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. This may help the internal forest from being compromised, even if an attack is mounted on the forest of the Forefront TMG computer. There are some limitations with this deployment. For example, you can configure client certificate authentication only for users defined in the Forefront TMG domain, and not for users in the corporate internal domain or forest."
> > >
> > > You guys spent much time looking at TMG yet?
> > >
> > > JJ
> > >
> > > ________________________________
> > > This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed.