Not very promising :-(

Thanks,
Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: vrijdag 1 februari 2008 16:00
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Using ISA Server to Extend Server and Domain Isolation Interoperability

It's achievable, all right, but you're also right in that it requires deep analysis and planning on a level which most customers aren't willing or able to engage - especially the "pushdabutton" crowd.

There are also hard-blocks to such designs, such as how you manage the boundary (request mode) hosts. In an environment where a significant number of machines cannot play in the IPSec game (think test labs, etc.), you have to provide a means for them to access external resources. In many deployments, this means duplicating a lot of file/web services across boundary machines.

The trade-offs are many and the effort & maintenance is far from simple, but the rewards are humungo.

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, February 01, 2008 6:47 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Using ISA Server to Extend Server and Domain Isolation Interoperability

I remember looking at this document when it first came out and not being greatly impressed.

TBH I am sceptical of the whole server and domain isolation model as from my experience it is actually very hard if not impossible to put the design into practice unless the customer is willing to spend an awful lot of money to invest in the time needed to define all the necessary elements. I've always liked the "security clarity" of this approach, but often fallen at the first hurdle when looking at implementation.
Most companies (outside of MS corp) just don't seem to know enough about their own infrastructure/environment to even begin looking at the SDI model - often, it is hard enough trying to do internal firewalling with ISA Server and that is just for a small subset of applications!!

Has anyone actually implemented an SDI design for a customer? Am I way off base here or is it actually achievable???

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: 30 January 2008 14:19
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Using ISA Server to Extend Server and Domain Isolation Interoperability

Hi,

did anyone study or try out the guide http://www.microsoft.com/downloads/details.aspx?FamilyID=589fcf8e-0511-4c22-a39e-6b841dd3c74f&displaylang=en ?

I'm just starting to read it and it seems not to be very consistent! :-(

If I got it right the External network is the IPsec world (Isolation Domain) and the Internal network is the non-IPsec world. The ISA is a member of the Isolation Domain. I would expect a NAT relationship from the Internal network (non-IPsec world) to the External network (IPsec world). However the procedure given seems to reverse the direction!?!?

Further down the guide there is IMHO more inconsistency when they talk about "Creating a Server Publishing Rule".

Hmm... I'm missing something???

Best Regards,
Stefaan
MVP ISA Server
http://www.isaserver.org/Stefaan_Pouseele/
http://blogs.isaserver.org/pouseele/