[isapros] Re: Using ISA Server to Extend Server and Domain Isolation Interoperability

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 2 Feb 2008 07:30:19 -0800

It's not - especially if your customer is looking for a "follow the bouncing 
ball" deployment doc.
The same is true of deploying ISA on a DC; while the firewall policies to 
support basic domain traffic are "technically feasible", the variations on the 
theme are large and complex.  The primary problems come from what people attach 
to the deployment (DCOM-based services such as remote MMC, etc.).

Some of you may recall the "troubleshooting unsupported configurations" new 
verbiage added late last year to address the "ISA on a DC" scenario.  This 
change had one goal - to preserve the sanity of our front-line CSS folks and 
their tech leads.  The number of "why is my domain trashed?" calls they receive 
on a monthly basis is literally ridiculous.  Each and every one of them would 
insert "SBS does it..." somewhere in the conversation as a point of 
justification, clearly not realizing the amount of work involved with making 
this function at all; much less properly (not to mention the "wizarded 
wizards").  The fact that the cost for their OS, apps & ISA individual licenses 
was far larger than SBS and fell outside most apps' support matrices was not an 
arguable point with them, either.

It's true that some folks are clue++ for such deployments and lay them down 
with relative ease, but the vast majority of folks attempting this treat it 
like they're installing Office apps and so we had to "put on the brakes".

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Stefaan Pouseele
Sent: Saturday, February 02, 2008 2:37 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Using ISA Server to Extend Server and Domain Isolation 
Interoperability

Not very promising :-(

Thanks,
Stefaan

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday, 1 February 2008 16:00
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Using ISA Server to Extend Server and Domain
Isolation Interoperability

It's achievable, all right, but you're also right in that it requires deep
analysis and planning on a level which most customers aren't willing or able
to engage - especially the "pushdabutton" crowd.
There are also hard-blocks to such designs, such as how you manage the
boundary (request mode) hosts.  In an environment where a significant number
of machines cannot play in the IPSec game (think test labs, etc.), you have
to provide a means for them to access external resources.  In many
deployments, this means duplicating a lot of file/web services across
boundary machines.
The trade-offs are many and the effort & maintenance is far from simple, but
the rewards are humungo.

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Friday, February 01, 2008 6:47 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Using ISA Server to Extend Server and Domain
Isolation Interoperability

I remember looking at this document when it first came out and not being
greatly impressed.

TBH I am sceptical of the whole server and domain isolation model as from my
experience it is actually very hard if not impossible to put the design into
practice unless the customer is willing to spend an awful lot of money to
invest in the time needed to define all the necessary elements. I've always
liked the "security clarity" of this approach, but often fallen at the first
hurdle when looking at implementation.

Most companies (outside of MS corp) just don't seem to know enough about
their own infrastructure/environment to even begin looking at the SDI model
- often, it is hard enough trying to do internal firewalling with ISA Server
and that is just for a small subset of applications!!

Has anyone actually implemented an SDI design for a customer? Am I way off
base here or is it actually achievable???


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Stefaan Pouseele
Sent: 30 January 2008 14:19
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Using ISA Server to Extend Server and Domain Isolation
Interoperability

Hi,

Did anyone study or try out the guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=589fcf8e-0511-4c22-a39e-6b841dd3c74f&displaylang=en ?

I'm just starting to read it and it seems not to be very consistent! :-(

If I got it right the External network is the IPsec world (Isolation Domain)
and the Internal network is the non-IPsec world. The ISA is member of the
Isolation Domain.
I would expect a NAT relationship from the Internal network (non-IPsec
world) to the External network (IPsec world). However the procedure given
seems to reverse the direction!?!?

Further down the guide there is IMHO more inconsistency when they talk
about "Creating a Server Publishing Rule".

Hmm... I'm missing something???

Best Regards,
Stefaan

MVP ISA Server
http://www.isaserver.org/Stefaan_Pouseele/
http://blogs.isaserver.org/pouseele/