What's the best ISA Server 2004 Configuration
What's the best ISA Server 2004 Configuration - 16.Jun.2005 4:33:00 AM
mbiavati
Posts: 4
Joined: 10.Aug.2004
From: Italy
Status: offline
Hi everyone!
My question is: is it a good idea to install ISA Server 2004 in a separate forest for security purposes and to use AD for authentication and so on with ISA? I suggest this scenario: a dedicated Win2003 STD SP1 server with AD, DNS, DHCP Server and ISA Server 2004. Then I'd like to make a one-way trust with the internal AD domain. That way I can use the DHCP Server on the firewall to give IP addresses to VPN clients (in this way I can control remote users better), and I'm not forced to give my users credentials different from the ones that they use inside the network, or to use RADIUS authentication (or MIIS, which is more expensive...).
What do you think about it? Is it possible to make this configuration? Are there problems with having AD, DNS, DHCP and ISA 2004 on the same machine (in a dedicated domain only for ISA)?
In the Microsoft ISA Security Hardening Guide, they suggest making a separate forest for ISA if you want to use AD with it. But they don't specify whether AD and ISA can coexist well or whether I have to use at least two servers, one for AD, DNS and DHCP and one (a member of the dedicated firewall domain) for ISA.
Thanks to everyone!
Max.
RE: What's the best ISA Server 2004 Configuration - 16.Jun.2005 9:48:00 AM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Max,
I NEVER use that config, but if the MS guide says to do it, they must have a good reason. From my long-term analysis and experience, the best configuration is to make the ISA firewall a domain member. There is little or no security risk if the ISA firewall is configured correctly, and you gain immense security benefits. The only exception to this is if you have a back-to-back ISA firewall configuration. In this case, the FE ISA firewall doesn't need to be a domain member, so there's no reason to make it one.
HTH, Tom