In out test environment, the internal AD structure is a forest with ROOT domain and several CHILD domains.
I need to set up an ISA architecture on 2 levels: front end (edge) which leads to a dmz where there are web servers and terminal servers; bck end (separating the dmz from the real infrastructure) where there are the domain controllers, the db servers...
Both front end nd back end ISAs need to be configured in NLB (for high availability).
Some questions: 1) Active Directory: 3 possible options - Create a domain for ISA in the actual (a child for ROOT) - Create a domain for ISA as separate and set up a trust - Create a domain for isa as separate and access current domains via LDAP (as far s I understood a new feature in ISA 2006)
Which is the best option, i.e. the most secure and flexible.
2) After the edge ISA there are several subtnets, belonging to different environments, which should not route among themselves, but only on specific conditions (protocols) managed by ISA. All of these needtworks need to talk to the "public" internet.
Which option is best: have several phisical nics on the edge firewall or just one nic with several IPs (note: edge is a VM on ESX 3, so there are no issues on adding more Vnics).
From: United Kingdom
Can see where Tom is heading here...I will also defer my response until you get chance to answer.
As for the NICs, ISA needs a NIC per network definition so you will need seperate NICs for each of thre security zones you are planning on using. This is a nice setup that provides a good "least privilege" approach...