
Best practices for domain-joined ISA server

Best practices for domain-joined ISA server - 14.Nov.2008 6:58:42 AM   


Posts: 1
Joined: 14.Nov.2008
Status: offline

I currently have a unihomed ISA server in a workgroup in the perimeter network.  The ISA server is primarily used to publish Exchange 2007 OWA and ActiveSync, and also TS Gateway.  I would like to explore certificate based authentication and also NTLM authentication for Outlook Anywhere, which require the ISA server to be a domain member.

However, I'm having trouble finding resources which outline the best practices to achieve this, and I'm having trouble convincing the firewall guys that this is the way to go.

Are there any Microsoft (i.e. TechNet) guides which explain the best practice configuration for deploying a domain-joined ISA server?

Our current network configuration is this:

Internet <-> External Firewall <-> ISA Server <-> Internal Firewall <-> Internal network

I'm open to dual-homing the ISA server in the DMZ and internal network, or outright moving the ISA server to the internal network, but I really need some documentation to point me on the right path.

Thanks in advance,

Post #: 1
RE: Best practices for domain-joined ISA server - 14.Nov.2008 10:03:22 AM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Ben,

Best practice IMHO would be to place ISA in parallel to your existing internal firewall or "bridge it" between a DMZ and the LAN. These may actually be the same thing depending upon whether you class the area between your external and internal firewall as the DMZ, or whether you are referring to a dedicated DMZ interface on one of the existing firewalls.

Here is an MS article that talks about 'DMZ=>LAN bridging mode' for ISA:


ISA provides the best protection by being placed closest to the assets you are protecting - domain membership further strengthens this security by allowing ISA to use its in-built application filters to best effect (RPC, DNS which are relevant for AD comms) and also provide strong authentication with things like KCD and cert auth.




Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to benlye)
Post #: 2
