We are working on an upgrade for a legacy firewall environment to ISA 2006. The idea is to have 2x2 ISA Servers in a back-to-back configuration, with a DMZ in-between.
Two important questions remain to go ahead with the design.
For various publishing rules we need AD authentication. What is the most secure option to handle this at the edge firewalls?
Install the edge ISAs in a separate AD forest with a one-way trust to the corporate domain
Install them in a workgroup with an LDAP(S) connection to a corporate AD controller, either on the corporate network or in the DMZ (a read-only AD controller)
Use a RADIUS server in the DMZ, with the edge ISAs in a domain or workgroup
We also need certificate authentication for client VPN. While we can certainly let the clients pass the edge firewalls and handle authentication at the back-end servers, we would also like to know if it can be done at the outer firewalls, both if those are in a separate AD forest and if they are in a workgroup? We found the recent article at http://technet.microsoft.com/en-us/library/cc752953.aspx, but it doesn't clearly state whether it now makes certificate authentication possible when ISA is in another (or no) AD forest.
In general, in a back-to-back ISA firewall configuration, I used the front-end firewall array as a stateful packet inspection only solution. This offloads the heavy lifting from the back-end firewall array, and allows you to have a nice anonymous access DMZ between the firewall arrays.
So, I typically put the front-end array into a workgroup, and join the back-end array to the domain.
Certificate authentication is possible on the front-end array using RADIUS.
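Added example, not from the answer above and not ISA code: with the front-end array in a workgroup, the only authentication channel the edge firewall has is the RADIUS leg to the server in the DMZ, so it is worth seeing what actually crosses that link. The script below builds the first Access-Request of an EAP exchange (the EAP-Response/Identity that precedes the EAP-TLS certificate rounds) the way a RADIUS client such as the edge firewall would, protects it with the RFC 3579 Message-Authenticator, and then acts as the server side: it verifies that attribute, answers with an Access-Accept whose Response Authenticator and Message-Authenticator are computed per RFC 2865/3579, and checks the reply back on the client side. The shared secret, NAS address and user identity are constructed values for the demonstration; the real certificate validation happens in the later Access-Challenge rounds, which are not modelled here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 4, 79, 80


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1): the first EAP message a client sends."""
    body = struct.pack("!B", 1) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, identity, nas_ip, request_auth=None):
    """Client side: Access-Request carrying EAP-Message, sealed with Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)  # 16 random bytes per RFC 2865
    attrs = attr(ATTR_USER_NAME, identity)
    attrs += attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_EAP_MESSAGE, eap_response_identity(1, identity))
    attrs += attr(ATTR_MESSAGE_AUTH, bytes(16))  # placeholder, filled in below
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the placeholder is the last attribute


def verify_message_authenticator(secret, pkt, request_auth=None):
    """Check Message-Authenticator. For responses the HMAC is computed with the
    Request Authenticator in the header (RFC 3579 section 3.2), so pass it in."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    ma_off, i = None, 20
    while i < len(pkt):                      # walk attributes, find type 80
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            return False                     # malformed attribute list
        if t == ATTR_MESSAGE_AUTH and l == 18:
            ma_off = i + 2
        i += l
    if ma_off is None:
        return False                         # EAP packets MUST carry it
    hdr_auth = pkt[4:20] if code == ACCESS_REQUEST else request_auth
    zeroed = pkt[:4] + hdr_auth + pkt[20:ma_off] + bytes(16) + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pkt[ma_off:ma_off + 16], expected)


def build_response(secret, code, request_pkt, attrs=b""):
    """Server side: Access-Accept/Reject bound to the request by both authenticators."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    attrs += attr(ATTR_MESSAGE_AUTH, bytes(16))
    tmp = build_packet(code, ident, request_auth, attrs)
    attrs = attrs[:-16] + hmac.new(secret, tmp, hashlib.md5).digest()
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs


def verify_response(secret, request_pkt, response_pkt):
    """Client side: a reply is only trusted if it is bound to our request and secret."""
    if len(response_pkt) < 20 or response_pkt[1] != request_pkt[1]:
        return False
    request_auth = request_pkt[4:20]
    hdr, resp_auth, attrs = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    return verify_message_authenticator(secret, response_pkt, request_auth)


def simulate_exchange(secret, server_secret):
    """Run the first EAP leg end to end; returns (server_accepted_request, client_accepted_reply)."""
    req = build_access_request(secret, 7, b"vpnuser@corp.example", "192.0.2.10")
    if not verify_message_authenticator(server_secret, req):
        return False, False
    resp = build_response(server_secret, ACCESS_ACCEPT, req)
    return True, verify_response(secret, req, resp)


if __name__ == "__main__":
    print(simulate_exchange(b"dmz-shared-secret", b"dmz-shared-secret"))   # (True, True)
    print(simulate_exchange(b"dmz-shared-secret", b"mismatched-secret"))   # (False, False)
```

The two checks are what make the workgroup design sound: without a strong, unique shared secret per edge firewall, anything that can reach the RADIUS server from the DMZ can forge requests, and without Message-Authenticator the EAP attributes are not integrity-protected at all.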