I have been playing around with ISA 2K6 and getting on ok with it. Have been reading the docs/articles on deployment and can't find all the answers, wondering if someone can help:
Main task: Web publishing to external company down private link from domain 1 (I have two separate domains). If I put the ISA in a DMZ, have it as a member of domain one and publish the site, there should be no issue with FQDN etc. since it is the same domain.
1: If I then need to publish web sites from domain 2 (no trust/connection between domain 1 & 2) will I run into issues from the DNS/domain point of view of a domain 1 joined ISA publishing from a domain 2 server.
2: Or do I setup the ISA as its own domain and use trusts for the domains to publish sites, or will this give me additional issues?
PS: Also an oversight when I signed up, can I get my username changed?
ISA needs to be a Domain Member of the Domain containing the users that will be using it.
Two Domains is always a disaster,...two Domains without a Trust is just Armageddon.
Domain membership: We intended to create the AD users for external company 1 in our AD and let them hit the front end of the ISA for the web site, so all good.
I see the point with 2 domains, just needed a solid answer as they are dragging their feet with paying for more ISA boxes for other domain if needed.
So back to where I started (this ISA is in a protected DMZ, non internet facing): drop the company 1 connections into the DMZ through the external firewall, publish web sites through ISA, ISA being a domain member. If they want more then we buy another server.
Thanks.
< Message edited by FudNut -- 9.Jun.2010 5:59:06 AM >
ISA should not be in a DMZ. In fact it is impossible to be in a DMZ unless it is a single NIC "worthless" mode ISA. When ISA has two or more NICs then it,..by definition,...becomes an Edge Device,...so it could "touch" a DMZ by being on the "edge" of the DMZ,...but it cannot be "in" the DMZ.
Personally I never use DMZs. DMZs don't protect,..they complicate. The purpose of the DMZ is to lessen the protection of what is in them. To fully protect something you keep it on the LAN.
Very Low protection = Locate resource directly on the Public segment
Mild protection = Locate resource in a DMZ
Fully protect = Locate resource on the LAN
ISA should not be in a DMZ. In fact it is impossible to be in a DMZ unless it is a single NIC "worthless" mode ISA. When ISA has two or more NICs then it,..by definition,...becomes an Edge Device,...so it could "touch" a DMZ by being on the "edge" of the DMZ,...but it cannot be "in" the DMZ.
OK, I will clarify: DMZ in this case is the separate LAN segment the external int of the ISA will be on, not a true DMZ just how I referred to it because my external client will drop into this segment not my internal LAN. In other words I don’t want direct connection from company A to my internal LAN. So your wording is correct, touching a DMZ not in :-)
So the setup is possible but not recommended as per pwindell's comments. So I'm sticking with ISA as a domain 1 member server and edge device publishing a site to external AND if domain 2 comes into play there is a solution (using single ISA) but just as equally deploying another separate ISA for domain 2 will give me full functionality and keep things simpler.
One further question if you don't mind. The website to be published is SharePoint, however the test site for initial testing is a simple webpage on an IIS box (SharePoint not ready yet). I do understand there is a little more to the SharePoint AAMs etc. in terms of setup. But can I prove the basic publish and login to a site from external using this setup? Or will it give me a false reading for the actual SharePoint testing?
If this is OK can I just use the SharePoint publishing wizard for the test non SharePoint site? Or do I have to create the entire objects/rules/filters etc manually/separately?
I wouldn't say "not recommended".
It is recommended to make ISA a domain member; if you have multiple forests/domains it can only be a member of one domain. If you have trusts in place between forests/domains then ISA can take advantage of the trust relationship when performing authentication.
If you do not have trusts in place then the LDAP option is the only way to achieve authentication to the "other" non-local forest/domain. Creating a new forest for ISA and then setting up trusts to each of the existing forests is a possible model, but not generally recommended in reality.
Yes, deploying ISA in each forest is also a valid option, if more costly.
In terms of authentication and delegation, yes, it should provide a good indication of your publishing rules. Using the SharePoint wizard should be fine even for a generic IIS website. You will need to configure IIS to use Windows Auth to properly simulate NTLM delegation though.
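The last point above, that the test IIS site must require Windows authentication before an ISA publishing test says anything useful about delegation, is the kind of thing that is easy to overlook on a throwaway test box. The following is an added example, not code from the thread or from ISA itself: it switches a site to Windows Authentication with Anonymous disabled and reads the settings back. It assumes IIS 7 or later with the WebAdministration PowerShell module (Windows Server 2008 and up); a Server 2003 / IIS 6 box of the ISA 2006 era has no such module and is configured through the IIS MMC or adsutil.vbs instead. The site name is a placeholder.

```powershell
# Added example: make an IIS test site require Windows auth (NTLM/Kerberos)
# so that an ISA publishing rule with NTLM delegation has a real login to delegate.
# Assumes IIS 7+ and the WebAdministration module; not applicable to IIS 6.
Import-Module WebAdministration

$site = 'Default Web Site'   # placeholder: substitute the test site's name

$winAuth  = '/system.webServer/security/authentication/windowsAuthentication'
$anonAuth = '/system.webServer/security/authentication/anonymousAuthentication'

# These sections are locked at server level by default, so write them as a
# <location> override at the server scope (-PSPath 'IIS:\' with -Location).
Set-WebConfigurationProperty -Filter $winAuth  -Name enabled -Value $true `
    -PSPath 'IIS:\' -Location $site

# With Anonymous left on, IIS never challenges and the "successful" test
# proves nothing about authentication or delegation through ISA.
Set-WebConfigurationProperty -Filter $anonAuth -Name enabled -Value $false `
    -PSPath 'IIS:\' -Location $site

# Read the effective values back to confirm the change took effect.
$winEnabled  = (Get-WebConfigurationProperty -Filter $winAuth  -Name enabled `
    -PSPath 'IIS:\' -Location $site).Value
$anonEnabled = (Get-WebConfigurationProperty -Filter $anonAuth -Name enabled `
    -PSPath 'IIS:\' -Location $site).Value

"$site -> Windows auth: $winEnabled, Anonymous auth: $anonEnabled"
```

Run it in an elevated PowerShell session on the IIS box. After this, a browser hitting the site directly should get a 401 challenge rather than the page, and only then is a login through the ISA listener a meaningful check of the publishing rule's delegation.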