Re: ISA 2004 Deployment Scenario



I think you are misinterpreting what you read. What that MS article
ultimately says is that having the CSS on an edge device can lead to
problems with the entire array of ISA Enterprise servers, if the edge device
hosting CSS is compromised - because in that case the CSS can become
unavailable which will create big issues with the rest of the ISA EE servers
that rely on it.

However, this is only a concern with environments running multiple ISA
servers: if you plan to deploy a single instance of ISA 2004 EE, I think you
will agree that if that instance gets compromised having the CSS on a
different server won't mean much to you, security-wise.

And for environments running multiple ISA 2004 EE servers (configured in an
array) it would be bad planning anyway to have just one CSS for the entire
array. Good design practice is to create at least one (or several -
depending on your needs) replica of the primary CSS. If something happens
with the primary CSS all the servers in the array(s) can be quickly
re-pointed to the remaining replica(s).

Bottom line is that you don't have to take any 'extra' steps to protect CSS
if installed on an edge-device: just make sure that your design and
configuration are correct, your rules are as tight as they can be, your
configuration is always up to date, and so on. That's all the protection you
need.

Virgil




<Rohit.Kanchan@xxxxxxxxx> wrote in message
news:1133291635.073426.94890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Thanks, maybe there are performance variables too, but not fully agreed
> with analysis... this is what Microsoft on TechNet
>
> http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
>
> says.....
>
> "......You can also securely install ISA Server on one of the computers
> running ISA Server services in the ISA Server array. However, recognize
> that any computer that serves as a firewall is a target for attacks.
> Therefore, a Configuration Storage server installed on a computer
> running ISA Server services on the edge of a network is a target for
> attacks........"
>
> so again the question arises what measures should we have to take to
> protect the server if we want to deploy the 2k4 on the edge?
>

