ISA server at DMZ to join DC in internal network

From: Carlos (wt_know_at_hotmail.com)
Date: 12/28/04


Date: Tue, 28 Dec 2004 16:53:59 +0800

Hi,

I have an ISA 2004 server in the DMZ. I wish to control the "policy" in ISA based
on AD users/groupings and many other things. I "have to" join the ISA server
to the internal domain controller for it to work.

I have several domain controllers in the internal network. I opened the
firewall to allow the ISA server to join one of the DCs that has "no
critical" files residing in it.

Is it SILLY to allow a DMZ machine to join the internal network, which defeats the
purpose of separating the DMZ from the internal network? If I do not do so, how
could I control the ISA policy based on users, groups, OU and many other
things?

Alternatively, I can set up a DC in the DMZ. Open the firewall for this DMZ's
DC to connect to the internal DC. The ISA server will use the DMZ's DC. Does
this sound safer?

In order for an outsider to penetrate the internal network, he has to
exploit the ISA server first and run "trojans" on the ISA server, as I only
open the firewall for the DMZ internal IP to one of the DC servers only. The only
server that is compromised is the DC and not my entire internal network, right?

Does anyone here use ISA 2004 in a DMZ and join it to the internal domain for whatever
reasons?

Thanks

Carlos.


