Re: ISA server at DMZ to join DC in internal network

From: Thomas W Shinder [MVP] (tshinder_at_hotmail.com)
Date: 12/30/04


Date: Wed, 29 Dec 2004 22:37:10 -0600

Hi Carlos,

And how are those trojans going to get on the ISA firewall? Only if you
allow admins to use the ISA firewall as a workstation. Otherwise, only gross
misconfiguration could lead to this condition.

I always join my back-end ISA firewalls to the domain to take advantage of
the significant security benefits from domain membership (firewall client,
pre-authentication, etc.).

HTH,

-- 
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
"Carlos" <wt_know@hotmail.com> wrote in message
news:uiL7drL7EHA.1204@TK2MSFTNGP10.phx.gbl...
: Hi,
:
: I have an ISA 2004 server in the DMZ. I wish to control the "policy" in ISA
: based on AD users/groupings and many other things. I "have to" join the ISA
: server to an internal domain controller for it to work.
:
: I have several domain controllers in the internal network. I opened the
: firewall to allow the ISA server to join one of the DCs that has "no
: critical" files residing on it.
:
: Is it SILLY to allow a DMZ machine to join the internal network, which
: defeats the purpose of separating the DMZ from the internal network? If I do
: not do so, how could I control the ISA policy based on users, groups, OUs and
: many other things?
:
: Alternatively, I can set up a DC in the DMZ and open the firewall for this
: DMZ's DC to connect to the internal DC. The ISA server will use the DMZ's DC.
: Does this sound safer?
:
: In order for outsiders to penetrate the internal network, they have to
: exploit the ISA server first and run "trojans" on the ISA server, as I only
: open the firewall from the DMZ internal IP to one DC server. The only server
: that is compromised is the DC and not my entire internal network, right?
:
: Does anyone here use ISA 2004 in the DMZ and join it to the internal domain
: for whatever reasons?
:
: Thanks
:
: Carlos.
:

