Comments on: ISA Firewall Freedom Day Declared

by: Tom Shinder

Tue, 02 Oct 2007 11:42:40 +0000

Hi Sammi,

No! The trusted domain gambit is not more secure. In fact, it probably is less secure overall becuase of the complexity. Also, the support statement is what is says — you must not install the ISA Firewall on a DC. Yes, the ISA Firewall should be a domain member of your user domain, but the ISA Firewall should not be installed on a DC.

by: sammi

Tue, 02 Oct 2007 04:20:02 +0000

I vaguely remember discussion about ‘installing ISA in a separate domain with a trust’ as being more secure. Would appreciate some help here please. Should this have been ‘installing ISA on a server that is not a domain controller in a separate domain’?

by: pie8ter

Mon, 24 Sep 2007 12:59:18 +0000

Vitalhostage,

I couldn’t agree with you more!

If Microsoft is serious about their firewall product, they would integrate ISA with the operating system itself and offer it as an edition. The operating system should be optimized for the firewall. This means no outlook express, mine sweeper, paint, solitaire and all the unnecessary programs. MS should include IE lite (like Firefox) with very little foot print.

If it wasn’t for people like Dr. Shinder and others in this forum, I serioulsy doubt that this “add-on” MS firewall product would be widely used as it is now.

by: vitalhostage

Tue, 18 Sep 2007 20:38:42 +0000

I think the placement of ISA servers appears to be a slightly nefarious issue because often it is misconstrued as being a service and not necessarily a server within peoples networks, and thus people decide on its placement without giving proper consideration to that fact it is a fundamental firewall product. People seem to be swayed into thinking that ISA just needs to sit on a Windows server somewhere and not on a dedicated server. Hence why unknowing IT admins and managers suggest putting ISA onto servers where they have room to do fit it, rather than try to justify the expense to the board that we need this on a new dedicated piece of hardware. This is why there are responses to the start of this thread stating that they have ISA working on a Domain Controller and its all ok. It’s a bit like dousing yourself in petrol and then deciding to have a cigarette. yes its possible, but it is a good idea? Let me know from the burns unit if it was getting flamed from your boss that put you there or having your favourite brand of tobacco.

by: Alex

Mon, 17 Sep 2007 19:02:51 +0000

Hello.,

I have ISA on a Domain Controler, cause is the only spare computer that i have, the only things that don´t work are the wins server and W32Time Service, have some issues with the internal Network Cards, besides that, i don´t have any problems on it, but soon i will buy another computer to make it the right way…

Alex

by: Tom Shinder

Sat, 15 Sep 2007 14:16:29 +0000

Hi Phil,

Yes, you are missing something.

The ISA Firewall SHOULD be a domain member for security reasons.

However, the ISA Firewall MUST NEVER be installed on a domain controller.

HTH,
Tom

by: Phil

Fri, 14 Sep 2007 17:43:36 +0000

I am confused about something. You wrote an article dated June 20, 2006 that discusses ISA server Domain membership and from what I read you are recommending the Domain.

Am I missing something?

by: Ricky Magalhaes

Wed, 12 Sep 2007 16:26:57 +0000

I agree with Tom, its extremely poor practice, if you only have one server that is poor practice too as you have no resilience for the solution, at very minimum there should be two DC’s having only one in a commercial environment is introducing problems.

Many people may disagree but at the end of the day the fact remains best practise is there to be followed by those that have the budget and that want their systems to work as intended.

Poor practice is another story, no one will thank you for implementing shoddy solution

by: Crc64

Wed, 12 Sep 2007 06:44:46 +0000

If you have only one physical server, then use virtual machines It’s really bad scenario to place ISA on something. It must be standalone, otherwise you will get some headaches when ISA lockdowns.

by: Jeff

Tue, 11 Sep 2007 19:59:37 +0000

What do you do if you only have a single server scenario?