Comments on: Putting the ISA and TMG Firewall in a Trusting Domain http://blogs.isaserver.org/shinder/2008/05/12/putting-the-isa-and-tmg-firewall-in-a-trusting-domain/ Written by Dr Thomas W Shinder, consultant to Microsoft, HP and many Fortune 500 companies on ISA firewall and Web proxy deployments this blog is where administrators get information about ISA Server Universal Threat Management firewalls. Topics include how to manage, deploy, and troubleshoot ISA Server as a network firewall, Web proxy/Web cache, remote access VPN server and VPN gateway to provide a high level of network security for all corporate computers. Sat, 30 Aug 2008 01:07:49 +0000 http://wordpress.org/?v=MU by: tshinder http://blogs.isaserver.org/shinder/2008/05/12/putting-the-isa-and-tmg-firewall-in-a-trusting-domain/#comment-182483 Wed, 14 May 2008 15:57:33 +0000 http://blogs.isaserver.org/shinder/2008/05/12/putting-the-isa-and-tmg-firewall-in-a-trusting-domain/#comment-182483 Hi Jason, Exactly. That's the "take home" message. There are no "right answers" there a good, better and best, and that depends on the customer's resources and requirements. Thanks! Tom Hi Jason,

Exactly. That’s the “take home” message. There are no “right answers” there a good, better and best, and that depends on the customer’s resources and requirements.

Thanks!
Tom

]]> by: Jason Jones http://blogs.isaserver.org/shinder/2008/05/12/putting-the-isa-and-tmg-firewall-in-a-trusting-domain/#comment-182459 Wed, 14 May 2008 14:43:30 +0000 http://blogs.isaserver.org/shinder/2008/05/12/putting-the-isa-and-tmg-firewall-in-a-trusting-domain/#comment-182459 Hi Tom, Always happy to provide consultancy if customers need it, good rates offered :-) One of the key things Jim mentioned was that the separate forest model is not designed to protect in the event that ISA is compromised, but more in the event that an administrative user account is compromised. If this is a big worry then a separate forest makes sense (like does using a separate forest to store external non-employee user accounts) however people often think that the extra forest needs to be created because ISA can't be trusted, which as you know given all possible weaknesses in a security design, ISA is likely to be one of the the stronger links in the chain...not the weakest... As ever there is no "right answer" just lots of possible options that need to be considered and matched to the exact requirements. Cheers JJ Hi Tom,

Always happy to provide consultancy if customers need it, good rates offered :-)

One of the key things Jim mentioned was that the separate forest model is not designed to protect in the event that ISA is compromised, but more in the event that an administrative user account is compromised. If this is a big worry then a separate forest makes sense (like does using a separate forest to store external non-employee user accounts) however people often think that the extra forest needs to be created because ISA can’t be trusted, which as you know given all possible weaknesses in a security design, ISA is likely to be one of the the stronger links in the chain…not the weakest…

As ever there is no “right answer” just lots of possible options that need to be considered and matched to the exact requirements.

Cheers

JJ

]]>