<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/MU" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Installing the ISA Firewall in a Trusting Domain - Think Again</title>
	<link>http://blogs.isaserver.org/shinder/2008/06/17/installing-the-isa-firewall-in-a-trusting-domain-think-again/</link>
	<description>Written by Dr Thomas W Shinder, consultant to Microsoft, HP and many Fortune 500 companies on ISA firewall and Web proxy deployments this blog is where administrators get information about ISA Server Universal Threat Management firewalls. Topics include how to manage, deploy, and troubleshoot ISA Server as a network firewall, Web proxy/Web cache, remote access VPN server and VPN gateway to provide a high level of network security for all corporate computers.</description>
	<pubDate>Fri, 21 Nov 2008 03:32:57 +0000</pubDate>
	<generator>http://wordpress.org/?v=MU</generator>

	<item>
		<title>by: tshinder</title>
		<link>http://blogs.isaserver.org/shinder/2008/06/17/installing-the-isa-firewall-in-a-trusting-domain-think-again/#comment-189460</link>
		<pubDate>Wed, 18 Jun 2008 14:43:31 +0000</pubDate>
		<guid>http://blogs.isaserver.org/shinder/2008/06/17/installing-the-isa-firewall-in-a-trusting-domain-think-again/#comment-189460</guid>
					<description>Hi Jason,

Excellent points! I completely forgot about the KCD feature.

But like I said and as you reinforced, you have to look at the entire security landscape before making any hard and fast decisions. That's what we get paid the big money for! :D

Thanks!
Tom</description>
		<content:encoded><![CDATA[<p>Hi Jason,</p>
<p>Excellent points! I completely forgot about the KCD feature.</p>
<p>But like I said and as you reinforced, you have to look at the entire security landscape before making any hard and fast decisions. That&#8217;s what we get paid the big money for! <img src='http://blogs.isaserver.org/shinder/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>Thanks!<br />
Tom
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Jason Jones</title>
		<link>http://blogs.isaserver.org/shinder/2008/06/17/installing-the-isa-firewall-in-a-trusting-domain-think-again/#comment-189414</link>
		<pubDate>Wed, 18 Jun 2008 11:46:25 +0000</pubDate>
		<guid>http://blogs.isaserver.org/shinder/2008/06/17/installing-the-isa-firewall-in-a-trusting-domain-think-again/#comment-189414</guid>
					<description>Hi Tom,

You also lose the ability to use Kerberos Constrained Delegation (KCD), which is a key feature of ISA Server when used in an Active Directory environment, even if certificates are not in use.

As you know, KCD currently only works cross-domain and not cross-forest, so by placing ISA in a separate forest, you also lose the ability to use KCD for published servers in the user forest.

You also need to consider the relative complication introduced by this model, as this could actually reduce security if people are not fully aware of the secure deployment options (and appropriate mitigations) when using forest trusts.

Given all of the above, I would tend to agree with your conclusion...

However, I have seen this solution work well when you are using ISA to specifically protect an extranet which is using a separate forest architecture. In this design, making ISA a member of the extranet forest is the correct thing to do as the servers being published are also in the same forest. In this scenario, the lack of internal forest KCD is acceptable as the servers you likely need KCD for are in the extranet forest anyhow, which will work just fine.

Cheers

JJ</description>
		<content:encoded><![CDATA[<p>Hi Tom,</p>
<p>You also lose the ability to use Kerberos Constrained Delegation (KCD), which is a key feature of ISA Server when used in an Active Directory environment, even if certificates are not in use.</p>
<p>As you know, KCD currently only works cross-domain and not cross-forest, so by placing ISA in a separate forest, you also lose the ability to use KCD for published servers in the user forest.</p>
<p>You also need to consider the relative complication introduced by this model, as this could actually reduce security if people are not fully aware of the secure deployment options (and appropriate mitigations) when using forest trusts.</p>
<p>Given all of the above, I would tend to agree with your conclusion&#8230;</p>
<p>However, I have seen this solution work well when you are using ISA to specifically protect an extranet which is using a separate forest architecture. In this design, making ISA a member of the extranet forest is the correct thing to do as the servers being published are also in the same forest. In this scenario, the lack of internal forest KCD is acceptable as the servers you likely need KCD for are in the extranet forest anyhow, which will work just fine.</p>
<p>Cheers</p>
<p>JJ
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
