Comments on: ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller

by: Office Rental Space

Mon, 13 Oct 2008 17:01:45 +0000

I\’m not a big fan of the concept of dual deployment since I deem it necessary for each DC to have it\’s own firewall ingeniousness to the others in a enterprise unless top-level execs and/or senior techs need another way into systems that have been compromised. I\’m not saying that ISA itself is garbage because it really isn\’t. It\’s just that there\’s little or no room for error when deploying it. Until they work out all the kinks, I don\’t see a problem with setting up the firewall separate from dc configurations.

by: Jim Harrison

Thu, 04 Sep 2008 15:21:59 +0000

for Ian -
- the bad news is that ISA doesn’t install; much less run on WS08.
- the good news is that the traffic profiles defined in that article can be used regardless of whether ISA or TMG are co-located iwth the DC or merely another guest in that deployment.

Given the licensing freedom offered for Hyper-V deployments, I really don’t see the value in a co-located deploment.

by: Thomas Shinder

Thu, 04 Sep 2008 15:04:42 +0000

It does that to me too

Thanks!
Tom

by: Jim Harrison

Thu, 04 Sep 2008 15:01:43 +0000

You’re right; I suspect the Percocet is making things a bit fuzzy.

by: Thomas Shinder

Thu, 04 Sep 2008 11:43:36 +0000

Hey Jim,

I think we agree — you said that the article provides the groundwork for “don’t be stupid” - I essentially say the same thing in a more long winded way:

“Why would Microsoft write such an article? Because the fact is that people have been installing the ISA firewall on branch office domain controllers. While Microsoft can’t come out and say “hey, this is a great idea” any more than parents and teachers can say to kids “hey kids, its a great thing that you run with scissors in your hands”, the fact is that kids will run with scissors in their hands, and admins will install the ISA firewall on a branch office domain controller. So, as responsible adults, we need to round the ends of the kid’s scissors and “round the edges” of the firewall policies on the branch office domain controller that also hosts an ISA firewall.”

Agreed?

Thanks!
Tom

by: Jim Harrison

Thu, 04 Sep 2008 05:37:38 +0000

I’m actually quite surprised at your response to this article, Tom.
You know exactly why we wrote it - to provide the ground work for a “don’t be stupid” support policy. Although you can’t tell from the publishing dates, this article predates the Hyper-V article by some months. Now that there is prescriptive guidance on how to virtualize your edge deployments (another subject where Tom feels very strongly), this one should get short notice.

If not, then this one is article what CSS engineers can point to when customer X asks “show me how to do this without an “allow all” policy.

Jim

by: Ian Banyard

Wed, 03 Sep 2008 09:06:48 +0000

Absolutely agree with Don - while i didnt specifically mention hype-v that was the intention - perhaps the new licensing for EBS already caters for this? One to look up later!

by: Don Adams

Tue, 02 Sep 2008 23:14:45 +0000

Whoops … pasted my comment above into the wrong blog…. It was meant for your EBS post.

In a branch environment (focus of the MS article) it seems to me that virtualizing all the roles is where everything is heading. I see one big-ass physical machine running a hypervisor with ISA/TMG as the gatekeeper virtual appliance and all the other roles running behind it. I can even see the desktops running on the same physical device. Add a small SAN device capable of replicating with home base and backing up the virtual machines and I think we’re done!

Don Adams
USEast Technologies

by: Don Adams

Tue, 02 Sep 2008 23:01:44 +0000

Hi Tom;

EBS could be a good solution to build into a hardware appliance based on Windows 2008 Server Core running Hyper V. The EBS servers would run as two or three separate virtual machines (TMG by itself) on top of Hyper V.

This would violate your “don’t mix zones” philosophy but plays into an “ISA/TMG on every Virtual Host” philosophy.

What do you think?

Don Adams
USEast Technologies

by: Ian Banyard

Tue, 02 Sep 2008 15:57:50 +0000

I’d prefer to see a W2008 based installation with necessary network interfaces to support an instance of ISA, and an instance of the DC role, just cant my head around the co-location of the 2 roles - I can understand the intention, to make life easy for small or remote deployed infrastructure, and if people are doing this then at least there’s something of a best (er maybe Better?!) practise to follow.

(Quick issue with the Captcha not displaying, when you refresh you loose the text in the form, how about positioning the captcha above the form so that your aware of a problem before typing an essay!!!)