Config ISA Server 2006 for Security

 
 
Salvador
Guest
Posts: n/a

 
      08-08-2009
I'm thinking of installing an ISA Server 2006 EE, for redundancy in case of
a fall from a server. I have several questions:

1.- Can I configure the ISA within the AD to authenticate users without a
security risk?
The infrastructure would be: Internet (ISP optical fibre) - LAN: external
IP: 215.25.xx - Internal IP: 192.16.xx

I don't have a DMZ.

Internet - ISA EE - LAN
|
AD (domain Internal)

2.- To have redundancy, they are 2 + 1 ISA Server servers not CSS?

What worries me most is the first part, I recommend it? Thank you

 
 
 
 
 
Jens Baier
Guest
Posts: n/a

 
      08-08-2009
Hi,

> 1 .- I can configure the ISA within the AD to authenticate users without a
> security risk?.


Yes, via AD integrated ISA or RADIUS or LDAP (for publishing rules only)

> The infrastructure would be: Internet (ISP optical fibre) - LAN:
> external IP: 215.25.xx - Internal IP: 192.16.xx


> 2 .- To have redundancy, they are 2 + 1 ISA Server servers not CSS?


2 ISA + 2 CSS for redundancy would be the best!

--
Gruss Jens
www.it-training-grote.de
www.forefront-tmg.de
https://mvp.support.microsoft.com/profile/Marc.Grote
http://blog.it-training-grote.de

 
 
Meinolf Weber [MVP-DS]
Guest
Posts: n/a

 
      08-09-2009
Hello Salvador,

For ISA Server I suggest you also use the following NG/forums:
microsoft.public.isaserver

http://www.microsoft.com/communities...blic.isaserver

or

http://social.technet.microsoft.com/...ntedgesecurity

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I'm thinking of installing an ISA Server 2006 EE, for redundancy in
> case of a fall from a server. I have several questions:
>
> 1 .- I can configure the ISA within the AD to authenticate users
> without a
> security risk?.
> The infrastructure would be: Internet (ISP optical fibre) - LAN:
> external
> IP: 215.25.xx - Internal IP: 192.16.xx
> I dont have DMZ.
>
> Internet - ISA EE - LAN
> |
> AD (domain Internal)
> 2 .- To have redundancy, they are 2 + 1 ISA Server servers not CSS?
>
> What worries me most is the first part, I recommend it?. Thank you
>



 
 
Salvador
Guest
Posts: n/a

 
      08-09-2009
There may be security problems with that configuration?
I have read that it is not recommended to have ISA as web / proxy integrated with the AD,
right?

"Jens Baier" <> wrote in message
news:...
> Hi,
>
>> 1 .- I can configure the ISA within the AD to authenticate users without
>> a security risk?.

>
> yes, via AD integrated ISA or RADIUS or LDAP (for publishing rules only)
>
>> The infrastructure would be: Internet (ISP optical fibre) - LAN:
>> external IP: 215.25.xx - Internal IP: 192.16.xx

>
>> 2 .- To have redundancy, they are 2 + 1 ISA Server servers not CSS?

>
> 2 ISA + 2 CSS for redundancy would be the best!
>
> --
> Gruss Jens
> www.it-training-grote.de
> www.forefront-tmg.de
> https://mvp.support.microsoft.com/profile/Marc.Grote
> http://blog.it-training-grote.de
>


 
 
Phillip Windell
Guest
Posts: n/a

 
      08-10-2009

"Salvador" <> wrote in message
news:...
> there may be security problems with that configuration?.
> I have read do not recommend that ISA as web / proxy integrated with the
> AD, right?.


Not correct.

Debunking the Myth that the ISA Firewall Should Not be a Domain Member
http://www.isaserver.org/tutorials/D...in-Member.html


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Salvador
Guest
Posts: n/a

 
      08-10-2009
Then there can be no security problems, I explained, this will have an ISA
server IP on the internet, if you set up an AD, if I jump the firewall,
enter the network?

"Phillip Windell" <> wrote in message
news:...
>
> "Salvador" <> wrote in message
> news:...
>> there may be security problems with that configuration?.
>> I have read do not recommend that ISA as web / proxy integrated with the
>> AD, right?.

>
> Not correct.
>
> Debunking the Myth that the ISA Firewall Should Not be a Domain Member
> http://www.isaserver.org/tutorials/D...in-Member.html
>
>
> --
> Phillip Windell
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>


 
 
Phillip Windell
Guest
Posts: n/a

 
      08-10-2009


"Salvador" <> wrote in message
news:...
> Then there can be no security problems, "I explained, this will have an
> ISA server IP on the internet, if you set up an ad, if I jump the
> firewall, enter the network?


Well,...hmm,...how do I approach this?

1. If you ever "jumped" the ISA you would be the first in the history of
mankind. ISA in its entire product history has never been busted through.
Admins have left it open in ways that they shouldn't,...but that is their
fault,...not the ISA's.

2. If you got past the ISA you would be on the network no matter if there
was an AD structure or not (a Domain and a Network are two different
things). It could be a 100% Linux network with no "Domain" at all and
you'd still be "on the network". Also ISA as a domain member does not
mean you have access to AD using it any more than being on a workstation
gives you access to AD because the workstation is a domain member,...ISA is
not a Domain Controller (except for SBS deployment,...and facilities with
high security requirements don't use SBS).

3. ISA being a Domain member increases its security,..not decreases it,...
because of all the abilities it gains with AD. How are you going to "jump"
ISA if you are forced to authenticate with it when you don't have such
credentials to authenticate with it? The whole purpose for Active Directory
Domains to even exist is to create a solid robust "security environment".
If creating a Domain means creating risks instead of reducing them,...then
let's just stop creating domains.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 