Re: Forest/Domain in the "DMZ" to accomodate web, front-end servers
From: Keith I (kirby)
Date: 09/20/05
- Next message: MCSEGURU: "Re: accounts in two groups - Administrators and Power Users - who wins"
- Previous message: MCSEGURU: "Re: FTP Server HELP!!!"
- In reply to: Marlon Brown: "Forest/Domain in the "DMZ" to accomodate web, front-end servers"
- Next in thread: MCSEGURU: "Re: Forest/Domain in the "DMZ" to accomodate web, front-end servers"
- Reply: MCSEGURU: "Re: Forest/Domain in the "DMZ" to accomodate web, front-end servers"
- Reply: Marlon Brown: "Re: Forest/Domain in the "DMZ" to accomodate web, front-end servers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 19 Sep 2005 19:04:38 -0500
Marlon,

What is the purpose of the network segmentation? Would the Front-End
Exchange and Share Point Services (SPS) now be exposed directly to the
Internet? If so, you are negating the value of ISA 2004. ISA 2004 has the
hardened External interface; the other server roles do not by default. Do
you trust ISA? If not, dump it and use another device for your network
segmentation control. However, I believe ISA 2004 provides a hardened
service for Exchange and SPS. That is the objective of using ISA.

Second, would that DMZ-Domain be trusted by the corporate domain for
authentication? If you are trusting what should be non-trusted, then you
are again devising a less secure solution than existed prior. The domain is
not the Windows 200x security boundary; the forest is the boundary.
So, you'd have to create a new forest with a minimum of two domain
controllers for redundancy.

The other solution might be the DMZ-Domain trusting the corporate domain for
management. While this makes it easier to manage this domain, and is
recommended by some persons for systems of 25 or greater in DMZ, it seems
like this is not your case.

This IT guru is imposing solutions that are just bad ideas, based on ideas
from 5-10 years ago. Your solution seems right on track. I like Microsoft's
solution provided at
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/workgroup_ee.mspx
the best.