Partager via


ISA Server Domain Member or Workgroup member??

This question is most common when you have Microsoft ISA server to be deployed in your organization. Whether to keep ISA a domain member or in workgroup?

 

Well....there is no specific answer to this question as ISA can be a domain member as well as work fine in workgroup scenarios. I really would like to laugh at people who tells me that putting ISA server in workgroup environment is more secure. It's not important to know where to put, but it's important to know why to put.

 

In my opinion, the ISA server should be a part of domain because it provides more flexibility in implementing many features which worksgroup scenario does not provide.

 

If you have ISA server 2006 in workgroup you want to use smart card functionality, you may not be able to use it because the smart card implementation does not work with RADIUS and LDAP (AD)

 

Some people think that if domain connected computer is compromised then its more chances that complete network is exposed. I would say if your workgroup ISA server is compromised then even it is in workgroup it's still connected to the internal network and anyone can modify the access rules accordingly to gain access. Though, its not a easy task to gain access to ISA server since it hardens the OS as well when installed on Windows 2003.

 

Also, we recommend that you run SCW on the ISA server and choose the specific template for ISA server. It ensures that no un neccesary services are running

 

one of friend said that if some hacks my ISA machine then using the Certificate he/she can read the encrypted content within my network. And i was WOW !!!, i replied saying that on workgroup scenario its a requirement to have certificates installed on ISA server, now if you have certificate on it already then anyone can use it for anything including enrypted file reading ;)

 

If you dont have the ISA server in domain then you cannot use user certification authentication. It may be required when you dont want users to enter their username and password instead you want them to enter passcode and certificate. In workgroup you cannot use client authetication certificates

 

For more details read article at http://www.redline-software.com/eng/support/articles/isaserver/security/debunking-myth-that-isa-firewall-should-not-domain-member.php by Thomas Shinder

Comments

  • Anonymous
    August 13, 2008
    uyv Een plaatje zegt alles, toch ? vwt  Het volledige rapport is hier te vinden. Lees natuurlijk q  de blogposting. j t Thanks for interesting post! efr [url=http://skuper.ru]ламинат и паркет[/url] 8o

  • Anonymous
    October 29, 2008
    i have a problem after installing isa 2006 on win 2003 server the compurts on network cannot join domin 'error domain controller not contacted "even i can ping from this machine to my server plzzzzzzzz reply

  • Anonymous
    April 06, 2011
    This is a great post! I have 2 single NIC ISA 2006 EE  server; each with its own CSS and I recently joined them to my company domain and ran the ChangeStorageServer.vbs script from my second ISA server. The script executed successfully, but my second ISA server doesn't seem to be synced with ISA-A. Also, when adding another ISA-C, which is a member of the domain my install fails while creating ISA Server storage... Do you have any idea why? Thanks