Active Directory Implementation


If you plan to centralize configuration of your ISA servers or you want to install an array of ISA servers, you need an Active Directory domain.

ISA servers that have all network interfaces connected to the internal network can safely be configured as members of an internal Active Directory domain. Since these servers are not at risk for Internet intrusion, you can focus security concerns on internal network threats that affect all servers on the internal network.

However, if you plan to keep an array of ISA servers on the edge of the network, you should strongly consider creating a domain dedicated to the ISA array itself. For security reasons, you do not want to expose your internal network's Active Directory and user accounts database to the Internet. To prevent such exposure, you can create a dedicated ISA Server domain to interface with the Internet.

This dedicated ISA Server domain should be in a different forest from your internal Active Directory domain. The ISA Server domain can then be configured to trust the internal Active Directory domain but without a reciprocal trust. This is because you do not want your internal network to trust the accounts on the ISA Server domain. This setup helps minimize potential damage should an administrative account in the external domain become compromised.

This type of domain configuration is the ideal, but it might not fit the needs of organizations that have more than one domain as part of their internal networks. For example, if you have a root domain of isacorp.net and subdomains of west.isacorp.net and east.isacorp.net, and you then configure an external trust (also known as an explicit trust) from the ISA Server domain to the isacorp.net domain, you will run into problems with the lack of transitivity. The security accounts in the isacorp.net domain will be respected by the ISA Server domain, but the subdomains' accounts will not be trusted, because external trusts lack transitivity.

To solve this problem, you need to make the ISA domain a part of the same forest as the rest of your domains so that you can take advantage of trust transitivity. The ISA domain administrators do not have any automatic administrative privileges in the internal network domains. Just be sure not to delegate to ISA domain accounts any authority regarding resources in the internal network's domain.
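To make the transitivity argument above concrete, here is a small model of the trust graph as an added example; it is not code from the book and does not touch a real directory. It walks outward from a resource domain along trusts in the trusting-to-trusted direction, following intra-forest trusts transitively but an external trust for one hop only, and reports which domains' accounts that resource domain will accept. The edge-domain name isa-edge.example and the child-domain name isa.isacorp.net are constructed for the example; the model also covers forest trusts (transitive between the two forests, never onward to a third), which the section does not discuss, and it ignores selective authentication and SID filtering.

```python
from collections import deque
from dataclasses import dataclass

# Trust kinds that Active Directory creates automatically inside one forest;
# these are two-way and transitive.
INTRA_FOREST = {"parent-child", "tree-root"}


@dataclass(frozen=True)
class Trust:
    trusting: str  # the domain that accepts accounts from `trusted`
    trusted: str   # the domain whose accounts are accepted
    kind: str      # "parent-child", "tree-root", "forest" or "external"


def two_way(a: str, b: str, kind: str) -> list[Trust]:
    """Emit both directions of a two-way trust (intra-forest trusts always are)."""
    return [Trust(a, b, kind), Trust(b, a, kind)]


def trusted_account_domains(resource_domain: str, trusts: list[Trust]) -> frozenset[str]:
    """Return the domains whose accounts `resource_domain` will authenticate.

    Rules modelled:
      * intra-forest trusts are followed transitively;
      * a forest trust may be crossed once, then only intra-forest trusts
        of the other forest are followed (no chaining to a third forest);
      * an external trust is honoured only directly from the start domain
        and is never expanded further (non-transitive).
    """
    by_trusting: dict[str, list[Trust]] = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)

    reachable: set[str] = set()
    start = (resource_domain, False)          # (domain, crossed_forest_boundary)
    queue, seen = deque([start]), {start}
    while queue:
        domain, crossed = queue.popleft()
        for t in by_trusting.get(domain, []):
            if t.kind in INTRA_FOREST:
                nxt = (t.trusted, crossed)
            elif t.kind == "forest" and not crossed:
                nxt = (t.trusted, True)
            elif t.kind == "external" and domain == resource_domain:
                reachable.add(t.trusted)      # one hop only, do not expand
                continue
            else:
                continue                       # path not permitted by the rules
            reachable.add(t.trusted)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    reachable.discard(resource_domain)
    return frozenset(reachable)


def internal_forest() -> list[Trust]:
    """The book's example forest: isacorp.net with two child domains."""
    return (two_way("isacorp.net", "west.isacorp.net", "parent-child")
            + two_way("isacorp.net", "east.isacorp.net", "parent-child"))


def book_scenario_external_trust() -> dict[str, frozenset[str]]:
    """Separate forest for the ISA domain, one-way external trust toward isacorp.net.

    Constructed name: isa-edge.example stands for the dedicated ISA Server domain.
    """
    trusts = internal_forest() + [Trust("isa-edge.example", "isacorp.net", "external")]
    return {d: trusted_account_domains(d, trusts)
            for d in ("isa-edge.example", "isacorp.net", "west.isacorp.net")}


def book_scenario_same_forest() -> dict[str, frozenset[str]]:
    """ISA domain joined to the internal forest as the assumed child isa.isacorp.net."""
    trusts = internal_forest() + two_way("isacorp.net", "isa.isacorp.net", "parent-child")
    return {d: trusted_account_domains(d, trusts)
            for d in ("isa.isacorp.net", "west.isacorp.net")}


if __name__ == "__main__":
    for label, result in (("external trust", book_scenario_external_trust()),
                          ("same forest", book_scenario_same_forest())):
        print(f"== {label} ==")
        for domain, accepted in result.items():
            print(f"{domain} accepts accounts from: {sorted(accepted) or 'nobody'}")
```

In the external-trust scenario the edge domain accepts isacorp.net accounts only, while west.isacorp.net and east.isacorp.net are excluded, and isacorp.net accepts nothing from the edge domain, which is the one-way property the section asks for. In the same-forest scenario isa.isacorp.net accepts accounts from all three internal domains, but the output also shows that west.isacorp.net now accepts isa.isacorp.net accounts, which is exactly why the text insists that no authority over internal resources be delegated to ISA domain accounts.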




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
