In a recent blog post I mentioned that I had softened a bit on my stance regarding the configuration where the ISA Firewall is placed in a forest different from the user forest. In the past I really didn't think about the core advantage of putting the ISA Firewall in a different forest. The key point is that putting the ISA Firewall in a forest separate from the user forest is an application of least privilege. Since least privilege should guide all your network and computer security decisions, and in order to be consistent, I had to change my opinion regarding the value of putting the ISA Firewall in a trusting forest of its own.
However, you do need to be aware of another security issue when the ISA Firewall (and the Forefront TMG firewall) is in a separate forest: you cannot take advantage of user (client) certificate authentication at the ISA Firewall. Given how important user certificate authentication is in creating secure Web Publishing Rules, you need to take this into consideration.
Security decisions have to be made within the entire security context, weighing how each decision affects the overall security posture of the solution. The minuscule amount of security gained by putting the ISA Firewall in a trusting forest is far overshadowed by the significant security gains you get from user certificate authentication.
Given the relative advantages and disadvantages from a security viewpoint, it's clear that making the ISA Firewall a member of the user domain is a far more secure solution.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP — Microsoft Firewalls (ISA)