Cat's sleeping with dogs? Fish riding bicycles? Cows with wings? ISA firewall on a DC? Tell me it's not true! For years we've been waving the flag that the ISA firewall should never, ever, never ever, never ever never never ever be installed on a domain controller. This is a key tenet on why the SBS 2003 platform could never be considered secure, since the DC was an Internet facing device and had a horked ISA firewall configuration required to support domain traffic to the firewall.
So, what's up with this new article on the ISA firewall community site? What article? ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller at http://technet.microsoft.com/en-us/library/cc891503.aspx
Why would Microsoft write such an article? Because the fact is that people have been installing the ISA firewall on branch office domain controllers. While Microsoft can't come out and say "hey, this is a great idea" any more than parents and teachers can say to kids "hey kids, its a great thing that you run with scissors in your hands", the fact is that kids will run with scissors in their hands, and admins will install the ISA firewall on a branch office domain controller. So, as responsible adults, we need to round the ends of the kid's scissors and "round the edges" of the firewall policies on the branch office domain controller that also hosts an ISA firewall.
Let me know what you think of this development? Do you think this guidance gives hapless admins the imprimatur to install ISA firewall's on DCs? Will this hurt the overall reputation of the ISA firewall as a enterprise grade network firewall? Or, does it matter, since the ISA brand is soon to go on life support at the TMG firewall bellys up to the bar to take the torch from the ISA firewall?
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)