I tried to post a response to this article http://blogs.technet.com/chrisavis/archive/2007/04/27/isa-2006-and-computer-sets.aspx on the Microsoft TechNet blog site but it wouldn’t allow me to post. So, I’ll post my response to Chris Avis’ ISA Firewall article here.
You made a very serious error in this article. The quote:
“Since ISA is designed to be implemented on a workgroup based machine (isolated from the domain for enhanced security), there is no built in method for applying an access policy to built in Windows Groups or OU’s.”
is quite wrong, since a non-domain member is LESS Secure. In fact, the ISA Firewall was really designed to be a domain member so that you can take full advantage of all the security features that the ISA Firewall has to offer.
Please correct this and read the following article so that you don’t spread this superstition much further:
The domain member is not secure myth is used only by ABMers and “hardware” firewall sales guys. ISA pros know that domain members are more secure than non-domain member ISA Firewall and any “hardware” firewall.
Hopefully Chris will be able to correct this error soon, and more importantly, not spread the disinformation regarding the ISA Firewall’s domain membership as being a security risk — instead, all of us should be promoting the ISA Firewall as a domain member when the overall secure posture dictates that this is the more secure configuration.