A big thank-you to Jim for making this paper finally available! Here is a short excerpt…
A Server and Domain Isolation solution based on Microsoft® Windows® IPsec and Microsoft® Active Directory® enables IT administrators to dynamically segment a Windows environment into more secure and isolated logical networks without costly changes to the network infrastructure or applications. This creates an additional layer of policy-driven protection, allowing IT administrators to greatly reduce the risk of network attacks, helping to prevent unauthorized access to trusted networked resources, and reducing operational costs.
By implementing Server and Domain Isolation, IT professionals have a low-cost way to better safeguard sensitive data. This added protection makes it easier to achieve compliance with regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), and the Federal Information Security Management Act (FISMA).
However, when planning, developing, or evolving a Server and Domain Isolation solution, administrators frequently have to consider machines that do not support Internet Protocol security (IPsec) standards. These might include mainframes, non-Windows devices, older versions of Windows, or other hosts where implementing IPsec support is not standard practice. It is important to protect these systems from unauthorized access and network-based attacks while still allowing them to communicate with IPsec-enabled network assets. Often, administrators also want to enable IPsec-protected systems to communicate with trusted non-IPsec assets. Several options exist to mitigate risk in these scenarios while enabling the desired interoperability.
This paper discusses how to use Microsoft Internet Security and Acceleration (ISA) Server running on Microsoft Windows Server 2003 as an IPsec gateway. With this solution, IT administrators can extend a Server and Domain Isolation deployment for greater interoperability while leveraging existing system software and expertise.
For more information, please check out this paper over at http://technet.microsoft.com/en-us/library/dd835480.aspx.