New Articles on Tales from the Edge


Security Considerations with Forefront Edge Virtual Deployments 


As its title suggests, this article deals with the security issues raised by virtualized edge deployments.  Hopefully, it will also provide an alternative solution for those who are interested in the next subject:


ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller 


This article is targeted at those ISA deployments where ISA and a domain controller are intended to run on the same OS instance.  While this combination is far from a best practice, the undeniable fact is that many customers choose to do it, so we've provided a reference for those customers and the support engineers they inevitably call.


Jim Harrison, Program Manager, Forefront Edge SE

Comments (2)

  1. Anonymous says:

    Nice to virtualize ISA Server for redundancy.

    In the other article you reference the article http://support.microsoft.com/kb/329807/

    Does this apply to the later ISA/TMG products?

  2. To make that article more relevant to ISA 2004/2006 and TMG, the statement would be "Does Not Support Domain Members that Communicate across a NAT Network Relationship".

    For ISA 2000, this means domain communication between clients in the Internal network and domain clients in any other network is not supported, because the only network relationship between the Internal network and any other network is NAT.

    For ISA 2004/2006/TMG, this means domain communication between clients in one network and domain clients in another network is not supported when the explicit or implicit network relationship between those clients is NAT.

    Let's further define the context of the terms explicit and implicit in this scenario:

    – explicit: a network rule applies to the two hosts by virtue of their unique inclusion in the network objects which define the "source" and "destination" for the network rule

    – implicit: a network rule applies to the two hosts by virtue of their membership within the network objects which define the "source" and "destination" for the network rule
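The following is an added example, not code from the original post or from Microsoft: a small model of ISA/TMG network rules that reports whether Active Directory domain traffic between two hosts would cross a NAT relationship (unsupported per the comment above) or a route relationship, and whether that relationship is explicit (both hosts are the sole members of the rule's source and destination objects) or implicit (the hosts match by subnet membership). It assumes that network rules are evaluated top-down with the first matching rule deciding the relationship, that a pair with no matching rule has no usable relationship, and that a relationship defined for a pair of network objects is checked in both directions; the network names, addresses and rules are constructed sample data.

```python
"""Constructed model of ISA/TMG network rules (added example, not the product's API)."""
import ipaddress
from dataclasses import dataclass

ROUTE, NAT = "route", "NAT"


@dataclass
class NetworkObject:
    """A network object: a named set of address ranges (hypothetical sample data)."""
    name: str
    ranges: list  # CIDR strings; a /32 models a single computer object

    def contains(self, host: str) -> bool:
        ip = ipaddress.ip_address(host)
        return any(ip in ipaddress.ip_network(r) for r in self.ranges)

    def is_single_host(self) -> bool:
        return all(ipaddress.ip_network(r).num_addresses == 1 for r in self.ranges)


@dataclass
class NetworkRule:
    """A network rule binding source/destination objects to a route or NAT relationship."""
    name: str
    sources: list
    destinations: list
    relationship: str  # ROUTE or NAT


def match_object(objects, host):
    """Return the first network object containing host, or None."""
    for obj in objects:
        if obj.contains(host):
            return obj
    return None


def find_rule(rules, host_a, host_b):
    """First rule (top-down) whose source and destination objects contain the two
    hosts. Checked in both directions because the relationship is defined once per
    pair of objects (assumption). Returns (rule, src_obj, dst_obj) or None."""
    for rule in rules:
        for src, dst in ((host_a, host_b), (host_b, host_a)):
            s = match_object(rule.sources, src)
            d = match_object(rule.destinations, dst)
            if s and d:
                return rule, s, d
    return None


def relationship_kind(src_obj, dst_obj):
    """'explicit' when both hosts are the unique members of the matched objects,
    otherwise 'implicit' (membership in a broader network object)."""
    return "explicit" if src_obj.is_single_host() and dst_obj.is_single_host() else "implicit"


def domain_traffic_supported(rules, host_a, host_b):
    """Return (supported, reason): domain traffic is supported only over a route
    relationship; a NAT relationship, or no matching rule at all, is unsupported."""
    hit = find_rule(rules, host_a, host_b)
    if hit is None:
        return False, "no network rule defines a relationship between these hosts"
    rule, s, d = hit
    kind = relationship_kind(s, d)
    verdict = "unsupported" if rule.relationship == NAT else "supported"
    return (rule.relationship == ROUTE,
            f"{kind} {rule.relationship} relationship via rule '{rule.name}' "
            f"({s.name} -> {d.name}): {verdict}")


# Constructed sample topology: an Internal LAN, a NATed perimeter and a routed branch VPN.
INTERNAL = NetworkObject("Internal", ["10.0.0.0/8"])
PERIMETER = NetworkObject("Perimeter", ["192.168.10.0/24"])
BRANCH = NetworkObject("Branch VPN", ["172.16.5.0/24"])
HQ_DC = NetworkObject("HQ-DC (computer object)", ["10.0.0.5/32"])
PERIMETER_DC = NetworkObject("Perimeter-DC (computer object)", ["192.168.10.5/32"])

SAMPLE_RULES = [
    NetworkRule("DC to DC replication", [HQ_DC], [PERIMETER_DC], ROUTE),  # explicit route
    NetworkRule("Internal to Branch", [INTERNAL], [BRANCH], ROUTE),       # implicit route
    NetworkRule("Internal to Perimeter", [INTERNAL], [PERIMETER], NAT),   # implicit NAT
]

if __name__ == "__main__":
    for a, b in [("10.0.0.5", "192.168.10.5"), ("10.0.0.20", "192.168.10.5"),
                 ("10.0.0.20", "172.16.5.10"), ("10.0.0.20", "203.0.113.9")]:
        print(a, "<->", b, "=>", domain_traffic_supported(SAMPLE_RULES, a, b)[1])
```

Running the block shows the distinction the comment draws: the two domain controllers communicate over an explicit route rule and are supported, while an ordinary Internal client talking to the same perimeter DC falls through to the implicit NAT rule and is not.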
