ISA Server: Domain Member or Workgroup Member?

This question comes up most often when Microsoft ISA Server is about to be deployed in your organization: should ISA be a domain member or a workgroup member?

Well... there is no single answer to this question, as ISA can be a domain member and can also work fine in a workgroup scenario. I really would like to laugh at people who tell me that putting ISA Server in a workgroup is more secure. It's not important to know where to put it; it's important to know why you put it there.

In my opinion, the ISA server should be part of the domain because that provides more flexibility in implementing many features that a workgroup scenario does not support.

If you have ISA Server 2006 in a workgroup and want to use smart card functionality, you may not be able to, because the smart card implementation does not work with RADIUS and LDAP (AD) authentication.

Some people think that if a domain-joined computer is compromised, there is a greater chance that the complete network is exposed. I would say that if your workgroup ISA server is compromised, then even though it is in a workgroup it is still connected to the internal network, and anyone can modify the access rules to gain access. That said, it is not an easy task to gain access to an ISA server, since it hardens the OS as well when installed on Windows 2003.

Also, we recommend that you run SCW (the Security Configuration Wizard) on the ISA server and choose the ISA Server-specific template. It ensures that no unnecessary services are running.

One of my friends said that if someone hacks my ISA machine then, using the certificate, he/she can read the encrypted content within my network. And I was like WOW!!! I replied saying that in a workgroup scenario it is a requirement to have certificates installed on the ISA server; now, if you already have a certificate on it, anyone can use it for anything, including encrypted file reading ;)

If you don't have the ISA server in the domain, you cannot use user certificate authentication. This may be required when you don't want users to enter their username and password, but instead want them to present a passcode and a certificate. In a workgroup you cannot use client authentication certificates.

For more details, read the article by Thomas Shinder at http://www.redline-software.com/eng/support/articles/isaserver/security/debunking-myth-that-isa-firewall-should-not-domain-member.php