MikeS@MLS
2010-01-19 16:12:01 UTC
Hope some smart folks here can help me figure out how to answer a "boss"
question about ISA/TMG array domain membership.
We have a project to build an internally-segmented environment using ISA or
TMG. The idea is that we would build a COMPLETELY NEW environment, with its
own AD forest, and that the new ISA/TMG array would be installed IN that
forest (as would servers behind ISA/TMG in the various protected segments).
We would then use one-way forest trusts to grant access to servers/published
apps within that environment.
Here's the problem - another issue in our current production environment has
pushed up the deployment of the new segmented environment, and I now have to
deploy a basic version of the new infrastructure that can be built out at a
later date into the full-blown environment.
Here's the question: I'm getting pushback from my manager about why we have
to deploy the new AD forest NOW.
He wants to know why we can't just build the ISA array using the existing AD
forest, and then change it to the new forest later. Or, deploy it now as a
standalone array, and add it to the new forest later.
I know that both of those are BAD ideas, when it comes to ISA/TMG, and I can
provide a litany of techno-babble that would not help my cause one bit. Can
anyone give me some good, plain-English "manager-level" reasons why we should
push forward with the new AD forest now? Or, why either alternative is a BAD
idea (in the same, plain-English managerspeak way)?
Thanks,
Mike