this post was inspired by two sources. The first one is a question asked at the message boards from www.isaserver.org by a member named jamal007.
The second one is by a post from a friend of mine: Uilson Souza (in portuguese).
A brief from his post. He discuss a case where a client has a scenario of ISA Server installed on the same machine with a DC and a Exchange Server. I guess the client´s budgets was short (or at least let´s assume that).
Consider a scenario where you want to co-locate ISA/TMG with a Domain Controller. In my opinion, it is not a very clever choice, since you will expose one of the most important server on your organization to the internet. However, most folks think because they can, they should do it.
For many years, Microsoft did not support such scenario (ISA/TMG+DC). The logical always prevailed. It was (is) too risk to put these roles on the same server, because it will have to open so many holes to make it work.
Every ISA administrator was aware it was not a supported configuration and highly insecure in many ways. So, it was always best practice (recommended) to not install, not only DC, but any other role on the same machine as ISA Server, THE network firewall. The very reason behind that is quite obvious, you don’t see other roles (or DC) installed on “hardware” firewalls. The attack surface of servers facing the internet (or protecting your whole business network) must not be increased!
Nevertheless, Forefront Edge team published a couple years ago a paper describing the policies to be followed for ISA (TMG was not released at that time) co-location with a DC on a Branch Office. According to them, they did because many System Administrators were co-locating these two roles together in a insecure manner.
After the paper was published I was confused if the supported scenario was just for Brach Offices or any other scenario involving ISA and Domain Controllers (like ISA Server as backend firewall).
Then came Forefront TMG 2010 and made my head spin again. The Technet’s Unsupported configuration article claims:
Forefront TMG installed on a domain controller is not supported
Issue: Installing Forefront TMG or Forefront TMG EMS on a computer configured as an Active Directory domain controller is not supported.
Cause: This installation is blocked by the Forefront TMG installer.
Installing Forefront TMG Management console on a domain controller is supported.
Solution: Virtualization offers an alternative if both Forefront TMG and a domain controller must be on the same computer. For more information, see Forefront TMG support in a virtual environment and Security Considerations with Forefront Edge Virtual Deployments (http://go.microsoft.com/fwlink/?LinkId=178740)
What?? They published a paper about ISA co-location with a DC! Is this does not worth for TMG 2010??
Also, Forefront Edge team released Service Pack 1. One of the improvements was:
Support for installing Forefront TMG SP1 on a read-only domain controller
Forefront TMG can now be installed on a read-only domain controller in order to realize WAN optimization benefits related to local authentication in branch office scenarios.
At this point I didn’t know what was Microsoft’s official statement about installing ISA/TMG on the same machine with a Domain Controller.
So, I decided to check with Yuri Diogenes. He is a friend of mine which works at Microsoft and is part of Forefront Edge Team.
I asked him a couple of a questions:
1- Are ISA/TMG supported by Microsoft when installed with a Domain Controller?
The answer was: Forefront TMG 2010 is supported only when installed with a Read-Only Domain Controller (RODC). BUT, you must have at least Service Pack 1 and Update 1 installed. The most common scenarios for that is for deployment of TMG with RODC in a Branch Office scenario. The other scenarios follow the statement quoted from Technet’s Unsupported configuration above.
2- And what about ISA?
Well, ISA is supported using the policies described at the Technet article: ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller in all scenarios, not only Branch Offices.
A conclusion we can take from this post is ISA/TMG are supported to be installed on the same machine as a Domain Controller, if some policies are correctly followed.
The lesson I hope you, ISA/TMG admins, must take is DO NOT co-locate ISA/TMG with a Domain Controller! Although, you can, it does not mean you should. I will always continue recommending you to not do such a sin.