IPsec infrastructure planning
Hello,

My current place of employment will soon be migrating from an eDirectory/Novell environment to an ADDS/Microsoft environment. The environment is diverse, and will have XP, Win 7 and OS X clients accessing 2008 R2 file services, from both on-site and remote locations. It is also likely that workstations/laptops that are NOT domain members will access file services from remote locations (possibly via SMB or WebDAV). Network topology is generally flat and open. No NAT, firewall or VPN options to be had.

As this will be a totally new, from-the-ground-up build/migration, we are considering running in an IPsec domain isolation mode, in which everything that touches the MS Windows servers will require IPsec for authentication and encryption. In a diverse and largely uncontrolled end user environment, how realistic is operating in domain isolation? I want to make sure that we are not biting off more than we can chew, but also want to provide a usable, secure environment.

Thanks,
Dasani
September 7th, 2011 2:01pm

SDI is a great way to create role-based logical segmentation in the network where you can make most of the firewall decisions identity aware. There are some challenges implementing SDI, so my recommendation is to begin with services where you need a higher level of control and security, in combination with broader but less sensitive areas like protecting all clients from unauthorized remote access.

Please consider the following white papers and guides when planning and designing your SDI:

- Windows Firewall with Advanced Security Design and Deployment Guide: http://www.microsoft.com/download/en/details.aspx?id=17077
- Test Lab Guide - Deploy Windows Firewall with Advanced Security to Protect Network Communication to a Domain Controller: http://www.microsoft.com/download/en/details.aspx?id=20453

/Hasain
September 8th, 2011 1:51am

Thanks for your response Hasain - I'd not seen the Lab Guide, which was helpful.

How realistic is it to limit the range of TCP ports used by RPC when operating in an enterprise environment? I'm quite certain we would not limit it to 10 as the Lab Guide describes, but I'm just wondering in general, if you have 2000+ workstations in your environment, what have others limited RPC to?

Thanks,
Dasani
September 9th, 2011 3:26pm
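As an added illustration that is not from the thread or from the Microsoft guides linked above, the following cmd/netsh script shows what the SDI approach Hasain recommends and the RPC port narrowing Dasani asks about look like on a Windows 7 / 2008 R2 host (in production these settings would normally be pushed by Group Policy rather than run by hand). The rule names, the CA name and the port count are assumptions.

```batch
@echo off
rem Added example (not the thread's own configuration): IPsec domain isolation
rem for a 2008 R2 file server via the netsh advfirewall context the WFAS
rem guides describe. Rule names, the CA name and the port count are assumed.

rem 1. Connection security rule: require authentication for inbound traffic and
rem    request it for outbound, using computer Kerberos. Only domain members
rem    can satisfy this, which is the core of "domain isolation".
netsh advfirewall consec add rule name=DomainIsolation-Kerberos endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

rem    Non-domain laptops and Macs from the original question cannot use
rem    computerkerb; they need a machine certificate from an enterprise CA
rem    (auth1=computercert) or an explicit exemption. CA name is a placeholder.
netsh advfirewall consec add rule name=DomainIsolation-Certificate endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca=CN=EXAMPLE-ISSUING-CA profile=domain

rem 2. Firewall rule on the file server: accept SMB only over IPsec that both
rem    authenticates and encrypts (security=authenc). Deploy step 1 first;
rem    without a matching consec rule this silently blocks all SMB.
netsh advfirewall firewall add rule name=SMB-in-IPsec-required dir=in action=allow protocol=tcp localport=445 security=authenc

rem 3. RPC dynamic port range on hosts that expose RPC (DCs, file servers).
rem    Vista+ default is 49152-65535 (16384 ports). num=4000 is an assumed
rem    value for illustration, not a recommendation from the thread.
netsh int ipv4 set dynamicport tcp start=49152 num=4000
netsh int ipv4 show dynamicport tcp

rem 4. Verification: list the rules, then watch main-mode and quick-mode SAs
rem    appear as clients connect. A client that never shows an SA has failed
rem    IPsec authentication and will be unable to reach port 445.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The `requireinrequestout` action lets the server keep talking outbound to hosts that do not support IPsec (DNS, printers, legacy devices) while refusing unauthenticated inbound connections, which is the usual first stage before moving sensitive servers to `requireinrequireout`.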
