Application Servers in DMZ vs putting them internal and using ISA in a DMZ

We have a vendor that wants us to put an application server in our DMZ that is a web server for information kept internally in a database. They want the application server in the DMZ to be part of our AD domain, and they want a bunch of ports along with SQL ports open between it and the internal servers.

In my mind, given these requirements, wouldn't it be better to just put the application server on the inside, and use an ISA server in the DMZ to interface with the public side?

I just feel that if a server needs to be part of an AD domain and needs many ports open, there isn't much benefit at that point to having it in a DMZ.

Just looking for opinions.
Bruno PACI (IT Consultant) commented:

Publishing the application server through a reverse proxy like TMG is a better idea, but only if the reverse proxy (TMG, ISA or anything else) makes some security checks...

If your reverse proxy is configured to transmit any incoming request to the internal server, then there is no security provided!

Your reverse proxy should authenticate users, as an example... or filter suspicious HTML requests, or both.

The important thing is that an incoming request never reaches the internal server without being authenticated and checked by your reverse proxy.

Doing it like this, if someone outside tries to attack the application, the reverse proxy may fall but not the application server.

Have a good day.
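The distinction made above between a pass-through reverse proxy and one that authenticates and filters, as an added example that is not part of this thread and not TMG/ISA code: a constructed request type, a placeholder session store standing in for the proxy's real AD authentication, and a small hypothetical filter list are the assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request at the proxy."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

# Placeholder for the proxy's real authentication (TMG/ISA would validate
# the user against AD); constructed sample session token only.
VALID_SESSIONS = {"tok-alice"}

# Hypothetical filter for obviously malformed or hostile request content.
SUSPICIOUS = re.compile(r"(<script|\.\./|\bunion\b.*\bselect\b|\x00)", re.I | re.S)
ALLOWED_METHODS = {"GET", "POST"}
PUBLISHED_PATHS = ("/app/",)   # only the published application path is exposed

def passthrough_proxy(req: Request):
    """Weak setting: every inbound request is forwarded to the internal server
    untouched, so the internal server takes the full brunt of any attack."""
    return ("forward", req)

def checking_proxy(req: Request):
    """Hardened setting: authenticate first, then filter, and only forward
    requests that pass both. Each deny names the check that failed."""
    token = req.headers.get("Cookie", "").removeprefix("session=")
    if token not in VALID_SESSIONS:
        return ("deny", "unauthenticated")
    if req.method not in ALLOWED_METHODS:
        return ("deny", "method not published")
    if not req.path.startswith(PUBLISHED_PATHS):
        return ("deny", "path not published")
    # Decode once so encoded payloads are inspected in their effective form.
    decoded = unquote(req.path) + "\n" + unquote(req.body)
    if SUSPICIOUS.search(decoded):
        return ("deny", "suspicious request content")
    return ("forward", req)

if __name__ == "__main__":
    anon = Request("GET", "/app/report")          # constructed: no session
    print(passthrough_proxy(anon)[0], checking_proxy(anon))  # forward deny
```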
Keith Alabaster (Enterprise Architect) commented:
Yes - absolutely, although ISA is now out of mainstream support and TMG has replaced it.
jpletcher1 (Author) commented:
Thanks for the info guys.