tshinder
quote:
ORIGINAL: donb

Hi all,

I am totally confused! In article 2 of Tom's series about this subject, he is discussing and showing the BE Exchange Server sitting on a DC and then, about halfway down, he changes to a separate DC from the Exchange Server. I have been fighting with a newly set up network, taking all Linux out of the picture and going with all MS product. I am trying to get a simple setup working properly so my life will not be the 17 hour days that have been going on for the past month +. There are so many articles and even mixed interpretations for the same processes. I realize that Mr. Shinder is a guru and a man with awesome experiences to share, but what I am getting out of all of this is that we set up our networks and add 1 thing here and another there. Away with frustration!

My question: I am preparing to reinstall everything and start from scratch tonight. I have 3 questions that I can't seem to find a common ground that anyone is on.

1) I cannot put a FE Exchange Server out there yet. Lack of OS at this moment is the problem. So, I currently have my BE Exchange behind the ISA2004 Firewall and even a server in front of my ISA 2004 (called Metavize Edgeguard http://www.metavize.com). This server is blocking 89% of spam coming into my servers. My company is actually processing 2 spam per second so this is a very HUGE addition to our firewalling. OWA is what my goal is, but not necessary at this point - until I get my FE set up. Will I have to reconfigure my ISA totally when I am ready to put the FE in place?

2) Is it not a good practice to put my DNS, DHCP, and DC all on the same box? When supporting only 19 workstations but a HUGE amount of email coming in, I haven't seen it necessary to put each service on different servers.

3) I think I have read an article from Tom about loading up the ISA Server Software. If I remember we are to load the OS, no service packs, load ISA 2004 Server, install service pack 1 on ISA, then load SP1 on the OS - for security enhancements. Then attach to the domain? (which I have done on the current load), or is it better to load the OS, attach to Domain, load ISA, ISA SP1, OS SP1?

I have been experiencing some problems with ISA SP2 so I am not sure I am ready to reload that on. I have a program that has to have SSL communications but cannot connect to their servers and suspect the issue with Direct Sites. Is there anyone with some thoughts on this?

Much thanks,
Don Brooksby

Hi Don,

1) I cannot put a FE Exchange Server out there yet. Lack of OS at this moment is the problem. So, I currently have my BE Exchange behind the ISA2004 Firewall and even a server in front of my ISA 2004 (called Metavize Edgeguard http://www.metavize.com). This server is blocking 89% of spam coming into my servers. My company is actually processing 2 spam per second so this is a very HUGE addition to our firewalling. OWA is what my goal is, but not necessary at this point - until I get my FE set up. Will I have to reconfigure my ISA totally when I am ready to put the FE in place?

TOM: Two spams per second isn't very busy. The ISA firewall won't be impacted by that. If you're uncomfortable with the perimeterization plan, you can always put the FE and BE in the same security zone. Sure, it's not a best practice or secure, but it'll end up being more secure than you trying to do something that's over your head right now.

2) Is it not a good practice to put my DNS, DHCP, and DC all on the same box? When supporting only 19 workstations but a HUGE amount of email coming in, I haven't seen it necessary to put each service on different servers.

TOM: No problem with that. With such a small environment, that's a fine solution.

3) I think I have read an article from Tom about loading up the ISA Server Software. If I remember we are to load the OS, no service packs, load ISA 2004 Server, install service pack 1 on ISA, then load SP1 on the OS - for security enhancements. Then attach to the domain? (which I have done on the current load), or is it better to load the OS, attach to Domain, load ISA, ISA SP1, OS SP1?

TOM: The point where you join the domain isn't an issue. I tend to join the machine to the domain during installation, but either way is fine -- the key to success is getting the box joined to the domain so that you can fully leverage the entire array of security technologies that ISA firewall has to offer.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D.