I have decided to take the plunge and transition over to Exchange E-mail infrastructure from our current Sendmail. I already have an existing Postfix Mail Gateway and multi-tiered Firewall infrastructure to which I want to add ISA Server 2006 as an Exchange Server Front End and an Exchange Back End Server (2003 Enterprise to start, upgrade to 2007) on the trusted LAN. My thought process was to use the ISA Server 2006 in an Exchange Server Front-End role. Since it will be behind two firewalls, I was going to make the ISA Server part of my Windows 2003 R2 native AD domain/forest. ISA Server 2006 will have two NICs; one will interface with the upstream firewall subnet, the other NIC will be on the same subnet as the corporate LAN.
The Exchange Server 2003 Enterprise will reside on the corporate LAN and also be part of the same Windows 2003 R2 AD domain/forest as ISA Server 2006 machine. Access to the Exchange Server would be either locally on the LAN, or remotely using OWA, Outlook Anywhere, etc via ISA Server 2006. Outbound e-mail would go from any client (internal or external), through the Exchange Server and out the Postfix Mail Gateway. No Front-End server besides the ISA Server 2006 is needed, since this will be the only Exchange server in the domain/forest for the time being.
My security concern is the ISA Server 2006 machine being part of the same AD Domain/Forest as the corporate LAN where the Exchange Server, Domain Controllers, clients, member servers, etc. reside. I figure that since there are two firewalls between the outside and the ISA Server, it is well protected. Are there any other security pitfalls or issues I should be concerned with in deploying this configuration?