Welcome to ISAserver.org
Topology Question
Topology Question - 12.Oct.2007 2:58:08 PM
zefferno
Posts: 1
Joined: 12.Oct.2007
Hey all! Good to see a specific forum for ISA firewall.

We are currently running a Windows 2003 domain and an Exchange 2003 SP2 cluster (which is not a part of an RPC over HTTPS topology right now), and we want to get started with publishing OWA and OMA using ISA 2006 on the Internet. As the Internet gateway we are using a CP firewall, and we have a direct line to the ISP which provides us the Internet. In addition, our outgoing mail content filter is located at the ISP.

I have drawn a sketch which describes what we plan to do:

Now to the questions:

1. What do you generally think about the sketch? Any additions you might add to make it more secure?

2. The ISA is placed in a DMZ and the CP will forward SSL requests (and also filter them, just in case...) to the ISA, which forwards the data back to the FE server. The ISA in this case is only being used for the purpose of Exchange web services. Does this configuration limit us when we decide to use other ISA features?

3. In our internal network, what do you think about putting the FE in a VLAN separated from the BE cluster and the internal network? If yes, in the case of a VLAN, who do you think should act as the gateway? The CP, or maybe the switch, which can run an ACL? What do you think of implementing IPSEC between the FE and the BE? Do you prefer it over a VLAN? (We don't want to significantly increase the firewall CPU usage.)

4. If we want to publish the OWA services and make them available only to certain domain users, is there an option to do that on the ISA, or do we need to do this with the AD properties?

5. Since we want the whole procedure of publishing to be seamless, we don't want to slow down the current BE users. So in case we want to use IPSEC between the BE cluster and the FE, do you recommend a separate NIC for this (on the BE)? What does IPSEC generally require from the BE server?

6. About securing the ISA: I will use the guide provided by Microsoft, including some tweaks I will add in order to assure strict security. I haven't found anything about AV on the ISA itself (to prevent malicious code from running on the machine). It has some risk because we need to open update requests. Do you run an AV on your ISA server?

I hope you can help me get through this. I know there is quite a load of questions, but any help will be appreciated!

Best regards,
Zeffy.
< Message edited by zefferno -- 12.Oct.2007 3:22:57 PM >