I have an ASA 5510 which protects our Exchange 2003 server, and people can log on to the internal network via VPN. Now we want a web server, and we are also upgrading to Exchange 2007 and making the network more secure. The plan is still to use VPN for employees, but to make a DMZ zone where the web server and Exchange Edge Transport server live. Inside our protected internal network lives an Exchange CAS, so users with no VPN access can access mail via OWA. How/where should we use ISA 2006 to protect this system, so that users using OWA go through the ISA? Should it be in the ASA DMZ zone or should it be a back-to-back DMZ thing?
The ASA adds no security to the ISA Firewall, so there's no reason for a back to back.
Best config is a parallel config -- the ASA and the ISA Firewall are both on the edge, with public addresses. Then the OWA users come in via the ISA Firewall and the other traffic goes through the ASA. You might consider using the ISA Firewall for outbound access control, since it does a much better job than the ASA.
Actually, a much more secure configuration would be to put them in an ISA Firewall DMZ -- that way you have preauthentication access control and deep packet and application layer inspection provided by the ISA Firewall, things that the ASA can't do for OWA.