Welcome to ISAserver.org
What to do?
What to do? - 9.Jul.2007 11:05:38 AM
mnl
Posts: 2
Joined: 9.Jul.2007
Status: offline
Hi. I have an ASA 5510 which protects our Exchange 2003 server, and people can log on to the internal network via VPN. Now we want a web server, and we are also upgrading to Exchange 2007 and making the network more secure. The plan is still to use VPN for employees, but to make a DMZ zone where the web server and Exchange Edge Transport server live. Inside our protected internal network lives an Exchange CAS, so users with no VPN access can access mail via OWA. How/where should we use ISA 2006 to protect this system, so that users using OWA go through the ISA? Should it be in the ASA DMZ zone or should it be a back-to-back DMZ thing? Link to layout idea. Regards Morten.
< Message edited by mnl -- 9.Jul.2007 11:18:34 AM >
RE: What to do? - 18.Jul.2007 4:10:51 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
The ASA adds no security to the ISA Firewall, so there's no reason for a back to back. Best config is a parallel config -- the ASA and the ISA Firewall are both on the edge, with public addresses. Then the OWA users come in via the ISA Firewall and the other traffic goes through the ASA. You might consider using the ISA Firewall for outbound access control, since it does a much better job than the ASA. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: What to do? - 19.Jul.2007 9:45:35 AM
mnl
Posts: 2
Joined: 9.Jul.2007
Status: offline
Hi Tom. Just to be sure. Our web server and Exchange Edge Transport server would still be placed in the ASA's DMZ zone? Regards Morten.
RE: What to do? - 23.Jul.2007 8:57:38 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Morten, Actually, a much more secure configuration would be to put them in an ISA Firewall DMZ -- that way you have preauthentication access control and deep packet and application layer inspection provided by the ISA Firewall, things that the ASA can't do for OWA. HTH, Tom