Will this design work? - 28.Oct.2004 6:26:00 AM
Ara.A
Posts: 259
Joined: 21.Oct.2004
Status: offline
Hello
I have this scenario here; you can follow the link to see the graphic file made in Visio, so it will be easier to follow: http://www.avvali.com/isa.png
- There is a Linksys in front, and it has a valid IP address taken from the ISP. We want it for several reasons. 1st, it does fast packet filtering, and basically we want to make it this way that anything except SMTP and HTTPS will not be forwarded to ISA. 2nd, it is more secure than having just one ISA machine, and still cheaper than having 2 machines, providing a good design. 3rd, it is a mix of hardware and firewall design. 4th, it has 2 WAN interfaces, providing easy-to-set-up load balancing and fault tolerance. It also gives us the option to connect a machine to it without having to be worried about ISA policies. Just in case, if you want to see it, go here: http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=589
- The goal is to allow incoming mail and webmail access. So what I have done is forward the SMTP and HTTPS packets from the Linksys external NIC (live IP) to ISA external (192.168.0.2).
- Then forward incoming SMTP and HTTP from ISA external (192.168.0.2) to the DMZ NIC (192.168.2.0) so it will reach the Exchange machine.
- There will also be rules allowing internal clients to access the mail server, not directly out.
- What protocols should be involved in the process to keep Exchange as a member server to the internal domain controller synchronized, and vice versa?
- The web site is hosted somewhere else, and only MX records are being forwarded to this location.
May I kindly ask if someone can help me in the right direction to see what rules and policies we should create so the mail process will be working properly?
Do you think this scenario will work? Do I have to change any IP addresses here? Am I missing any server here?
I appreciate your help
[ October 29, 2004, 03:36 AM: Message edited by: Ara ]
RE: Will this design work? - 28.Oct.2004 5:46:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Ara,
This is a good design. You separate the Internet facing servers from the Internal network, which is always good.
You'll need to allow intradomain communications from the DMZ to the Internal network. There's an article on this site on how to do this.
If you have Outlook MAPI clients on the Internal network, do you want them to access the Exchange Server on the DMZ? Ideally, you would have a front-end Exchange Server on the DMZ and the back-end on the Internal network.
HTH, Tom
RE: Will this design work? - 29.Oct.2004 1:52:00 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Ara,
I don't see any problem with the addressing. Each interface on the ISA firewall is on a different network ID, so you're good there.
For Outlook MAPI access, I would use an Exchange RPC Server Publishing Rule so that you can force the Outlook clients to authenticate.
However, for a single server network, you don't lose much in terms of security by putting the Exchange Server on the Internal network. You only really need the DMZ for an SMTP relay -- and the ISA firewall can be your incoming SMTP relay, which removes the requirement for a dedicated relay.
HTH, Tom
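As an added illustration (this is not code from the thread, from ISA Server or from the Linksys product), the Python model below walks a connection through the two hops Ara describes: the Linksys forwarding only SMTP and HTTPS to the ISA external NIC, then ISA publishing the DMZ Exchange server and allowing the member-server-to-DC traffic Tom says is needed. It goes slightly beyond the posts by also checking that internal clients cannot send SMTP directly out and that the DMZ host cannot reach the DC on anything but the domain ports. The thread gives only 192.168.0.2 for ISA external and 192.168.2.0 for the DMZ; the public IP, the internal subnet, the host addresses and the list of intradomain ports are assumptions made for the example.

```python
"""Policy model of the two-hop mail publishing chain from the thread.

Each hop has a DNAT (port-forwarding / server-publishing) table and an
ordered allow list; anything not explicitly allowed is dropped.  Values
marked 'assumed' are not in the thread and exist only for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network

PUBLIC_IP = "203.0.113.10"               # assumed Linksys WAN address
ISA_EXT = "192.168.0.2"                  # ISA external NIC (from the thread)
MAIL = "192.168.2.10"                    # assumed Exchange address in the DMZ
DC = "192.168.1.5"                       # assumed domain controller address
ANY = ip_network("0.0.0.0/0")
LINKSYS_LAN = ip_network("192.168.0.0/24")
DMZ = ip_network("192.168.2.0/24")       # from the thread
INTERNAL = ip_network("192.168.1.0/24")  # assumed internal network


def host(addr: str) -> IPv4Network:
    return ip_network(addr + "/32")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    ports: frozenset      # empty = any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and self.proto in ("any", f.proto)
                and (not self.ports or f.dport in self.ports))


def allow(name, src, dst, proto, *ports):
    return Rule(name, src, dst, proto, frozenset(ports))


# Ports a member server needs to reach its DC.  This is the usual AD set,
# assumed here; dynamic RPC ports above 1024 are not modelled.
INTRADOMAIN = [("dns", "udp", 53), ("dns", "tcp", 53), ("kerberos", "tcp", 88),
               ("kerberos", "udp", 88), ("ldap", "tcp", 389), ("ldap-gc", "tcp", 3268),
               ("smb", "tcp", 445), ("rpc-epm", "tcp", 135), ("ntp", "udp", 123)]

# Hop 1: the Linksys forwards only SMTP and HTTPS to the ISA external NIC.
LINKSYS = ("linksys",
           {(PUBLIC_IP, "tcp", 25): ISA_EXT, (PUBLIC_IP, "tcp", 443): ISA_EXT},
           [allow("fwd-smtp", ANY, host(ISA_EXT), "tcp", 25),
            allow("fwd-https", ANY, host(ISA_EXT), "tcp", 443)])

# Hop 2: ISA publishes the Exchange server in the DMZ and controls
# Internal -> DMZ and DMZ -> Internal traffic.  No Internal -> Internet
# SMTP rule exists, so clients must relay through the mail server.
ISA = ("isa",
       {(ISA_EXT, "tcp", 25): MAIL, (ISA_EXT, "tcp", 443): MAIL},
       [allow("publish-smtp", ANY, host(MAIL), "tcp", 25),
        allow("publish-owa", ANY, host(MAIL), "tcp", 443),
        # Outlook MAPI from the LAN: endpoint mapper plus OWA; the dynamic
        # RPC ports an RPC publishing rule would open are not tracked here.
        allow("clients-to-mail", INTERNAL, host(MAIL), "tcp", 135, 443),
        *[allow(f"intradomain-{n}", host(MAIL), host(DC), p, port)
          for n, p, port in INTRADOMAIN]])


def path(f: Flow):
    """Internet-sourced flows cross the Linksys then ISA; LAN-sourced ones only ISA."""
    private = (LINKSYS_LAN, DMZ, INTERNAL)
    return [ISA] if any(ip_address(f.src) in n for n in private) else [LINKSYS, ISA]


def evaluate(f: Flow):
    """Return ("allow" | "deny", trace) for a flow walked through every hop it crosses."""
    trace = []
    for name, dnat, rules in path(f):
        new_dst = dnat.get((f.dst, f.proto, f.dport))
        if new_dst:                       # port forward / publishing rewrite
            trace.append(f"{name}: dnat {f.dst} -> {new_dst}")
            f = replace(f, dst=new_dst)
        hit = next((r for r in rules if r.matches(f)), None)
        if hit is None:
            trace.append(f"{name}: default deny")
            return "deny", trace
        trace.append(f"{name}: allow ({hit.name})")
    return "allow", trace


if __name__ == "__main__":
    for flow in [Flow("198.51.100.7", PUBLIC_IP, "tcp", 25),
                 Flow("198.51.100.7", PUBLIC_IP, "tcp", 3389),
                 Flow(MAIL, DC, "tcp", 88),
                 Flow(MAIL, DC, "tcp", 3389),
                 Flow("192.168.1.50", "198.51.100.7", "tcp", 25)]:
        verdict, trace = evaluate(flow)
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {verdict}  ({'; '.join(trace)})")
```

The trace shows at which hop, and by which rule, a connection is forwarded or dropped, which is the check worth doing on paper before creating the ISA publishing and access rules: if a test flow dies at the Linksys, the ISA rule for it is irrelevant, and if the DMZ host can reach the DC on a port that is not in the intradomain list, the DMZ is not doing its job.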