Hi folks, can I please get an opinion on two configuration questions...
Looking at various articles by various people in various places for various versions of ISA & Exchange, the answers seem to vary. Even some of the articles here seem to contradict each other depending on configuration changes, so I thought it best if I seek expert opinions :)
Using Tom's ISA2000 book some years ago, I set up a happily working ISA configuration where the ISA2k server was in its own Workgroup and served my web access needs for many years.
This is a small setup of 3 servers and 20 stations. At the moment, I have a working ISA 2004 configuration whereby I have an internal network and a DMZ.
* The ISA server is not in the domain.
* The sole machine in the DMZ is an IIS server that is a member server in the AD domain.
As outlined above, I've now upgraded to ISA2004. The new ISA server is still in its own Workgroup, in Edge Firewall mode with policy rules that allow the domain member server located in the DMZ to access the AD information (currently only to validate FTP access).
My two questions are:
* Did I misconfigure my ISA2004 server by putting it in its own Workgroup (a configuration decision inherited from the ISA2k config) or is that still the 'correct' choice in small deployments like mine?
* I plan on adding Exchange to the (currently in the DMZ) member server. Should my (single) Exchange server be in the DMZ or in the Internal network?
PS. Originally I considered posting this in the Exchange forum but since it's technically a deployment question, I thought posting it here was the best bet.
I'd been through that article chain, which is great because it is virtually exactly the network structure I am using. That article was in fact one of the things that prompted me to ask my questions - in it, Tom says that he has written the article because he has seen lots of queries about that sort of configuration.
My question is whether that is the best configuration choice for that network layout, or whether the article has been written to help the people that already have that layout and need to make their configurations match the existing installation, rather than redesigning their installation into the best choice.
i.e., is the article an example of best practices for a small network, or is it an example of how to make a sub-optimal configuration work most effectively?