• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

What to do?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> What to do? Page: [1]
Login
Message << Older Topic   Newer Topic >>
What to do? - 9.Jul.2007 11:05:38 AM   
mnl

 

Posts: 2
Joined: 9.Jul.2007
Status: offline
Hi.

I have a ASA 5510 which protects our Exchange 2003 server and people can logon to the internal network via VPN. Now we want a web server and we are also upgrading to Exchange 2007 and making the network more secure. The plan is still to use VPN for employees, but to make a DMZ zone where the web server and exchange edge transport server lives. Inside our protected internal network lives a exchange CAS, so users with no VPN access can access mail via OWA. How/where should we use ISA 2006 to protect this system, so that users using OWA goes through the ISA? Should it be in the ASA DMZ zone or should it be a back-to-back DMZ thing?

Link to layout idea.

Regards Morten.

< Message edited by mnl -- 9.Jul.2007 11:18:34 AM >
Post #: 1
RE: What to do? - 18.Jul.2007 4:10:51 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ASA adds no security to the ISA Firewall, so there's no reason for a back to back.

Best config is a parallel config -- the ASA and the ISA Firewall are both on the edge, with public addresses. Then the OWA users come in via the ISA Firewall and the other traffic goes through the ASA. You might consider using the ISA Firewall for outbound access control, since it does a much better job than the ASA.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mnl)
Post #: 2
RE: What to do? - 19.Jul.2007 9:45:35 AM   
mnl

 

Posts: 2
Joined: 9.Jul.2007
Status: offline
Hi Tom.

Just to be sure. Our web server and Exchange Edge Transport server would still be placed in the ASA's DMZ zone?

Regards Morten.

(in reply to tshinder)
Post #: 3
RE: What to do? - 23.Jul.2007 8:57:38 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Morten,

Actually, a much more secure configuration would be to put them in an ISA Firewall DMZ -- that way you have preauthentication access control and deep packet and application layer inspection provided by the ISA Firewall, thing that the ASA can't do for OWA.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mnl)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> Installation and Planning >> What to do? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts