From: United Kingdom
Yes, and you still don't seem to understand the role of the CSS - did you read the documents I linked you to? The CSS has ABSOLUTELY no involvement in user authentication or firewall traffic flow...it merely provides a configuration storage point for the ISA data.
Are you getting confused and assuming you can use the ADAM instance for user credential storage? If so, you can't. The ADAM instance that is installed as part of ISA is a customised version of ADAM specifically for ISA Server. It is not just a generic ADAM instance that can be used for other things.
No offence, but I don't think your proposed design is ideal. Using ISA Server in workgroup mode is not the best security model and has some serious implications, a single CSS being one you have already found. I assume you are also planning on using ISA Server in unihomed (single NIC) mode? Personally, I never understood the idea of placing an application-layer (layer 7) firewall between network-level firewalls (layer 3), as ultimately the layer 3 back firewall often just becomes swiss cheese with open ports in order for the layer 7 firewall to provide full value - you could also question the front firewall, as in most cases all it does is pass encrypted traffic to ISA, not exactly adding a lot of value. Always place the most intelligent firewall closest to your data...in this case, place ISA Server closest to Exchange, not stuck in the DMZ.
If you have to go with this DMZ model, you should be looking at using LDAP(S) authentication from ISA Server to your internal domain controllers. This is a good compromise if you are not willing to place ISA in the domain, and allows for pre-authentication and delegation for Exchange. Another issue you may not be aware of is that if ISA is not a domain member, you cannot use a feature called Kerberos Constrained Delegation (KCD), which provides an awful lot of benefit if you are looking at new applications like Exchange 2007.
You may want to review the following article, as fear of placing ISA Server in the domain is a common misconception:
Personally I would look at making ISA Server a domain member with at least three network interfaces (external, internal and intra-array). You can then either place ISA as a back firewall behind your existing edge firewall, or if this is not possible, place it in bridging mode between your DMZ and the LAN. You can then start with at least two CSS servers to provide fault tolerance. In this model, ISA Server would be a member of the domain and the CSS servers would also be domain members.
I have a customer with approx 35k users where ISA is acting as an internal/external firewall for all Exchange applications and is a very busy array; this includes OWA, Outlook Anywhere, POP3, IMAP, Outlook MAPI. The array consists of 4 members using reasonably standard server hardware (dual CPU, 2GB RAM, RAID1 disks etc).
I would start by using the ISA Server capacity planner here: http://www.microsoft.com/isaserver/capacityplanner.swf
If you scale it properly, I see no reason why the array couldn't also support SPS/OCS. Why don't you start with OWA, baseline the servers, see how they are coping and then start adding additional web publishing for SPS, then OCS. If you need to, you can always scale out the array dynamically by just adding new array members. This can be done pretty quickly and involves little downtime.
< Message edited by Jason Jones -- 20.Mar.2008 6:11:34 AM >
Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/