I currently have a unihomed ISA server in a workgroup in the perimeter network. The ISA server is primarily used to publish Exchange 2007 OWA and ActiveSync, and also TS Gateway. I would like to explore certificate based authentication and also NTLM authentication for Outlook Anywhere, which require the ISA server to be a domain member.
However, I'm having trouble finding resources which outline the best practices to achieve this, and I'm having trouble convincing the firewall guys that this is the way to go.
Are there any Microsoft (i.e. TechNet) guides which explain the best practice configuration for deploying a domain-joined ISA server?
Our current network configuration is this:
Internet <-> External Firewall <-> ISA Server <-> Internal Firewall <-> Internal network
I'm open to dual-homing the ISA server in the DMZ and internal network, or outright moving the ISA server to the internal network, but I really need some documentation to point me on the right path.
Best practice IMHO would be to place ISA in parallel to your existing internal firewall or "bridge it" between a DMZ and the LAN. These may actually be the same thing depending upon whether you class the area between your external and internal firewall as the DMZ, or whether you are referring to a dedicated DMZ interface on one of the existing firewalls.
Here is an MS article that talks about 'DMZ=>LAN bridging mode' for ISA:
ISA provides the best protection by being placed closest to the assets you are protecting. Domain membership further strengthens this security by allowing ISA to use its in-built application filters to best effect (RPC and DNS, which are relevant for AD comms) and also provides strong authentication with things like KCD and cert auth.