OK security gurus, there are two schools of thought on ISA topology, and I would like to get as much information as possible on behalf of an Enterprise client of mine that I am currently the PM / Consultant for, concerning an ISA / OWA install.
1. Microsoft recommends Front-End Exchange server IN the DMZ hosting OWA and port 80/443 open to the Back-End Exchange server as well as port 3268 for GC/authentication. That seems totally wrong from a port perspective. What about DNS, RPC, SMTP, LDAP and others?
2. Tom Shinder recommends NEVER putting the front end in the DMZ because it is joined to the domain and presents a domain rights issue and valid security risks. However, conventional wisdom says to NEVER put a web server (OWA), no matter how secured, anywhere but in a DMZ, due to the substantial risk of Nimda / Code Red type attacks as well as the myriad other web exploits. Frankly, as a security professional I'm inclined to side with Tom on this issue.
My client topology is as follows:
Windows 2000 Server / Exchange 2000 / IIS 5.0
1. F5 BIG-IP 1000 Load Balancer on the front end.
2. Cisco PIX 515 as the perimeter security w/ DMZ.
3. Front-End OWA currently running on the corporate LAN, but it can be moved to the DMZ if necessary.
4. SurfControl device (can be made redundant by ISA, I know) inside the corporate LAN for filtering content to clients.
Large healthcare facility with HIPAA compliance and all, and I'm just looking for any feedback as to any and all solutions to properly mitigate risk in good faith / due diligence. Thanks for your input, guys. I know I'm asking the best brains out there!
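For reference, here is what option 1 (front-end OWA server in the DMZ) looks like as a PIX 6.x access list that admits only the flows the post names. This is an added example, not from the original poster or from Microsoft's guidance; the interface names, the addresses 10.10.10.10 (front-end OWA in the DMZ), 192.168.1.20 (back-end Exchange) and 192.168.1.30 (global catalog), and the access-list name are all assumed for illustration.

```cisco
! --- Added example (not the original poster's config). Addresses and
! --- names are hypothetical; PIX 6.3 syntax.
! Identity statics so inside hosts are reachable from the DMZ by their real addresses
static (inside,dmz) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
static (inside,dmz) 192.168.1.30 192.168.1.30 netmask 255.255.255.255

! Only the flows listed in option 1: OWA front end -> back end on 80/443,
! and front end -> global catalog on 3268 for GC/authentication
access-list dmz_to_inside permit tcp host 10.10.10.10 host 192.168.1.20 eq 80
access-list dmz_to_inside permit tcp host 10.10.10.10 host 192.168.1.20 eq 443
access-list dmz_to_inside permit tcp host 10.10.10.10 host 192.168.1.30 eq 3268

! Everything else from the DMZ toward the LAN is dropped and logged, so the
! syslog shows exactly which additional ports the front end tries to use
access-list dmz_to_inside deny ip any any log

access-group dmz_to_inside in interface dmz
```

The logged deny line is the practical check: a domain-joined front end will also try DNS (53), Kerberos (88), LDAP (389) and the RPC endpoint mapper (135 plus dynamic high ports) toward domain controllers, and those attempts show up in the deny log. Each one you then open is a hole from the DMZ into the LAN, which is the tension between the two schools of thought in the post.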
If you only require a reverse proxy, use a back-end ISA. That allows you to leverage the layer-7 protection ISA provides to the corporate network, and provides a good degree of psychotherapy to the PIX enthusiasts who believe that packet-filtering firewalls are secure.
RE: Discussion for ISA Server Exchange Kit Topologies a... - 22.Mar.2005 1:47:00 PM
Hello, first let me say how much I appreciate all the guidelines and tutorials about ISA Server and beyond. My question is the following: the ISA 2000 kit for Exchange 2000/2003, is it pretty much the same for ISA 2004? I had a quick look at ISA 2004 and it looks very different compared to ISA 2000.