Discussion for ISA Server Exchange Kit Topologies article (Full Version)






tshinder -> Discussion for ISA Server Exchange Kit Topologies article (3.Nov.2003 4:10:00 AM)

This thread is for discussing the ISA Server Exchange Kit topologies article at http://isaserver.org/articles/isaexchangetopologies.html.

Thanks!
Tom

[ November 03, 2003, 11:02 AM: Message edited by: tshinder ]




sniper -> RE: Discussion for ISA Server Exchange Kit Topologies article (3.Nov.2003 4:27:00 AM)

Where's XXX?




tshinder -> RE: Discussion for ISA Server Exchange Kit Topologies article (3.Nov.2003 11:02:00 AM)

Hi Chris,

Ha! I knew I forgot something [Big Grin]

Fixed.

Thanks!
Tom




Dirky -> RE: Discussion for ISA Server Exchange Kit Topologies article (3.Nov.2003 2:36:00 PM)

Hi Tom, nice articles! Nice diagrams too, what did you use for those?

Thanks

Mike




tshinder -> RE: Discussion for ISA Server Exchange Kit Topologies article (3.Nov.2003 7:37:00 PM)

Hi Mike,

Thanks! I used Visio 2003. Nice stencils right out of the box!

Tom




-=v00d00=- -> RE: Discussion for ISA Server Exchange Kit Topologies article (20.Nov.2003 3:59:00 PM)

OK security gurus, there are two schools of thought on ISA topology and I would like to get as much information on behalf of an Enterprise client of mine that I am currently the PM / Consultant for concerning an ISA / OWA install.

1. Microsoft recommends Front-End Exchange server IN the DMZ hosting OWA and port 80/443 open to the Back-End Exchange server as well as port 3268 for GC/authentication. That seems totally wrong from a port perspective. What about DNS, RPC, SMTP, LDAP and others?

2. Tom Shinder recommends NEVER putting the front end in the DMZ because it is joined to the domain and presents a domain rights issue and valid security risks. However, conventional wisdom says to NEVER put a webserver (OWA), no matter how secured, anywhere but in a DMZ due to the substantial risk of Nimda / Code Red type attacks as well as the myriad other web exploits. Frankly, as a security professional I'm inclined to side with Tom on this issue.

My client topology is as follows:

Windows 2000 Server / Exchange 2000 / IIS 5.0

1. F5 BIG IP 1000 Load Balancer on the front end.
2. Cisco PIX 515 as the perimeter security w/ DMZ
3. Front-End OWA currently running on corporate LAN, but can be moved to the DMZ if necessary.
4. Surf Control device (can be made redundant by ISA I know) inside Corporate LAN for filtering content to clients.

Large healthcare facility with HIPAA compliance and all and I'm just looking for any feedback as to any and all solutions to properly mitigate risk in good faith / due diligence. Thanks for your input guys. I know I'm asking the best brains out there!

Regards,

[ November 20, 2003, 05:15 PM: Message edited by: -=v00d00=- ]




tshinder -> RE: Discussion for ISA Server Exchange Kit Topologies article (28.Nov.2003 3:34:00 PM)

Hi VooD,

If you only require reverse proxy, use a back-end ISA. This allows you to leverage the layer 7 protection ISA provides to the corporate network and provides a good degree of psychotherapy to the PIX enthusiasts who believe that packet filtering firewalls are secure [Wink]

HTH,
Tom




Guest -> RE: Discussion for ISA Server Exchange Kit Topologies article (22.Mar.2005 1:47:00 PM)

Hello, first let me say how I appreciate all the guidelines and tutorials about ISAserver and beyond.
My question is the following: The ISA2000 kit for Exchange 2000/2003, is it pretty much the same for ISA2004?
I had a quick look at ISA2004 and it looks very different as opposed to ISA2000.

Thanks

Benny




tshinder -> RE: Discussion for ISA Server Exchange Kit Topologies article (29.Mar.2005 2:46:00 PM)

Hi Benny,

Very, VERY different. Check it out over at www.microsoft.com/isaserver

HTH,
Tom



