I had back-to-back firewalls (only the internal one was ISA) and published HTTP and SMTP on the internal server. Then I published the external NIC of the internal firewall on the external firewall. This works.
I changed the configuration, though, and put a front-end E2k server/SMTP connector in the perimeter network. Just need to publish those on the external firewall, and publish appropriate ports (SMTP, HTTP, LDAP, Netlogon, RPC, Kerberos, DNS, etc.) on the internal firewall.
I have read some opinions here (including from Tom Shinder) about using VPN from the perimeter servers into the private network, so you don't need to publish all those ports. I did this (there are some issues with getting the Exchange and Netlogon services running, even if you make them dependent on the RRAS service), and it does work.
HOWEVER, I don't have much faith in the security of this method. In effect, the VPN bypasses the internal firewall. So if compromised, the perimeter server would be a quick gateway into the private network.
Also, I think it is less stable, and more of an administrative nightmare.
Originally posted by Yves:
Hope someone can help me
I've got a back-to-back ISA configuration with a webserver in the DMZ. Everything is OK for that.
The problem is I do not know how to configure ISA, or which ISA server to use, to publish my Exchange server placed in the internal network.
I published it with the internal ISA, configured to open in/out SMTP on both internal/external ISA servers, but my mails do not get in/out.
Thanks for your help