RE: OWA without ISA server

  • From: "adrian bolzan" <abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 9 Jun 2005 09:54:29 +1000

Hi Rick,

Thanks for your reply.
I now have budgetary approval for ISA although it will still be a while
before the funds are available.
My plan would be to implement ISA as a second layer, using my packet
filtering firewall as the first line of defence, taking into account
recent posts on the ISAserver list that suggest that this is not
absolutely necessary.

The swiss-cheese effect is of some concern but, as you say, careful
monitoring together with patch management should alleviate most
concerns. 
I appreciate your comments, which give me some further food for thought.

cheers,
Adrian



________________________________

        From: Rick Boza [mailto:rickb@xxxxxxxxxxxxxxx]
        Sent: Wednesday, 8 June 2005 11:35 AM
        To: [ExchangeList]
        Subject: [exchangelist] RE: OWA without ISA server


        To answer your original question, the scenario you paint is
inherently more risky than using some sort of proxy capability in the
DMZ.
        
        That's not to say it can't be operated securely - it can - but
it takes much more care and feeding.  You want to monitor the traffic on
all those ports you opened up, you should understand the traffic models
you expect to see across those ports, and your internal firewall is
Swiss-cheesed to support the DC and RPC communications.
        
        The neat thing about ISA - well there are several neat things,
but in this instance - would be the reduction in number of ports you
actually need to open up between the DMZ and your front-end server.
Exactly one, in fact, which is pretty nifty compared to what you are
using now!
        
        Again, it can be done and done securely and well, but an ISA
solution is much more robust.  The thing is, you need to think of the
ISA box not as a firewall in this scenario, but as an extension to your
messaging infrastructure.
        
        Hope that helps!
        
        Rick


