RE: 3homed ISA Securing Mail
- From: Daniel <daniel@xxxxxxxxxxxxxxxx>
- To: isalist@xxxxxxxxxxxxx
- Date: Tue, 12 Apr 2005 14:15:43 -0300
Hi Jim,
At 21:09 11/04/2005, you wrote:
http://www.ISAserver.org
The issue is trading apparent security for additional management.
It is *possible* to have domain traffic cross your ISA 2004 firewall,
but the important question is "why do you want to".
I really would not, but I can't leave my mailboxes on the DMZ and I need to
have a common user database for authentication (AD on the LAN). I can access it
via Radius or LDAP/kerberos.
A general solution for mail systems (to not leave mailboxes on the DMZ)
is an FE/BE architecture, ok?
If your argument for planting the Exch FE in a DMZ is "what if it's
compromised (yakkitty-yak)?", then you've gained nothing because Exch
requires that you have to create policies that allow this machine to
access your AD anyway.
Ok, I agree the exchange server has complicated communication with the DC!
But what to do? Using other mail systems like linux/postfix or others, do they
negotiate FE/BE intercommunications better?
Publishing the mail server and planting it on the LAN, no condition, ok!
What is your suggestion?
Better that you simply place ISA between the Exch FW and the BOBOI in
the first place.
If I understand (exch FW? --> means exchange firewall?, BOBOI? ---> means
internal LAN?)
You suggest putting exchange on the DMZ, leaving mailboxes on it and duplicating
the user/password database from AD, i.e., every new user is added in the internal
and external AD?
Thanks for your feedback Jim,
Daniel.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Monday, April 11, 2005 16:40
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
http://www.ISAserver.org
I read Tom's article at isaserver.org about exch2003/ISA2004 intradomain
communication publishing.
I'm thinking about upgrading my ISA server to 2004.
As I understand it, it seems a good design if you have back-to-back
firewalls, and you don't have 2 machines and 2 Exch2003 licences for
exchange BE/FE.
I agree it is not the better design (exch03 at DMZ and member of the internal
domain); Jim Harrison points out that it's a bad solution, and Tom too makes
a point about it.
What's a good solution, FE/BE exchange only?
If I have only one Exchange/BE on the LAN, a member server, member of the
internal domain, is it possible to use for the FE the win2003 smtp service or a
linux box?
thanks,
Daniel
===========================================
-----Original Message-----
My Bad! I thought it was 2004 :(
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
http://www.ISAserver.org
-----Original Message-----
Hi Daniel,
Check the chapter in the ISA/Exchange Kit on how to allow the
intradomain communications between the DMZ and the Default Internal
Network. It's also in the book and might be on the ISAserver.org Web site
as well.
HTH,
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, April 09, 2005 10:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, which port I
need to publish so that the exchsrv can use the internal LAN AD/DC
http://www.ISAserver.org
Bad Daniel:
http://support.microsoft.com/?id=329807
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Saturday, April 09, 2005 00:32
To: [ISAserver.org Discussion List]
Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, which port I need
to publish so that the exchsrv can use the internal LAN AD/DC
http://www.ISAserver.org
Publishing Exch2003 services (pop3, smtp, imap, owa) in the DMZ is OK for me.
Which ports do I need to publish so that the AD/Domain Controller
on the private LAN can be accessed by the exchange server from the
DMZ, and use the AD as the user database (rpc, kerberos, ...), i.e.,
the Exch server will join as a member of the internal AD domain.
Thanks,
Daniel.
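The exposure question Jim raises in this thread (once the DMZ Exchange box is a domain member, you must write rules that let it reach the internal DC, so a compromised DMZ host already has a path to AD) can be checked against a rule set mechanically. The following is an added example for readers of the archive, not code from the thread, from ISA Server or from Microsoft: a small Python checker that evaluates a constructed first-match rule set and reports which AD services a DMZ host can reach on the DC. The service/port list, the hosts, the addresses and the rules are all assumptions made for the example; verify the real port requirements against the KB article Jim cites.

```python
"""Audit a firewall rule set for DMZ-to-LAN domain traffic.

Added example (not from the isalist thread or from ISA Server). It models the
point made in the thread: a DMZ domain member needs rules to the internal DC,
so the "compromised DMZ host" argument gains nothing. Everything below
(service list, addresses, rules) is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services a domain member typically needs at its DC. ASSUMPTION for this
# example: well-known ports; the RPC dynamic range differs by Windows version,
# so check the vendor documentation for the platform you actually run.
AD_SERVICES = {
    "dns": ("udp", 53, 53),
    "kerberos": ("tcp", 88, 88),
    "rpc-epm": ("tcp", 135, 135),
    "ldap": ("tcp", 389, 389),
    "smb": ("tcp", 445, 445),
    "rpc-dynamic": ("tcp", 1025, 5000),
}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR of the source network/host
    dst: str      # CIDR of the destination network/host
    proto: str    # "tcp", "udp" or "any"
    port_lo: int  # inclusive destination port range
    port_hi: int


def _matches(rule, src_ip, dst_ip, proto, port):
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port_lo <= port <= rule.port_hi)


def permitted(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, proto, port):
            return rule.action == "allow"
    return False


def ad_services_reachable(rules, src_ip, dc_ip):
    """Names of AD services src_ip can fully reach on dc_ip.

    A service counts as reachable only if every port in its range is allowed,
    so a partially blocked RPC dynamic range is reported as not reachable.
    """
    reachable = set()
    for name, (proto, lo, hi) in AD_SERVICES.items():
        if all(permitted(rules, src_ip, dc_ip, proto, p) for p in range(lo, hi + 1)):
            reachable.add(name)
    return reachable


def exposure_report(rules, dmz_hosts, dc_ip):
    """Map each DMZ host to the sorted list of AD services it can reach."""
    return {h: sorted(ad_services_reachable(rules, h, dc_ip)) for h in dmz_hosts}


def dc_isolated_from(rules, dmz_hosts, dc_ip):
    """True when no DMZ host can reach any AD service on the DC."""
    return all(not services for services in exposure_report(rules, dmz_hosts, dc_ip).values())


# Constructed topology: a DMZ host, the internal DC and an internal Exchange BE.
DMZ_EXCH = "192.168.100.5"
DC_IP = "10.0.0.10"
BE_EXCH = "10.0.0.20"


def member_rules(dmz_host, dc_ip):
    """The rules a DMZ domain member ends up needing towards the DC."""
    return [Rule("allow", f"{dmz_host}/32", f"{dc_ip}/32", proto, lo, hi)
            for proto, lo, hi in AD_SERVICES.values()]


# Scenario 1: Exchange in the DMZ joined to the internal domain.
RULES_MEMBER = member_rules(DMZ_EXCH, DC_IP)

# Scenario 2: a non-member relay in the DMZ that may only hand SMTP to the BE.
RULES_RELAY = [Rule("allow", f"{DMZ_EXCH}/32", f"{BE_EXCH}/32", "tcp", 25, 25)]

if __name__ == "__main__":
    for label, rules in (("domain member in DMZ", RULES_MEMBER), ("SMTP relay in DMZ", RULES_RELAY)):
        print(label, exposure_report(rules, [DMZ_EXCH], DC_IP),
              "DC isolated:", dc_isolated_from(rules, [DMZ_EXCH], DC_IP))
```

Run it as-is to compare the two constructed scenarios: the domain-member rule set gives the DMZ host every modelled AD service on the DC, while the relay rule set gives it none, which is the difference Daniel is asking about when he suggests a Windows SMTP service or a Linux box as the front end.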