Hi Jim,
http://www.ISAserver.org
The issue is trading apparent security for additional management. It is *possible* to have domain traffic cross your ISA 2004 firewall, but the important question is "why do you want to".
If your argument for planting the Exch FE in a DMZ is "what if it's compromised (yakkitty-yak)?", then you've gained nothing because Exch requires that you have to create policies that allow this machine to access your AD anyway.
Ok I agree exchange server has a complicated communication with the DC!
but what to do? using other mail systems like linux/postfix or other, they negotiate FE/BE intercomunications better?
Publish the mail server and planting it on the LAN no condition, ok!
What's is your suggestion?
Better that you simply place ISA between the Exch FW and the BOBOI in the first place.
Thanks for you feedback Jim,
Daniel.
------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
-----Original Message----- From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] Sent: Monday, April 11, 2005 16:40 To: [ISAserver.org Discussion List] Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
http://www.ISAserver.org
I read Tom article at isaserver.org about exch2003/ISA2004 intradomain communication publishing. I Thinking about upgrade my isa server to 2004. As I uderstand It seems a good design if you have back-to-back firewalls, and you didn't have 2 machines an 2 Exch2003 licences for exchange BE/FE.
I agree is not the better design (exch03 at DMZ an member of internal domain), Jim Harrison points that its bad solution, and TOM too make apoints about it.
What's a good solution, FE/BE exchange only?
If I have only one Exchange/BE on the LAN, member server, member of the internal domain, its possible use for FE (win2003 smtp service) or a linux Box?
thanks,
Daniel
===========================================
-----Original Message-----
My Bad! I thought it was 2004 :(
Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
http://www.ISAserver.org
-----Original Message----- Hi Daniel,
Check the chapter in the ISA/Exchange Kit on how to allow the intradomain communications between the DMZ and the Default Internal Network. Its also in the book and might be on the ISAserver.org Web site as well.
HTH,
-----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Saturday, April 09, 2005 10:23 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, wich port I need to publish that the exchsrv can user the internal LAN AD/DC
http://www.ISAserver.org
Bad Daniel: http://support.microsoft.com/?id=329807
------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
-----Original Message----- From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] Sent: Saturday, April 09, 2005 00:32 To: [ISAserver.org Discussion List] Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, wich port I need to publish that the exchsrv can user the internal LAN AD/DC
http://www.ISAserver.org
Publish Exch2003 services (pop3,smtp,imap,owa) in DMZ, its OK for me.
Which ports I need to publish that the AD/Domain Controller on the privante LAN can be accessed by the exchange server from DMZ, and use it de AD as users database (rpc,kerberos, ...), i.e, the Exch server will join as member of internat AD domain.
Thanks,
Daniel.