RE: 3homed ISA Securing Mail

  • From: Daniel <daniel@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Tue, 12 Apr 2005 14:15:43 -0300

Hi Jim,

At 21:09 11/04/2005, you wrote: 
http://www.ISAserver.org

The issue is trading apparent security for additional management.
It is *possible* to have domain traffic cross your ISA 2004 firewall,
but the important question is "why do you want to".

I really would not, but I can't leave my mailboxes on the DMZ and I need to have
a commom user database for authentication (AD on the LAN). I can accesss it via Radius or LDAP/kerberos.

A general solution for mail systems (to don't leave mailboxes on the DMZ) is FE/BE architectures ok?

If your argument for planting the Exch FE in a DMZ is "what if it's
compromised (yakkitty-yak)?", then you've gained nothing because Exch
requires that you have to create policies that allow this machine to
access your AD anyway.


Ok I agree exchange server has a complicated communication with the DC!

but what to do? using other mail systems like linux/postfix or other, they
negotiate FE/BE intercomunications better?

Publish the mail server and planting it on the LAN no condition, ok!

What's is your suggestion?


Better that you simply place ISA between the Exch FW and the BOBOI in
the first place.

If I understand (exch FW? -->means exchange firewall?, BOBOI? --->means internal LAN?)
You suggest put exchange on DMZ, leave mailboxes on it and duplicate user/password database
form AD, i.e, every new user add in external and external AD?


Thanks for you feedback Jim,

Daniel.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Monday, April 11, 2005 16:40
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ

http://www.ISAserver.org


I read Tom article at isaserver.org about exch2003/ISA2004 intradomain
communication publishing.
I Thinking about upgrade my isa server to 2004.
As I uderstand It seems a good design if you have back-to-back
firewalls, and you didn't have 2 machines an 2 Exch2003 licences for
exchange BE/FE.

I agree is not the better design (exch03 at DMZ an member of internal
domain), Jim Harrison points that its bad solution, and TOM too make
apoints about it.

What's a good solution, FE/BE exchange only?

If I have only one Exchange/BE on the LAN, member server, member of the
internal domain, its possible use for FE (win2003 smtp service) or a
linux Box?

thanks,

Daniel




===========================================

-----Original Message-----

My Bad! I thought it was 2004 :(

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

http://www.ISAserver.org

-----Original Message-----
Hi Daniel,


Check the chapter in the ISA/Exchange Kit on how to allow the
intradomain communications between the DMZ and the Default Internal
Network. Its also in the book and might be on the ISAserver.org Web site
as well.

HTH,

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, April 09, 2005 10:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, wich port I
need to publish that the exchsrv can user the internal LAN AD/DC


http://www.ISAserver.org


Bad Daniel:
http://support.microsoft.com/?id=329807


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Saturday, April 09, 2005 00:32
To: [ISAserver.org Discussion List]
Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, wich port I need
to publish that the exchsrv can user the internal LAN AD/DC


http://www.ISAserver.org


Publish Exch2003 services (pop3,smtp,imap,owa) in DMZ, its OK for me.


Which ports I need to publish that the AD/Domain Controller
on the privante LAN can be accessed by the exchange server from
DMZ, and use it de AD as users database (rpc,kerberos, ...), i.e,
the Exch server will join as member of internat AD domain.



Thanks,


Daniel.



Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 04-2005