FE/BE architecture does not dictate DMZ placement.
The other advantage for FE/BE is process distribution.
Place your FE behind ISA and enjoy the dual benefits.

-------------------------------------------------------
 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/Jim_Harrison/
 http://isatools.org
 Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 12, 2005 10:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA Securing Mail

http://www.ISAserver.org

Hi Jim,

At 21:09 11/04/2005, you wrote:
>The issue is trading apparent security for additional management.
>It is *possible* to have domain traffic cross your ISA 2004 firewall,
>but the important question is "why do you want to".

I really would not, but I can't leave my mailboxes on the DMZ and I need
to have a common user database for authentication (AD on the LAN). I can
access it via Radius or LDAP/kerberos.
A general solution for mail systems (to not leave mailboxes on the DMZ)
is FE/BE architectures, ok?

>If your argument for planting the Exch FE in a DMZ is "what if it's
>compromised (yakkitty-yak)?", then you've gained nothing because Exch
>requires that you have to create policies that allow this machine to
>access your AD anyway.

Ok, I agree Exchange server has a complicated communication with the DC!
But what to do? Using other mail systems like linux/postfix or other, do
they negotiate FE/BE intercommunications better?
Publishing the mail server and planting it on the LAN: no condition, ok!
What is your suggestion?

>Better that you simply place ISA between the Exch FW and the BOBOI in
>the first place.

If I understand (Exch FW? --> means Exchange firewall?, BOBOI? --> means
internal LAN?)
You suggest putting Exchange on the DMZ, leaving mailboxes on it and
duplicating the user/password database from AD, i.e., every new user is
added in internal and external AD?

Thanks for your feedback Jim,

Daniel.

>-------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>-------------------------------------------------------
>
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Monday, April 11, 2005 16:40
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
>
>I read Tom's article at isaserver.org about exch2003/ISA2004 intradomain
>communication publishing.
>I'm thinking about upgrading my ISA server to 2004.
>As I understand, it seems a good design if you have back-to-back
>firewalls, and you don't have 2 machines and 2 Exch2003 licences for
>exchange BE/FE.
>
>I agree it is not the better design (exch03 at DMZ and member of internal
>domain); Jim Harrison points out that it's a bad solution, and Tom too makes
>points about it.
>
>What's a good solution, FE/BE exchange only?
>
>If I have only one Exchange/BE on the LAN, member server, member of the
>internal domain, is it possible to use for FE (win2003 smtp service) or a
>linux box?
>
>thanks,
>
>Daniel
>
>===========================================
>
>-----Original Message-----
>
>My Bad! I thought it was 2004 :(
>
>Tom
>www.isaserver.org/shinder
>Tom and Deb Shinder's Configuring ISA Server 2004
>http://tinyurl.com/3xqb7
>MVP -- ISA Firewalls
>
>-----Original Message-----
>Hi Daniel,
>
>Check the chapter in the ISA/Exchange Kit on how to allow the
>intradomain communications between the DMZ and the Default Internal
>Network. It's also in the book and might be on the ISAserver.org Web site
>as well.
>
>HTH,
>
>-----Original Message-----
>From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
>Sent: Saturday, April 09, 2005 10:23 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, which port I
>need to publish so that the exchsrv can use the internal LAN AD/DC
>
>Bad Daniel:
>http://support.microsoft.com/?id=329807
>
>-------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>-------------------------------------------------------
>
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Saturday, April 09, 2005 00:32
>To: [ISAserver.org Discussion List]
>Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, which port I need
>to publish so that the exchsrv can use the internal LAN AD/DC
>
>Publishing Exch2003 services (pop3, smtp, imap, owa) in DMZ is OK for me.
>
>Which ports do I need to publish so that the AD/Domain Controller
>on the private LAN can be accessed by the exchange server from the
>DMZ, and use the AD as user database (rpc, kerberos, ...), i.e.,
>the Exch server will join as member of the internal AD domain.
>
>Thanks,
>
>Daniel.