RE: 3homed ISA Securing Mail

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 12 Apr 2005 10:42:17 -0700

FE/BE architecture does not dictate DMZ placement.
The other advantage for FE/BE is process distribution.
Place your FE behind ISA and enjoy the dual benefits.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
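
The thread's underlying question (which DC ports a DMZ-resident Exchange 2003 front end needs opened toward the internal LAN, and why Jim recommends keeping the FE on the LAN behind ISA instead) can be made concrete with the audit script below. It is an added example, not code from the thread, from ISA Server or from Exchange. It assumes default AD/Exchange port numbers, the Windows Server 2003 default RPC dynamic range (1025-5000), and a DC address you supply on the command line; the 192.0.2.10 default and the simulated "firewall policy" used for the offline run are constructed for demonstration.

```python
"""Added example: audit DMZ-to-DC exposure for an Exchange 2003 front end.
Not code from the ISAserver.org thread. Assumptions: default AD/Exchange
ports, W2K3 default RPC dynamic range 1025-5000, operator-supplied DC address
(the default below is a constructed one)."""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int
    name: str


# What a Windows 2003 member server (and Exchange's DSAccess) needs to reach
# on a DC/GC. Default port numbers; assumption: the DC is not reconfigured.
DOMAIN_MEMBER_NEEDS = (
    Service("udp", 53, "DNS"),
    Service("tcp", 53, "DNS (large responses)"),
    Service("udp", 88, "Kerberos"),
    Service("tcp", 88, "Kerberos"),
    Service("udp", 123, "NTP (W32Time)"),
    Service("tcp", 135, "RPC endpoint mapper"),
    Service("udp", 389, "CLDAP DC locator ping"),
    Service("tcp", 389, "LDAP"),
    Service("tcp", 445, "SMB: Netlogon, SYSVOL, Group Policy"),
    Service("tcp", 636, "LDAP over SSL"),
    Service("tcp", 3268, "Global Catalog"),
    Service("tcp", 3269, "Global Catalog over SSL"),
)
# RPC services (Netlogon, DRS, Exchange System Attendant) land on any port in
# the dynamic range unless the DC is pinned to fixed ports.
RPC_DYNAMIC = range(1025, 5001)   # W2K3 default 1025-5000, inclusive


def dmz_to_dc_rules(fe_is_domain_member_in_dmz: bool) -> set[tuple[str, int]]:
    """(proto, port) pairs ISA must allow from the DMZ network to the DC.
    FE on the LAN behind ISA: the DMZ gets nothing toward the DC.
    FE in the DMZ as a domain member: the list above plus dynamic RPC."""
    if not fe_is_domain_member_in_dmz:
        return set()
    rules = {(s.proto, s.port) for s in DOMAIN_MEMBER_NEEDS}
    rules |= {("tcp", p) for p in RPC_DYNAMIC}
    return rules


def probe_tcp(host: str, services: Iterable[Service], timeout: float = 2.0,
              connect: Callable[..., object] = socket.create_connection,
              ) -> dict[int, bool]:
    """TCP-connect to each TCP service on host; True means reachable.
    UDP entries are skipped: a connectionless probe through a firewall
    proves nothing either way."""
    reachable: dict[int, bool] = {}
    for s in services:
        if s.proto != "tcp":
            continue
        try:
            conn = connect((host, s.port), timeout)
            reachable[s.port] = True
            close = getattr(conn, "close", None)
            if close is not None:
                close()
        except OSError:
            reachable[s.port] = False
    return reachable


def missing_for_domain_member(reachable: dict[int, bool]) -> list[str]:
    """TCP services a domain-joined FE in the DMZ would still lack."""
    return [s.name for s in DOMAIN_MEMBER_NEEDS
            if s.proto == "tcp" and not reachable.get(s.port, False)]


def simulated_connect(open_ports: set[int]) -> Callable[..., object]:
    """Stand-in for socket.create_connection: a constructed firewall policy
    that admits only open_ports, so the audit can run offline."""
    def _connect(address, timeout=None):
        if address[1] in open_ports:
            return socket.socket()   # never connected; only closed by caller
        raise OSError("blocked by firewall policy")
    return _connect


if __name__ == "__main__":
    if len(sys.argv) > 1:      # real probe, run on the DMZ host: script.py <dc-ip>
        result = probe_tcp(sys.argv[1], DOMAIN_MEMBER_NEEDS)
    else:                      # offline demo against a constructed policy
        result = probe_tcp("192.0.2.10", DOMAIN_MEMBER_NEEDS,
                           connect=simulated_connect({389, 3268}))
    for s in DOMAIN_MEMBER_NEEDS:
        if s.proto == "tcp":
            state = "open" if result[s.port] else "blocked"
            print(f"{state:8} tcp/{s.port:<5} {s.name}")
    print("still needed by a domain-joined FE:", missing_for_domain_member(result))
    print("DMZ->DC rules with FE in DMZ:", len(dmz_to_dc_rules(True)))
    print("DMZ->DC rules with FE on LAN:", len(dmz_to_dc_rules(False)))
```

Run it from the DMZ box with the DC's address to see what your ISA policy actually lets through; the rule counts at the end are the point of Jim's argument: a domain-joined FE in the DMZ forces thousands of DMZ-to-LAN permits (the fixed AD ports plus the whole RPC dynamic range) toward the DC, whereas a published FE on the LAN needs none.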
 

-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] 
Sent: Tuesday, April 12, 2005 10:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA Securing Mail

http://www.ISAserver.org

Hi Jim,

At 21:09 11/04/2005, you wrote:
>
>The issue is trading apparent security for additional management.
>It is *possible* to have domain traffic cross your ISA 2004 firewall,
>but the important question is "why do you want to".

I really would not, but I can't leave my mailboxes on the DMZ and I need to
have a common user database for authentication (AD on the LAN). I can access
it via RADIUS or LDAP/Kerberos.

A general solution for mail systems (so as not to leave mailboxes on the
DMZ) is an FE/BE architecture, OK?

>If your argument for planting the Exch FE in a DMZ is "what if it's
>compromised (yakkitty-yak)?", then you've gained nothing because Exch
>requires that you have to create policies that allow this machine to
>access your AD anyway.

OK, I agree that Exchange Server has complicated communication with the DC!

But what to do? Using other mail systems like Linux/Postfix or others, do
they negotiate FE/BE intercommunication better?

Publishing the mail server and planting it on the LAN: no condition, OK!

What is your suggestion?


>Better that you simply place ISA between the Exch FW and the BOBOI in
>the first place.

If I understand (Exch FW? --> means Exchange firewall? BOBOI? --> means
internal LAN?)
You suggest putting Exchange on the DMZ, leaving the mailboxes on it and
duplicating the user/password database from AD, i.e., every new user is
added in the internal and external AD?


Thanks for your feedback, Jim,

Daniel.


>-------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
>-------------------------------------------------------
>
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Monday, April 11, 2005 16:40
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
>
>
>I read Tom's article at isaserver.org about Exch2003/ISA2004 intradomain
>communication publishing.
>I am thinking about upgrading my ISA server to 2004.
>As I understand it, it seems a good design if you have back-to-back
>firewalls and you don't have 2 machines and 2 Exch2003 licences for
>Exchange BE/FE.
>
>I agree it is not the better design (Exch03 in the DMZ and a member of the
>internal domain); Jim Harrison points out that it's a bad solution, and Tom
>too makes points about it.
>
>What's a good solution, FE/BE Exchange only?
>
>If I have only one Exchange/BE on the LAN, a member server, member of the
>internal domain, is it possible to use the Win2003 SMTP service or a
>Linux box for the FE?
>
>thanks,
>
>Daniel
>
>
>
>
>===========================================
>
>-----Original Message-----
>
>My Bad! I thought it was 2004 :(
>
>Tom
>www.isaserver.org/shinder
>Tom and Deb Shinder's Configuring ISA Server 2004
>http://tinyurl.com/3xqb7
>MVP -- ISA Firewalls
>
>-----Original Message-----
>Hi Daniel,
>
>
>Check the chapter in the ISA/Exchange Kit on how to allow the
>intradomain communications between the DMZ and the Default Internal
>Network. It's also in the book and might be on the ISAserver.org Web site
>as well.
>
>HTH,
>
>-----Original Message-----
>From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
>Sent: Saturday, April 09, 2005 10:23 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, which ports I
>need to publish so that the exchsrv can use the internal LAN AD/DC
>
>
>
>Bad Daniel:
>http://support.microsoft.com/?id=329807
>
>
>-------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
>-------------------------------------------------------
>
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Saturday, April 09, 2005 00:32
>To: [ISAserver.org Discussion List]
>Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, which ports I need
>to publish so that the exchsrv can use the internal LAN AD/DC
>
>
>
>Publishing Exch2003 services (POP3, SMTP, IMAP, OWA) in the DMZ is OK for me.
>
>
>Which ports do I need to publish so that the AD/domain controller
>on the private LAN can be accessed by the Exchange server from the
>DMZ, and it can use the AD as the user database (RPC, Kerberos, ...), i.e.,
>the Exch server will join as a member of the internal AD domain.
>
>
>
>Thanks,
>
>
>Daniel.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------