At 14:42 12/04/2005, you wrote:
http://www.ISAserver.org
>FE/BE architecture does not dictate DMZ placement. The other advantage for FE/BE is process distribution.
OK
>Place your FE behind ISA and enjoy the dual benefits.
Thanks,
Daniel
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 12, 2005 10:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA Securing Mail
Hi Jim,
At 21:09 11/04/2005, you wrote:
>The issue is trading apparent security for additional management.
>It is *possible* to have domain traffic cross your ISA 2004 firewall,
>but the important question is "why do you want to".
I really would not, but I can't leave my mailboxes on the DMZ and I need to have a common user database for authentication (AD on the LAN). I can access it via RADIUS or LDAP/Kerberos.
A general solution for mail systems (so as not to leave mailboxes on the DMZ) is FE/BE architectures, OK?
>If your argument for planting the Exch FE in a DMZ is "what if it's
>compromised (yakkitty-yak)?", then you've gained nothing because Exch
>requires that you have to create policies that allow this machine to
>access your AD anyway.
OK, I agree Exchange Server has complicated communication with the DC!
But what to do? Using other mail systems like Linux/Postfix or others, do they negotiate FE/BE intercommunication better?
Publishing the mail server and planting it on the LAN: no condition, OK!
What is your suggestion?
>Better that you simply place ISA between the Exch FW and the BOBOI in
>the first place.
If I understand (Exch FW? --> means Exchange firewall? BOBOI? --> means internal LAN?), you suggest putting Exchange on the DMZ, leaving mailboxes on it and duplicating the user/password database from AD, i.e., every new user is added in the external and external AD?
Thanks for your feedback, Jim,
Daniel.
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Monday, April 11, 2005 16:40
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
>
>I read Tom's article at isaserver.org about Exch2003/ISA2004 intradomain
>communication publishing.
>I'm thinking about upgrading my ISA server to 2004.
>As I understand it, it seems a good design if you have back-to-back
>firewalls, and you don't have 2 machines and 2 Exch2003 licences for
>Exchange BE/FE.
>
>I agree it is not the better design (Exch03 at DMZ and member of internal
>domain); Jim Harrison points out that it's a bad solution, and Tom too makes
>points about it.
>
>What's a good solution, FE/BE Exchange only?
>
>If I have only one Exchange/BE on the LAN, member server, member of the
>internal domain, is it possible to use for FE (Win2003 SMTP service) or a
>Linux box?
>
>thanks,
>
>Daniel
>
>===========================================
>
>-----Original Message-----
>
>My Bad! I thought it was 2004 :(
>
>Tom
>www.isaserver.org/shinder
>Tom and Deb Shinder's Configuring ISA Server 2004
>http://tinyurl.com/3xqb7
>MVP -- ISA Firewalls
>
>-----Original Message-----
>Hi Daniel,
>
>Check the chapter in the ISA/Exchange Kit on how to allow the
>intradomain communications between the DMZ and the Default Internal
>Network. It's also in the book and might be on the ISAserver.org Web site
>as well.
>
>HTH,
>
>-----Original Message-----
>From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
>Sent: Saturday, April 09, 2005 10:23 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, which port I
>need to publish so that the exchsrv can use the internal LAN AD/DC
>
>Bad Daniel:
>http://support.microsoft.com/?id=329807
>
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Saturday, April 09, 2005 00:32
>To: [ISAserver.org Discussion List]
>Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, which port I need
>to publish so that the exchsrv can use the internal LAN AD/DC
>
>Publishing Exch2003 services (POP3, SMTP, IMAP, OWA) in the DMZ is OK for me.
>
>Which ports do I need to publish so that the AD/Domain Controller
>on the private LAN can be accessed by the Exchange server from the
>DMZ, and use the AD as users database (RPC, Kerberos, ...), i.e.,
>the Exch server will join as a member of the internal AD domain.
>
>Thanks,
>
>Daniel.