RE: 3homed ISA Securing Mail

At 14:42 12/04/2005, you wrote:

http://www.ISAserver.org

FE/BE architecture does not dictate DMZ placement.
The other advantage for FE/BE is process distribution.

OK

Place your FE behind ISA and enjoy the dual benefits.

You mean put exchange server on the private LAN and publish its services on ISA public interface (pop3,smtp,OWA,Imap, HTTPs/RPC)?


Thanks,

Daniel


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message----- From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] Sent: Tuesday, April 12, 2005 10:16 To: [ISAserver.org Discussion List] Subject: [isalist] RE: 3homed ISA Securing Mail

http://www.ISAserver.org

Hi Jim,

At 21:09 11/04/2005, you wrote:
>http://www.ISAserver.org
>
>The issue is trading apparent security for additional management.
>It is *possible* to have domain traffic cross your ISA 2004 firewall,
>but the important question is "why do you want to".

I really would not, but I can't leave my mailboxes on the DMZ and I need
to
have
a commom user database for authentication (AD on the LAN). I can accesss
it
via Radius or LDAP/kerberos.

A general  solution for mail systems (to don't leave mailboxes on the
DMZ)
is FE/BE architectures ok?

>If your argument for planting the Exch FE in a DMZ is "what if it's
>compromised (yakkitty-yak)?", then you've gained nothing because Exch
>requires that you have to create policies that allow this machine to
>access your AD anyway.

Ok I agree exchange server has a complicated communication with the DC!

but what to do? using other mail systems like linux/postfix or other,
they
negotiate FE/BE intercomunications better?

Publish the mail server and planting it on the LAN no condition, ok!

What's is your suggestion?


>Better that you simply place ISA between the Exch FW and the BOBOI in >the first place.

If I understand (exch FW? -->means exchange firewall?,  BOBOI? --->means

internal LAN?)
You suggest put exchange on DMZ, leave mailboxes on it and duplicate
user/password database
form AD, i.e, every new user add in external and external AD?


Thanks for you feedback Jim,

Daniel.


>------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! >------------------------------------------------------- > >-----Original Message----- >From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] >Sent: Monday, April 11, 2005 16:40 >To: [ISAserver.org Discussion List] >Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ > >http://www.ISAserver.org > > >I read Tom article at isaserver.org about exch2003/ISA2004 intradomain >communication publishing. >I Thinking about upgrade my isa server to 2004. >As I uderstand It seems a good design if you have back-to-back >firewalls, and you didn't have 2 machines an 2 Exch2003 licences for >exchange BE/FE. > >I agree is not the better design (exch03 at DMZ an member of internal >domain), Jim Harrison points that its bad solution, and TOM too make >apoints about it. > >What's a good solution, FE/BE exchange only? > >If I have only one Exchange/BE on the LAN, member server, member of the >internal domain, its possible use for FE (win2003 smtp service) or a >linux Box? > >thanks, > >Daniel > > > > >=========================================== > >-----Original Message----- > >My Bad! I thought it was 2004 :( > >Tom >www.isaserver.org/shinder >Tom and Deb Shinder's Configuring ISA Server 2004 >http://tinyurl.com/3xqb7 >MVP -- ISA Firewalls > >http://www.ISAserver.org > >-----Original Message----- >Hi Daniel, > > >Check the chapter in the ISA/Exchange Kit on how to allow the >intradomain communications between the DMZ and the Default Internal >Network. Its also in the book and might be on the ISAserver.org Web site >as well. > >HTH, > >-----Original Message----- >From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] >Sent: Saturday, April 09, 2005 10:23 AM >To: [ISAserver.org Discussion List] >Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, wich port I >need to publish that the exchsrv can user the internal LAN AD/DC > > >http://www.ISAserver.org > > >Bad Daniel: >http://support.microsoft.com/?id=329807 > > >------------------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! >------------------------------------------------------- > >-----Original Message----- >From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] >Sent: Saturday, April 09, 2005 00:32 >To: [ISAserver.org Discussion List] >Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, wich port I need >to publish that the exchsrv can user the internal LAN AD/DC > > >http://www.ISAserver.org > > >Publish Exch2003 services (pop3,smtp,imap,owa) in DMZ, its OK for me. > > >Which ports I need to publish that the AD/Domain Controller >on the privante LAN can be accessed by the exchange server from >DMZ, and use it de AD as users database (rpc,kerberos, ...), i.e, >the Exch server will join as member of internat AD domain. > > > >Thanks, > > >Daniel.



Other related posts: