Re: DNS Subnet question with DMZ

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 13:11:14 -0400

That's a good idea for SMTP.

What about OWA FE?

The only choices I see are
1) publishing it on the internal firewall and allowing incoming HTTP on the
outside firewall, or
2) putting it in the perimeter network with a VPN to the ISA firewall.

In either case, an HTTP attack getting past the external firewall and
compromising the OWA server would have access to the internal net.


----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxxx>
Sent: August 10, 2001 12:14 PM
Subject: [isalist] Re: DNS Subnet question with DMZ


http://www.ISAserver.org


Hi Jay,

NO benefit from putting Exchange on the DMZ. Put an SMTP server on the
DMZ, and have that SMTP server RELAY to a published Exchange Server.
Publish the Exchange Server and make it available ONLY to the SMTP
server on the DMZ.

HTH,
Tom
www.isaserver.org/shinder


Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
Sent: Friday, August 10, 2001 9:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ



Is there a benefit of putting E2k (or any server) on DMZ, over just
publishing it from internal net?



----- Original Message -----
From: Jim Harrison
To: [ISAserver.org Discussion List]
Sent: Friday, August 10, 2001 9:38 AM
Subject: [isalist] Re: DNS Subnet question with DMZ



Unfortunately, the best you can do for the DMZ server is a single IP
with the set you're given.
Since the DMZ in a three-homed ISA is a subnet of the external subnet,
you have to use a /30 mask for the DMZ, giving you only 2 usable IPs;
one for the ISA DMZ NIC and one left for a server.
Is the Exchange server an E2K variation?  If so, placing it in the DMZ
is more trouble than it's worth, given the issues related to AD
membership across a firewall.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: cismic
To: [ISAserver.org Discussion List]
Sent: Thursday, August 09, 2001 9:51 PM
Subject: [isalist] DNS Subnet question with DMZ



I also posted this to the message boards. Sorry for the duplication.
Just thought I'd see if anyone was online tonight with some ideas.
J

Hello,

I'm using 10.0.0.1 for illustration:

I have 10.0.0.1/29 (8 IPs, 32 per C) as my IP address. IPs .1 and .8 are
being used by my ISP. .7 is assigned to my Cisco 776M ISDN router.

That leaves me with 5 IP addresses to use:
.2, .3, .4, .5, .6
EXT NIC 1. = .2
DMZ NIC 1. = .3
DMZ servers would be .4, .5, .6

If I split those into something like the following
.4 sql
.5 web
.6 DNS
I run out of addresses and won't be able to place my Exchange server in
the DMZ.

and Internal NIC private could be 10.0.1.0

Is there another method that will work just as well so I can publish my
Exchange server?
