RE: Exchange front-end and back-end configuration thoughts...DMZ

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Jun 2005 20:08:37 -0500

Hi Marvin,
That was specific for ISA Server 2000. ISA Server 2004 is like Check
Point, and the firewall policy and networking model is *completely*
different. 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: MarvinC [mailto:marvinc@xxxxxxxxx] 
Sent: Wednesday, June 15, 2005 8:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Exchange front-end and back-end configuration
thoughts...DMZ

http://www.ISAserver.org

Sorry Tom but I was referring to an article you wrote on creating a
poor man's DMZ found here:

http://www.windowsecurity.com/tutorials/Creating_a_Poor_Mans_DMZ_Part_1_
_Using_TCPIP_Security.html

In it you state: 

This concept of a separate and distinct security zone defines the DMZ.
People run into problems with this because they want to do things
like:

- Use an MMC console to manage servers on the DMZ (allow RPC)
- Make DMZ servers members of the internal network domain (ouch!)
- Allow Web servers on the DMZ access to database servers on the
  internal network
- Terminate a VPN connection on a device upstream from the ISA Server
  and then access the internal network from that host
- Place an Outlook Web Access Front End server in the DMZ and a Back
  End server on the internal network

All of these designs violate the integrity of the DMZ. DMZ hosts are
"sacrificial lambs" and you should expect them to be compromised. It
makes no sense to allow communications between DMZ hosts and the
internal network if you expect these hosts to be compromised (in
general, there may be exceptions).

I don't think there's anything wrong with it, as we have a front-end
back-end setup at work. I'm simply trying to do the same thing on my
own network and ran into problems with installing Exchange on the
front-end server. The problem is that I can't get the front-end
server to see the domain controller from that 172.16.0.x IP subnet.
I'm not trying to degrade anything written; I'm simply searching for
ways to help me understand and diagnose my problem.
Any input you care to share is appreciated.


On 6/15/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> http://www.ISAserver.org
> 
> Hi Marvin,
> 
> Are you referring to a back to back ISA firewall config? It's a GREAT
> idea! I'd like to know which Cisco rep wrote the article you read? :-)
> 
> Thanks!
> Tom
> 
> -----Original Message-----
> From: MarvinC [mailto:marvinc@xxxxxxxxx]
> Sent: Wednesday, June 15, 2005 4:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Exchange front-end and back-end configuration
> thoughts...DMZ
> 
> http://www.ISAserver.org
> 
> I like the honeypot idea but have never set one up. Not sure about the
> FE BE isa setup because I don't have the boxes and I do want the
> message screener.
> 
> On 6/15/05, JosephK <josephk@xxxxxxxxx> wrote:
> > http://www.ISAserver.org
> >
> > Hi Marvin,
> > My configuration for exchange is like this.
> > FE_ISA >> HONEYPOT >> BE_ISA >> INTERNL >> Exchange.
> >
> > The front end publishes the Back end external nic card as the
> > exchange server.  My back end ISA box publishes the INTERNAL nic
> > card as the SMTP since I'm using the message screener.  I'm also
> > thinking about adding the message screener to my front end ISA, to
> > make sure things don't get into my honeypot as well.
> >
> >
> > -----Original Message-----
> > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > Sent: Wednesday, June 15, 2005 1:20 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Exchange front-end and back-end configuration
> > thoughts...DMZ
> >
> > http://www.ISAserver.org
> >
> > I'm wondering if anyone cares to share their thoughts on configuring
> > an Exchange 2003 front-end back-end setup. I've read a few articles,
> > well one, that states this is a bad idea and I'm wondering if there
> > are other ways to do this using ISA2K4?
> > Any responses are appreciated.
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> > as: josephk@xxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> 
