Hi Edward, I like your methods, as they're the same as mine :-) The Exchange Server never gets direct inbound connections, and never makes direct outbound connections. SMTP relay is used for inbound and outbound messages and DNS is done by an internal DNS server. Of course, this is harder to do with POP3, etc -- but FE/BE can deal with this problem too ;-) Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Edward Sullivan [mailto:esullivan@xxxxxxx] Sent: Tuesday, February 25, 2003 8:11 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org Indeed. Not having it behind the ISA server creates a huge security hole. We use a IIS smtp screener which forwards all email to the smart host, the exchange server. The screener runs GFI mailessentials and mailsecurity. The exchange server runs a seperate AV product, so 4 antivirus engines check all incoming messages and no direct connections ever touch the Exchange server. The screener and the Exchange server both sit behind our firewall, the screener is in the DMZ of course. I can be dense at times, which is why I spell things out for others. I often miss the hint..... -----Original Message----- From: Friese, Casey <cfriese@xxxxxxxxxxxxx> To: [ISAserver.org Discussion List] <isalist@xxxxxxxxxxxxx> Sent: Tue Feb 25 07:57:31 2003 Subject: [isalist] RE: FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org That's what I'm hinting to him as well Ed... -----Original Message----- From: Edward Sullivan [mailto:esullivan@xxxxxxx] Sent: Tuesday, February 25, 2003 8:50 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org I would strongly recommend you move your exchange server inside to your 10.x network, then use smtp and owa publishing for external connections. This makes your network more secure, and will more than likely solve your connectivity issues. Exchange 2000 uses AD heavily, and seperating it from your main network will complicate things. (assuming you have exchange 2000) -----Original Message----- From: Friese, Casey <cfriese@xxxxxxxxxxxxx> To: [ISAserver.org Discussion List] <isalist@xxxxxxxxxxxxx> Sent: Tue Feb 25 07:41:06 2003 Subject: [isalist] RE: FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org Is there no local network between the ISA and the Exchange Server? Example..using your numbers, here's how my design is: All my XP SP1 Clients work fine. Intranet (10.0.x.x) | ISA Server (10.0.x.x) South (10.112.x.x)Local DMZ ------ Exchange Server (10.112.x.x) (66.43.x.x) North | Cisco Router (66.43.x.x) | Internet -----Original Message----- From: rbell@xxxxxxxxxx [mailto:rbell@xxxxxxxxxx] Sent: Tuesday, February 25, 2003 8:24 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org okay here goes... working from a LAT setup. I have an internal network and W2K server that is the DHCP/DNS for internal net. All clients are running the ISA firewall client. Out in the DMZ are the web servers and the Exchange server. Intranet (10.0.x.x) DC runs DHCP and DNS servers | ISA server (10.0.x.x) south (66.43.x.x) north | Exchange server (66.43.x.x) also DNS server | Cisco router (66.43.x.x) | Internet On all the other (non-SP1) outlook setups (outlook 2000) I create an exchange account in Outlook and connect without problem. On the SP1 units or units that have had SP1 installed I am denied access. On the systems that I can remove SP1 from all works great as soon as it is off the system. FTP is also denied on these systems, but like exchange some back after SP1 is removed. the real trouble is the units that have SP1 integrated into the WinXP OS installation CD. Rich -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Sunday, February 23, 2003 12:36 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org Hi Richard, You say the Exchange Server is in a DMZ. What kind of DMZ? Are the clients trying to connection from a LAT or non-LAT network? Thanks! Tom Thomas W Shinder www.isaserver.org/shinder -----Original Message----- From: rbell@xxxxxxxxxx [mailto:rbell@xxxxxxxxxx] Sent: Friday, February 21, 2003 9:53 AM To: [ISAserver.org Discussion List] Subject: [isalist] FW: WinXP SP1, Outlook 2000, and ISA http://www.ISAserver.org I have several W2K, and WinXP stations running Outlook with a live connection to an Exchange server in the DMZ. All was fine until I installed WinXP SP1. After installation of SP1 I can not longer connect to the exchange server or even use FTP. I can however surf the web. I am running the ISA firewall client on all stations. This appears to be a WinXP SP1 issue as on the stations that I can remove SP1 from the connections return. However I have new stations that have WinXP with SP1 integrated. Is there a setting that after SP1 needs to be changed in the ISA server that I didn't need before SP1? Richard Bell MIS Director Microfilm Services, Inc. www.msifla.net rbell@xxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rbell@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cfriese@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: esullivan@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cfriese@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: esullivan@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')