Absopositolutely!

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
Sent: Tuesday, April 12, 2005 11:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA Securing Mail

http://www.ISAserver.org

At 14:42 12/04/2005, you wrote:
> FE/BE architecture does not dictate DMZ placement.
> The other advantage for FE/BE is process distribution.

OK

> Place your FE behind ISA and enjoy the dual benefits.

You mean put the Exchange server on the private LAN and publish its services on the ISA public interface (POP3, SMTP, OWA, IMAP, HTTPS/RPC)?

Thanks,
Daniel

> -----Original Message-----
> From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
> Sent: Tuesday, April 12, 2005 10:16
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: 3homed ISA Securing Mail
>
> Hi Jim,
>
> At 21:09 11/04/2005, you wrote:
> > The issue is trading apparent security for additional management.
> > It is *possible* to have domain traffic cross your ISA 2004 firewall,
> > but the important question is "why do you want to".
>
> I really would not, but I can't leave my mailboxes on the DMZ and I need to
> have a common user database for authentication (AD on the LAN). I can access it
> via RADIUS or LDAP/Kerberos.
>
> A general solution for mail systems (to not leave mailboxes on the DMZ)
> is FE/BE architecture, ok?
>
> > If your argument for planting the Exch FE in a DMZ is "what if it's
> > compromised (yakkitty-yak)?", then you've gained nothing because Exch
> > requires that you have to create policies that allow this machine to
> > access your AD anyway.
>
> Ok, I agree the Exchange server has a complicated communication with the DC!
>
> But what to do? Using other mail systems like Linux/Postfix or others, do they
> negotiate FE/BE intercommunications better?
>
> Publish the mail server and plant it on the LAN, no condition, ok!
>
> What is your suggestion?
>
> > Better that you simply place ISA between the Exch FW and the BOBOI in
> > the first place.
>
> If I understand (exch FW? --> means exchange firewall?, BOBOI? --> means
> internal LAN?)
> You suggest putting Exchange on the DMZ, leaving mailboxes on it and duplicating the
> user/password database from AD, i.e., every new user is added in the external and the internal AD?
>
> Thanks for your feedback Jim,
>
> Daniel.
>
> > -----Original Message-----
> > From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
> > Sent: Monday, April 11, 2005 16:40
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
> >
> > I read Tom's article at isaserver.org about Exch2003/ISA2004 intradomain
> > communication publishing.
> > I'm thinking about upgrading my ISA server to 2004.
> > As I understand it, it seems a good design if you have back-to-back
> > firewalls and you don't have 2 machines and 2 Exch2003 licences for
> > Exchange BE/FE.
> >
> > I agree it is not the better design (Exch03 in the DMZ and member of the internal
> > domain); Jim Harrison points out that it's a bad solution, and Tom too makes
> > points about it.
> >
> > What's a good solution, FE/BE Exchange only?
> >
> > If I have only one Exchange/BE on the LAN, member server, member of the
> > internal domain, is it possible to use for FE the Win2003 SMTP service or a
> > Linux box?
> >
> > Thanks,
> >
> > Daniel
> >
> > ===========================================
> >
> > -----Original Message-----
> >
> > My Bad! I thought it was 2004 :(
> >
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > -----Original Message-----
> > Hi Daniel,
> >
> > Check the chapter in the ISA/Exchange Kit on how to allow the
> > intradomain communications between the DMZ and the Default Internal
> > Network. It's also in the book and might be on the ISAserver.org Web site
> > as well.
> >
> > HTH,
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Saturday, April 09, 2005 10:23 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, which port I
> > need to publish so that the exchsrv can use the internal LAN AD/DC
> >
> > Bad Daniel:
> > http://support.microsoft.com/?id=329807
> >
> > -----Original Message-----
> > From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
> > Sent: Saturday, April 09, 2005 00:32
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, which port I need
> > to publish so that the exchsrv can use the internal LAN AD/DC
> >
> > Publishing Exch2003 services (POP3, SMTP, IMAP, OWA) in the DMZ is OK for me.
> >
> > Which ports do I need to publish so that the AD/Domain Controller
> > on the private LAN can be accessed by the Exchange server from the
> > DMZ, and use the AD as the users database (RPC, Kerberos, ...), i.e.,
> > the Exch server will join as a member of the internal AD domain.
> >
> > Thanks,
> >
> > Daniel.