RE: 3homed ISA Securing Mail

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 12 Apr 2005 11:14:55 -0700

Absopositolutely!

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx] 
Sent: Tuesday, April 12, 2005 11:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 3homed ISA Securing Mail

http://www.ISAserver.org

At 14:42 12/04/2005, you wrote:
>FE/BE architecture does not dictate DMZ placement.
>The other advantage for FE/BE is process distribution.

OK

>Place your FE behind ISA and enjoy the dual benefits.

You mean put the Exchange server on the private LAN and publish its services
on the ISA public interface (POP3, SMTP, OWA, IMAP, HTTPS/RPC)?

Thanks,

Daniel


>
>-----Original Message-----
>From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
>Sent: Tuesday, April 12, 2005 10:16
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: 3homed ISA Securing Mail
>
>Hi Jim,
>
>At 21:09 11/04/2005, you wrote:
> >The issue is trading apparent security for additional management.
> >It is *possible* to have domain traffic cross your ISA 2004 firewall,
> >but the important question is "why do you want to".
>
>I really would not, but I can't leave my mailboxes in the DMZ and I need
>to have a common user database for authentication (AD on the LAN). I can
>access it via RADIUS or LDAP/Kerberos.
>
>A general solution for mail systems (so as not to leave mailboxes in the
>DMZ) is an FE/BE architecture, OK?
>
> >If your argument for planting the Exch FE in a DMZ is "what if it's
> >compromised (yakkitty-yak)?", then you've gained nothing because Exch
> >requires that you have to create policies that allow this machine to
> >access your AD anyway.
>
>OK, I agree Exchange server has complicated communication with the DC!
>
>But what to do? Using other mail systems like Linux/Postfix or others,
>do they negotiate FE/BE intercommunication better?
>
>Publishing the mail server and planting it on the LAN: no condition, OK!
>
>What is your suggestion?
>
>
> >Better that you simply place ISA between the Exch FW and the BOBOI in
> >the first place.
>
>If I understand (Exch FW? -> means Exchange firewall?, BOBOI? -> means
>internal LAN?)
>You suggest putting Exchange in the DMZ, leaving mailboxes on it and
>duplicating the user/password database from AD, i.e., every new user
>is added in the external and internal AD?
>
>
>Thanks for your feedback Jim,
>
>Daniel.
>
>
> >-------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> >-------------------------------------------------------
> >
> >-----Original Message-----
> >From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
> >Sent: Monday, April 11, 2005 16:40
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ
> >
> >
 >I read Tom's article at isaserver.org about Exch2003/ISA2004 intradomain
 >communication publishing.
 >I'm thinking about upgrading my ISA server to 2004.
 >As I understand it, it seems a good design if you have back-to-back
 >firewalls and you don't have 2 machines and 2 Exch2003 licences for
 >Exchange BE/FE.
 >
 >I agree it is not the better design (Exch03 in the DMZ and a member of the
 >internal domain); Jim Harrison points out that it's a bad solution, and
 >Tom too makes points about it.
 >
 >What's a good solution, FE/BE Exchange only?
 >
 >If I have only one Exchange/BE on the LAN, a member server, member of the
 >internal domain, is it possible to use the Win2003 SMTP service or a
 >Linux box for the FE?
> >
> >thanks,
> >
> >Daniel
> >
> >
> >
> >
> >===========================================
> >
> >-----Original Message-----
> >
> >My Bad! I thought it was 2004 :(
> >
> >Tom
> >www.isaserver.org/shinder
> >Tom and Deb Shinder's Configuring ISA Server 2004
> >http://tinyurl.com/3xqb7
> >MVP -- ISA Firewalls
> >
> >-----Original Message-----
> >Hi Daniel,
> >
> >
 >Check the chapter in the ISA/Exchange Kit on how to allow the
 >intradomain communications between the DMZ and the Default Internal
 >Network. It's also in the book and might be on the ISAserver.org Web site
 >as well.
> >
> >HTH,
> >
> >-----Original Message-----
> >From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> >Sent: Saturday, April 09, 2005 10:23 AM
> >To: [ISAserver.org Discussion List]
 >Subject: [isalist] RE: 3homed ISA-2000 + Exch-2003 in DMZ, which port I
 >need to publish so that the exchsrv can use the internal LAN AD/DC
> >
> >
> >
> >Bad Daniel:
> >http://support.microsoft.com/?id=329807
> >
> >
> >-------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> >-------------------------------------------------------
> >
> >-----Original Message-----
> >From: Daniel [mailto:daniel@xxxxxxxxxxxxxxxx]
> >Sent: Saturday, April 09, 2005 00:32
> >To: [ISAserver.org Discussion List]
 >Subject: [isalist] 3homed ISA-2000 + Exch-2003 in DMZ, which port I need
 >to publish so that the exchsrv can use the internal LAN AD/DC
> >
> >
> >
 >Publishing Exch2003 services (POP3, SMTP, IMAP, OWA) in the DMZ is OK for me.
 >
 >
 >Which ports do I need to publish so that the AD/Domain Controller
 >on the private LAN can be accessed by the Exchange server from the
 >DMZ, and it can use the AD as the user database (RPC, Kerberos, ...), i.e.,
 >the Exch server will join as a member of the internal AD domain.
> >
> >
> >
> >Thanks,
> >
> >
> >Daniel.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------