RE: Ex2k FE in DMZ Segment

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 19:36:45 -0600

No cheating :)

Well, except from the front-end to the back-end ISA firewall, since it's
only HTTP. In that case, it's either open HTTP or IPSec tunneled HTTP.
Your choice.

So, it's SSL tunnel from external client through the FE ISA firewall to
the BE ISA firewall, then SSL bridging from the BE ISA firewall to the
FE Exchange Server, and then either clear HTTP or HTTP/IPSec from the FE
to the BE. It depends how much you trust your anonymous access DMZ and
its physical security (I'm not so worried about network security, since
they had to auth first to get there, YMMV).

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Monday, December 05, 2005 7:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Ex2k FE in DMZ Segment
> 
> http://www.ISAserver.org
> 
> SSL everywhere then? No cheating?
> 
> t
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, December 05, 2005 5:16 PM
> Subject: [isalist] RE: Ex2k FE in DMZ Segment
> 
> 
> OK, good :)
> 
> I use SSL Server Publishing Rules since there's no reason to go through
> the HTTP filter overhead on both devices. So, SSL tunneling through the
> front-end ISA firewall and then a Web Publishing Rule on the back-end
> ISA firewall.
> 
> S'good?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Monday, December 05, 2005 7:09 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Ex2k FE in DMZ Segment
> >
> > Knock, knock.
> >
> > -----
> > "And yet, even if one person finds his way... that means
> > there is a Way.  Even if I personally fail to reach it."
> >
> > Mr. Nobusuke Tagomi
> > Top Place, Ranking Imperial Trade Mission
> > Pacific States of America
> >
> > ----- Original Message ----- 
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, December 05, 2005 4:19 PM
> > Subject: [isalist] RE: Ex2k FE in DMZ Segment
> >
> >
> > OK, let me try to figure out what the question is here.
> >
> > What you want to know is what to do on the FE ISA firewall to publish
> > the FE Exchange on the BE ISA firewall's DMZ. Right?
> >
> > Knock twice if yes, once if no.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > Sent: Monday, December 05, 2005 4:43 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Ex2k FE in DMZ Segment
> > >
> > > OK Doc- help me out here... How about give me the low down on exactly
> > > what you are thinking when it comes to this topology:
> > >
> > > [Internal Network]
> > >           |
> > >           |
> > >  [Back End ISA] ---- [Ex FE DMZ]
> > >           |
> > >        [DMZ]
> > >           |
> > >           |
> > > [Front End ISA]
> > >           |
> > >           |
> > >      [Internet]
> > >
> > >
> > > I've got my rules just fine from the [Ex FE DMZ] to the Internal- OWA
> > > works fine, etc.
> > >
> > > How about spill the beans on the HTTPS tunneling/bridging you've got
> > > going on.  Where will I use what?  I've got the [Ex FE DMZ] box requiring
> > > HTTPS and the owa.domain.com cert on that guy.  Are you talking just
> > > server pub HTTPS from [Front End ISA] to [Back End ISA] and bridging from
> > > [Back End ISA] to [Ex FE DMZ]?  Can you take a moment and tell me what you
> > > plan to do and where?
> > >
> > > t
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx