RE: Ex2k FE in DMZ Segment

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 17:45:30 -0800

You mean "except from the front-end to the back-end Exchange server," not "ISA firewall," right? But I got it other than that.
t



----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 05, 2005 5:36 PM
Subject: [isalist] RE: Ex2k FE in DMZ Segment



http://www.ISAserver.org

No cheating :)

Well, except from the front-end to the back-end ISA firewall, since it's
only HTTP. In that case, it's either open HTTP or IPSec tunneled HTTP.
Your choice.

So, it's SSL tunnel from external client through the FE ISA firewall to
the BE ISA firewall, then SSL bridging from the BE ISA firewall to the
FE Exchange Server, and then either clear HTTP or HTTP/IPSec from the FE
to the BE. It depends how much you trust your anonymous access DMZ and
its physical security (I'm not so worried about network security, since
they had to auth first to get there, YMMV).

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 05, 2005 7:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Ex2k FE in DMZ Segment

SSL everywhere then? No cheating?

t

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 05, 2005 5:16 PM
Subject: [isalist] RE: Ex2k FE in DMZ Segment



OK, good :)

I use SSL Server Publishing Rules since there's no reason to go through
the HTTP filter overhead on both devices. So, SSL tunneling through the
front-end ISA firewall and then a Web Publishing Rule on the back-end
ISA firewall.

S'good?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Monday, December 05, 2005 7:09 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Ex2k FE in DMZ Segment
>
> Knock, knock.
>
> -----
> "And yet, even if one person finds his way... that means
> there is a Way. Even if I personally fail to reach it."
>
> Mr. Nobusuke Tagomi
> Top Place, Ranking Imperial Trade Mission
> Pacific States of America
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, December 05, 2005 4:19 PM
> Subject: [isalist] RE: Ex2k FE in DMZ Segment
>
>
> OK, let me try to figure out what the question is here.
>
> What you want to know is what to do on the FE ISA firewall to publish
> the FE Exchange on the BE ISA firewall's DMZ. Right?
>
> Knock twice if yes, once if no.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Monday, December 05, 2005 4:43 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Ex2k FE in DMZ Segment
> >
> > OK Doc- help me out here... How about give me the low down on exactly what
> > you are thinking when it comes to this topology:
> >
> > [Internal Network]
> > |
> > |
> > [Back End ISA] ---- [Ex FE DMZ]
> > |
> > [DMZ]
> > |
> > |
> > [Front End ISA]
> > |
> > |
> > [Internet]
> >
> >
> > I've got my rules just fine from the [Ex FE DMZ] to the Internal- OWA works
> > fine, etc.
> >
> > How about spill the beans on the HTTPS tunneling/bridging you've got going
> > on. Where will I use what? I've got the [Ex FE DMZ] box requiring HTTPS
> > and the owa.domain.com cert on that guy. Are you talking just server pub
> > HTTPS from [Front End ISA] to [Back End ISA] and bridging from [Back End
> > ISA] to [Ex FE DMZ]? Can you take a moment and tell me what you plan to do
> > and where?
> >
> > t
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx