RE: Exchange front-end and back-end configuration thoughts...DMZ

  • From: MarvinC <marvinc@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Jun 2005 21:03:51 -0400

Sorry, Tom, but I was referring to an article you wrote on creating a
poor man's DMZ, found here:

http://www.windowsecurity.com/tutorials/Creating_a_Poor_Mans_DMZ_Part_1__Using_TCPIP_Security.html

In it you state:

This concept of a separate and distinct security zone defines the DMZ.
People run into problems with this because they want to do things
like:

Use an MMC console to manage servers on the DMZ (allow RPC)
Make DMZ servers members of the internal network domain (ouch!)
Allow Web servers on the DMZ access to database servers on the internal network
Terminate a VPN connection on a device upstream from the ISA Server and then access the internal network from that host
Place an Outlook Web Access Front End server in the DMZ and a Back End server on the internal network

All of these designs violate the integrity of the DMZ. DMZ hosts are
"sacrificial lambs" and you should expect them to be compromised. It
makes no sense to allow communications between DMZ hosts and the
internal network if you expect these hosts to be compromised (in
general, there may be exceptions).

I don't think there's anything wrong with it, as we have a front-end/
back-end setup at work. I'm simply trying to do the same thing on my
own network and have run into problems installing Exchange on the
front-end server. The problem is that I can't get the front-end
server to see the domain controller from that 172.16.0.x IP subnet.
I'm not trying to degrade anything written; I'm simply searching for
ways to help me understand and diagnose my problem.
Any input you care to share is appreciated.


On 6/15/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> http://www.ISAserver.org
> 
> Hi Marvin,
> 
> Are you referring to a back-to-back ISA firewall config? It's a GREAT
> idea! I'd like to know which Cisco rep wrote the article you read? :-)
> 
> Thanks!
> Tom
> 
> -----Original Message-----
> From: MarvinC [mailto:marvinc@xxxxxxxxx]
> Sent: Wednesday, June 15, 2005 4:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Exchange front-end and back-end configuration
> thoughts...DMZ
> 
> I like the honeypot idea but have never set one up. Not sure about the
> FE/BE ISA setup because I don't have the boxes, and I do want the
> message screener.
> 
> On 6/15/05, JosephK <josephk@xxxxxxxxx> wrote:
> > Hi Marvin,
> > My configuration for Exchange is like this:
> > FE_ISA >> HONEYPOT >> BE_ISA >> INTERNAL >> Exchange.
> >
> > The front end publishes the back end's external NIC as the Exchange
> > server. My back end ISA box publishes the INTERNAL NIC as the SMTP
> > server, since I'm using the message screener. I'm also thinking about
> > adding the message screener to my front end ISA to make sure things
> > don't get into my honeypot as well.
> >
> >
> > -----Original Message-----
> > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > Sent: Wednesday, June 15, 2005 1:20 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Exchange front-end and back-end configuration
> > thoughts...DMZ
> >
> > I'm wondering if anyone cares to share their thoughts on configuring an
> > Exchange 2003 front-end/back-end setup. I've read a few articles, well,
> > one, that states this is a bad idea, and I'm wondering if there are
> > other ways to do this using ISA2K4?
> > Any responses are appreciated.
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > josephk@xxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >