RE: Exchange front-end and back-end configuration thoughts...DMZ

  • From: "JosephK" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 16 Jun 2005 00:38:05 -0700

Hi Marvin,

In my opinion the best thing for a back to back configuration is to
leave your front end ISA box as part of the workgroup.

ISA_FE >> ISA_BE (this can be part of the domain)

Thank you,
Joseph

-----Original Message-----
From: MarvinC [mailto:marvinc@xxxxxxxxx] 
Sent: Wednesday, June 15, 2005 8:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Exchange front-end and back-end configuration
thoughts...DMZ

http://www.ISAserver.org

Yep and I've been trying to follow the Front-End Back-End Exchange
Server Trihomed doc but something ain't working with the front-end
server configuration. I can't get this server added to the domain or
to speak to Active Directory. In trying to add it to my domain I get
the following error:

The query was for the SRV record for _ldap._tcp.dc.msdcs.corp

Another part of the error mentions: 

error code 0x00002751 WSAEHOSTUNREACH

Totally confused...


On 6/15/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Marvin,
> That was specific for ISA Server 2000. ISA Server 2004 is like Check
> Point, and the firewall policy and networking model is *completely*
> different.
> 
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> -----Original Message-----
> From: MarvinC [mailto:marvinc@xxxxxxxxx]
> Sent: Wednesday, June 15, 2005 8:04 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Exchange front-end and back-end configuration
> thoughts...DMZ
> 
> Sorry Tom but I was referring to an article you wrote on creating a
> poor man's DMZ found here:
> 
> http://www.windowsecurity.com/tutorials/Creating_a_Poor_Mans_DMZ_Part_1__Using_TCPIP_Security.html
> 
> In it you state:
> 
> This concept of a separate and distinct security zone defines the DMZ.
> People run into problems with this because they want to do things
> like:
> 
> Use an MMC console to manage servers on the DMZ (allow RPC)
> Make DMZ servers members of the internal network domain (ouch!)
> Allow Web servers on the DMZ access to database servers on the
> internal network
> Terminate a VPN connection on a device upstream from the ISA Server
> and then access the internal network from that host
> Place an Outlook Web Access Front End server in the DMZ and a Back End
> server on the internal network
> 
> All of these designs violate the integrity of the DMZ. DMZ hosts are
> "sacrificial lambs" and you should expect them to be compromised. It
> makes no sense to allow communications between DMZ hosts and the
> internal network if you expect these hosts to be compromised (in
> general, there may be exceptions).
> 
> I don't think there's anything wrong with it as we have a front-end
> back-end setup at work. I'm simply trying to do the same thing on my
> own network and run into problems with installing Exchange on the
> front-end server. That problem is that I can't get the front-end
> server to see the domain controller from that 172.16.0.x IP subnet.
> I'm not trying to degrade anything written I'm simply searching for
> ways to help me understand and diagnose my problem.
> Any input you care to share is appreciated.
> 
> 
> On 6/15/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Marvin,
> >
> > Are you referring to a back to back ISA firewall config? It's a GREAT
> > idea! I'd like to know which Cisco rep wrote the article you read? :-)
> >
> > Thanks!
> > Tom
> >
> > -----Original Message-----
> > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > Sent: Wednesday, June 15, 2005 4:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Exchange front-end and back-end configuration
> > thoughts...DMZ
> >
> > I like the honeypot idea but have never set one up. Not sure about the
> > FE BE isa setup because I don't have the boxes and I do want the
> > message screener.
> >
> > On 6/15/05, JosephK <josephk@xxxxxxxxx> wrote:
> > > Hi Marvin,
> > > My configuration for Exchange is like this.
> > > FE_ISA >> HONEYPOT >> BE_ISA >> INTERNAL >> Exchange.
> > >
> > > The front end publishes the back end external NIC card as the
> > > Exchange server.  My back end ISA box publishes the INTERNAL NIC
> > > card as the SMTP since I'm using the message screener.  I'm also
> > > thinking about adding the message screener to my front end ISA, to
> > > make sure things don't get into my honeypot as well.
> > >
> > >
> > > -----Original Message-----
> > > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > > Sent: Wednesday, June 15, 2005 1:20 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Exchange front-end and back-end configuration
> > > thoughts...DMZ
> > >
> > > I'm wondering if anyone cares to share their thoughts on configuring
> > > an Exchange 2003 front-end back-end setup. I've read a few articles,
> > > well one, that states this is a bad idea and I'm wondering if there
> > > are other ways to do this using ISA2K4?
> > > Any responses are appreciated.
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > josephk@xxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > marvinc@xxxxxxxxx
> > > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> >
> >
> 
>
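
An added example, not part of the original thread: it decodes the Winsock code from the join error quoted above and lists which domain-member flows a rule set blocks between a front-end on the 172.16.0.x segment and an internal domain controller. The DC address 10.0.0.10, the rule list and the simplified first-match, default-deny model are all constructed assumptions; it does not read ISA Server's own policy.

```python
from ipaddress import ip_address, ip_network

# Well-known flows a Windows host needs toward a domain controller to locate
# it (DNS SRV lookup) and join. Dynamic RPC ports are left out for brevity.
REQUIRED = {
    "DNS": [("udp", 53), ("tcp", 53)],
    "Kerberos": [("udp", 88), ("tcp", 88)],
    "RPC endpoint mapper": [("tcp", 135)],
    "LDAP": [("udp", 389), ("tcp", 389)],
    "SMB": [("tcp", 445)],
}
WINSOCK = {10060: "WSAETIMEDOUT", 10061: "WSAECONNREFUSED", 10065: "WSAEHOSTUNREACH"}

def decode_winsock(hex_code):
    """Turn the hex code shown in the join error into (decimal, name)."""
    value = int(hex_code, 16)
    return value, WINSOCK.get(value, "unknown")

def srv_name(domain):
    """DC locator SRV record a joining host queries for."""
    return f"_ldap._tcp.dc._msdcs.{domain}"

def allowed(rules, src, dst, proto, port):
    """First matching rule decides; no match means deny (assumed model)."""
    for r in rules:
        if (ip_address(src) in ip_network(r["src"])
                and ip_address(dst) in ip_network(r["dst"])
                and r["proto"] == proto and port in r["ports"]):
            return r["action"] == "allow"
    return False

def missing_for_join(rules, src, dc):
    """Return {service: [(proto, port), ...]} still blocked from src to dc."""
    gaps = {}
    for svc, flows in REQUIRED.items():
        blocked = [f for f in flows if not allowed(rules, src, dc, *f)]
        if blocked:
            gaps[svc] = blocked
    return gaps

# Constructed rules: the DMZ segment reaches the DC for LDAP/GC over TCP only.
RULES = [
    {"src": "172.16.0.0/24", "dst": "10.0.0.10/32", "proto": "tcp",
     "ports": {389, 3268}, "action": "allow"},
    {"src": "172.16.0.0/24", "dst": "10.0.0.0/24", "proto": "tcp",
     "ports": {25}, "action": "allow"},
]
FE, DC = "172.16.0.5", "10.0.0.10"  # constructed front-end and DC addresses

if __name__ == "__main__":
    print(decode_winsock("0x00002751"), srv_name("corp"))
    print(missing_for_join(RULES, FE, DC))
```

With DNS blocked the SRV query never gets an answer, so the join fails before any LDAP rule is exercised.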
