Hi Marvin,

In my opinion the best thing for a back to back configuration is to
leave your front end ISA box as part of the work group.

ISA_FE >> ISA_BE (this can be part of the domain)

Thank you,
Joseph

-----Original Message-----
From: MarvinC [mailto:marvinc@xxxxxxxxx]
Sent: Wednesday, June 15, 2005 8:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Exchange front-end and back-end configuration thoughts...DMZ

http://www.ISAserver.org

Yep and I've been trying to follow the Front-End Back-End Exchange
Server Trihomed doc but something ain't working with the front-end
server configuration. I can't get this server added to the domain or
to speak to active directory. In trying to add it to my domain I get
the following error:

The query was for the SRV record for _ldap._tcp.dc.msdcs.corp

Another part of the error mentions:

error code 0x00002751 WSAEHOSTUNREACH

Totally confused...

On 6/15/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> http://www.ISAserver.org
>
> Hi Marvin,
> That was specific for ISA Server 2000. ISA Server 2004 is like Check
> Point, and the firewall policy and networking model is *completely*
> different.
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: MarvinC [mailto:marvinc@xxxxxxxxx]
> Sent: Wednesday, June 15, 2005 8:04 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Exchange front-end and back-end configuration thoughts...DMZ
>
> http://www.ISAserver.org
>
> Sorry Tom but I was referring to an article you wrote on creating a
> poor man's DMZ found here:
>
> http://www.windowsecurity.com/tutorials/Creating_a_Poor_Mans_DMZ_Part_1__Using_TCPIP_Security.html
>
> In it you state:
>
> This concept of a separate and distinct security zone defines the DMZ.
> People run into problems with this because they want to do things
> like:
>
> Use an MMC console to manage servers on the DMZ (allow RPC)
> Make DMZ servers members of the internal network domain (ouch!)
> Allow Web servers on the DMZ access to database servers on the internal network
> Terminate a VPN connection on a device upstream from the ISA Server and then access the internal network from that host
> Place an Outlook Web Access Front End server in the DMZ and a Back End server on the internal network
>
> All of these designs violate the integrity of the DMZ. DMZ hosts are
> "sacrificial lambs" and you should expect them to be compromised. It
> makes no sense to allow communications between DMZ hosts and the
> internal network if you expect these hosts to be compromised (in
> general, there may be exceptions).
>
> I don't think there's anything wrong with it as we have a front-end
> back-end setup at work. I'm simply trying to do the same thing on my
> own network and run into problems with installing Exchange on the
> front-end server. That problem is that I can't get the front-end
> server to see the domain controller from that 172.16.0.x IP subnet.
> I'm not trying to degrade anything written I'm simply searching for
> ways to help me understand and diagnose my problem.
> Any input you care to share is appreciated.
>
> On 6/15/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > http://www.ISAserver.org
> >
> > Hi Marvin,
> >
> > Are you referring to a back to back ISA firewall config? It's a GREAT
> > idea! I'd like to know which Cisco rep wrote the article you read? :-)
> >
> > Thanks!
> > Tom
> >
> > -----Original Message-----
> > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > Sent: Wednesday, June 15, 2005 4:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Exchange front-end and back-end configuration thoughts...DMZ
> >
> > http://www.ISAserver.org
> >
> > I like the honeypot idea but have never set one up.
> > Not sure about the FE BE isa setup because I don't have the boxes
> > and I do want the message screener.
> >
> > On 6/15/05, JosephK <josephk@xxxxxxxxx> wrote:
> > > http://www.ISAserver.org
> > >
> > > Hi Marvin,
> > > My configuration for exchange is like this.
> > > FE_ISA >> HONEYPOT >> BE_ISA >> INTERNAL >> Exchange.
> > >
> > > The front end publishes the Back end external nic card as the exchange
> > > server. My back end ISA box publishes the INTERNAL nic card as the SMTP
> > > since I'm using the message screener. I'm also thinking about adding
> > > the message screener to my front end ISA to make sure things don't get
> > > into my honeypot as well.
> > >
> > > -----Original Message-----
> > > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > > Sent: Wednesday, June 15, 2005 1:20 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Exchange front-end and back-end configuration thoughts...DMZ
> > >
> > > http://www.ISAserver.org
> > >
> > > I'm wondering if anyone cares to share their thoughts on configuring an
> > > Exchange 2003 front-end back-end setup. I've read a few articles, well
> > > one, that states this is a bad idea and I'm wondering if there are
> > > other ways to do this using ISA2K4?
> > > Any responses are appreciated.
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as: josephk@xxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
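
The join failure reported in the thread (the SRV lookup failing with 0x00002751 WSAEHOSTUNREACH) can be narrowed down by probing the domain controller's services from the front-end host. The following is an added example, not code from any poster in this thread; the port list, the function names and the DC address passed in are assumptions chosen for illustration.

```python
import errno
import socket
import sys

WSAEHOSTUNREACH = 0x2751  # 10065, the Winsock code quoted in the join error

# TCP ports a member server needs on a domain controller (well-known values).
# DNS lookups normally use UDP 53; Windows DNS also listens on TCP 53.
DC_SERVICES = {"DNS": 53, "Kerberos": 88, "RPC endpoint mapper": 135,
               "LDAP": 389, "SMB": 445}

def tcp_probe(host, port, timeout=3.0):
    """Return None if the TCP connect succeeds, else the OSError raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return exc

def classify(exc):
    """Map a connect result to open/unreachable/refused/filtered/error."""
    if exc is None:
        return "open"
    if isinstance(exc, socket.timeout):
        return "filtered"      # silently dropped, typical of a deny rule
    if isinstance(exc, ConnectionRefusedError):
        return "refused"       # host answered, nothing listening
    code = getattr(exc, "winerror", None) or exc.errno
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH, WSAEHOSTUNREACH):
        return "unreachable"   # no route or no network rule between subnets
    return "error"

def diagnose(dc_ip, probe=tcp_probe):
    """Probe every DC service and summarise why a domain join would fail."""
    results = {name: classify(probe(dc_ip, port))
               for name, port in DC_SERVICES.items()}
    states = set(results.values())
    if states == {"open"}:
        verdict = "all DC services reachable"
    elif states == {"unreachable"}:
        verdict = "no path to DC: check routing and firewall network rules"
    elif results["DNS"] != "open":
        verdict = "DNS blocked: SRV lookup for the domain cannot succeed"
    else:
        verdict = "DNS works but other DC services are blocked"
    return results, verdict

if __name__ == "__main__":
    # Pass the DC address as the first argument when run on the DMZ host.
    for item in diagnose(sys.argv[1]):
        print(item)
```

An "unreachable" result on every port points at routing or a missing network rule between the two subnets rather than at the DNS records themselves; every port that has to be opened from the DMZ to the internal network is also exposure of the kind the quoted DMZ article cautions about.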