RE: FE Vs BE

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Jul 2005 08:26:59 -0500

Hey Jim,

Actually, I would put the FE in an "authenticated access" DMZ, since it's
still an Internet-facing device. Not a classical "party down on my NICs
anonymously DMZ", but it still allows inbound connections that are
either auth'd at the ISA firewall first, or at the destination server.

Of course, you would have to remove the SMTP inbound relay from the FE,
since these need to be anonymous connections, so a third perimeter would
be appropriate for an inbound SMTP relay, which allows anonymous inbound
connections.

I'll not buy into the whole "deperimeterization" hokey I'm hearing until
they can demonstrate that it works in the non-digital world the
proponents live in -- and at least until we're hooked up to personal
"deflector shields", the whole deperimeterization talk is just that --
enabling speakers to create controversy at conferences. 

IMNSHO :)

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Wednesday, July 13, 2005 8:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FE Vs BE
> 
> http://www.ISAserver.org
> 
> Hi Ruba,
> 
> The BE/FE deployment was designed to accomplish two things:
> 1 - allow the Exch admin to create a "security zone" between the
> Internet and Intranet sides of Exch
> 2 - allow the Exch admin to "spread the load" for different Exch
> functions across multiple machines.
> 
> Since ISA pretty much obviates the need for a DMZ, you don't need the
> FE/BE deployment for security reasons.
> Unless you can show that the Exch FE/BE combination is overloaded,
> there's no need to separate them.
> 
> IOW, if it works, LITFA...
> 
> -----Original Message-----
> From: Ruba Al Omari [mailto:romari@xxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, July 13, 2005 12:10 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] FE Vs BE
> 
> When publishing Exchange 2003 (OWA and SMTP) through ISA2004 with an
> SSL, is it better to use FE and BE configuration or is it as secure as
> using ISA2004 with BE directly without having FE?
> 
>  
> 
> Thanks,
> 
> r.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> All mail to and from this domain is GFI-scanned.
> 

