RE: FE Vs BE
- From: "Ruba Al Omari" <romari@xxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 13 Jul 2005 23:03:15 +0300
lol :) I should have known that....
r.
________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 7/13/2005 9:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FE Vs BE
http://www.ISAserver.org
Hi Ruba,
IMNSHO = In my not so humble opinion
IOW = In other words
LITFA = Leave it the f*** alone
:-)
HTH,
Tom
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: Ruba Al Omari [mailto:romari@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, July 13, 2005 1:23 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: FE Vs BE
Thanks, helpful as usual.
Except that I don't know what IMNSHO , IOW and LITFA stand for :)
r.
________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 7/13/2005 4:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FE Vs BE
http://www.ISAserver.org
Hey Jim,
Good point. I forgot about all those "open a port" PIX admins who think
of the DMZ as only a party down net. Guess this is a good reason to
start referring all of them as perimeter networks, which is what ISA
UA(UE?) has been trying to get me to do now for five years :)
Guess I got to hand it to Adina for being right on this one :-)))
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, July 13, 2005 8:31 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FE Vs BE
>
> http://www.ISAserver.org
>
> Hi Tom,
>
> I didn't mean to suggest that "DMZs is ded", just that the
> "old school"
> use for them has passed on.
> As you point out, they've actually evolved into something
> more than was
> originally intended (thanx in no small part to ISA).
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, July 13, 2005 6:27 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FE Vs BE
>
> http://www.ISAserver.org
>
> Hey Jim,
>
> Actually, I would put the FE in a "authenticated access" DMZ, since it
> still an Internet facing device. Not a classical "party down
> on my NICs
> anonymously DMZ", but it still allows inbound connections that are
> either auth'd at the ISA firewall first, or at the destination server.
>
> Of course, you would have to remove the SMTP inbound relay
> from the FE,
> since these need to be anonymous connection, so a third
> perimeter would
> be appropriate for an inbound SMTP relay, which allows
> anonymous inbound
> connections.
>
> I'll not ?buy into the whole "deperimeterization" hokey I'm
> hearing until
> they can demonstrate that it works in the non-digital world the
> proponents live in -- and at least until we're hooked up to personal
> "deflector shields", the whole deperimeterization talk is just that --
> enabling speakers to create controversy at conferences.
>
> IMNSHO :)
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 8:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: FE Vs BE
> >
> > http://www.ISAserver.org
> >
> > Hi Ruba,
> >
> > The BE/FE deployment was designed to accomplish two things:
> > 1 - allow the Exch admin to create a "security zone" between the
> > Internet and Intranet sides of Exch
> > 2 - allow the Exch admin to "spread the load" for different Exch
> > functions across multiple machines.
> >
> > Since ISA pretty much obviates the need for a DMZ, you
> don't need the
> > FE/BE deployment for security reasons.
> > Unless you can show that the Exch FE/BE combination is overloaded,
> > there's no need to separate them.
> >
> > IOW, if it works, LITFA...
> >
> > -----Original Message-----
> > From: Ruba Al Omari [mailto:romari@xxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 12:10 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] FE Vs BE
> >
> > http://www.ISAserver.org
> >
> >
> > When publishing exchange 2003 (OWA and SMTP) through ISA2004 with an
> > SSL, is it better to use FE and BE configuration or is it
> as secure as
> > using ISA2004 with BE directly without having FE?
> >
> >
> >
> > Thanks,
> >
> > r.
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
Other related posts:
