lol :) I should have known that....

r.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 7/13/2005 9:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FE Vs BE

http://www.ISAserver.org

Hi Ruba,

IMNSHO = In my not so humble opinion
IOW = In other words
LITFA = Leave it the f*** alone :-)

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: Ruba Al Omari [mailto:romari@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, July 13, 2005 1:23 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: FE Vs BE

Thanks, helpful as usual. Except that I don't know what IMNSHO, IOW and LITFA stand for :)

r.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wed 7/13/2005 4:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FE Vs BE

Hey Jim,

Good point. I forgot about all those "open a port" PIX admins who think of the DMZ as only a party down net. Guess this is a good reason to start referring to all of them as perimeter networks, which is what ISA UA(UE?) has been trying to get me to do now for five years :)

Guess I got to hand it to Adina for being right on this one :-)))

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, July 13, 2005 8:31 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FE Vs BE
>
> Hi Tom,
>
> I didn't mean to suggest that "DMZs is ded", just that the "old school" use for them has passed on.
> As you point out, they've actually evolved into something more than was originally intended (thanx in no small part to ISA).
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, July 13, 2005 6:27 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FE Vs BE
>
> Hey Jim,
>
> Actually, I would put the FE in an "authenticated access" DMZ, since it's still an Internet facing device. Not a classical "party down on my NICs anonymously DMZ", but it still allows inbound connections that are either auth'd at the ISA firewall first, or at the destination server.
>
> Of course, you would have to remove the SMTP inbound relay from the FE, since these need to be anonymous connections, so a third perimeter would be appropriate for an inbound SMTP relay, which allows anonymous inbound connections.
>
> I'll not buy into the whole "deperimeterization" hokey I'm hearing until they can demonstrate that it works in the non-digital world the proponents live in -- and at least until we're hooked up to personal "deflector shields", the whole deperimeterization talk is just that -- enabling speakers to create controversy at conferences.
>
> IMNSHO :)
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 8:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: FE Vs BE
> >
> > Hi Ruba,
> >
> > The BE/FE deployment was designed to accomplish two things:
> > 1 - allow the Exch admin to create a "security zone" between the Internet and Intranet sides of Exch
> > 2 - allow the Exch admin to "spread the load" for different Exch functions across multiple machines.
> >
> > Since ISA pretty much obviates the need for a DMZ, you don't need the FE/BE deployment for security reasons.
> > Unless you can show that the Exch FE/BE combination is overloaded, there's no need to separate them.
> >
> > IOW, if it works, LITFA...
> >
> > -----Original Message-----
> > From: Ruba Al Omari [mailto:romari@xxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 12:10 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] FE Vs BE
> >
> > When publishing exchange 2003 (OWA and SMTP) through ISA2004 with an SSL, is it better to use FE and BE configuration or is it as secure as using ISA2004 with BE directly without having FE?
> >
> > Thanks,
> >
> > r.
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------