Hey folks,

Note that the FE/BE server config is not specifically noted to be a security solution. Although they mention you can put the FE in front of the firewall, the advantage they explicate is that it prevents DoS'ing the BE. You would realize the same advantage if both the FE and BE are behind the ISA Server.

CONCLUSION: There is no reason to put the FE in front of the ISA Server.

You decide:

==========================================

Using a front-end and back-end deployment has the following advantages:

* Single namespace

The primary advantage of a front-end and back-end server architecture is the ability to expose a single, consistent namespace. You can define a single namespace for users to access their mailboxes (for example, http://mail for Outlook Web Access). Without a front-end server, each user must know the name of the server that stores their mailbox. This complicates administration and compromises flexibility, because every time your organization grows or changes and you move some or all mailboxes to another server, you must inform the users. With a single namespace, users can use the same URL or POP and IMAP client configuration, even if you add or remove servers or move mailboxes from server to server. In addition, creating a single namespace ensures that Outlook Web Access, POP, or IMAP access remains scalable as your organization grows.

* Ability to balance processing tasks between servers

You can configure servers running Exchange 2000 to support Secure Sockets Layer (SSL) traffic between the client and the server to protect the traffic from third-party interception. However, encrypting and decrypting message traffic uses processor time. When SSL encryption is in use, front-end and back-end server architecture provides an advantage because the front-end servers can handle all encryption and decryption processing.
In addition, you can use an SSL accelerator to further mitigate the impact encryption and decryption has on the server. An SSL accelerator improves performance by removing processing tasks from back-end servers, while still allowing data to be encrypted between the client and the server running Exchange.

* Firewalls

You can position the front-end server as the single point of access on or behind an Internet firewall that is configured to allow only traffic to the front-end from the Internet. Because the front-end server has no user information stored on it, it provides an additional layer of security for the organization. In addition, you can configure the front-end server to authenticate requests before proxying them, protecting the back-end servers from denial-of-service attacks.

* Increased IMAP access to public folders

The IMAP protocol allows a server to refer a client to another server. Exchange 2000 supports this referral functionality in cases where a public folder store on a particular server does not contain the content requested and the client needs to be referred to another server. However, this requires a client that supports IMAP referrals, and most clients do not support referrals. (The University of Washington Pine client and toolkit is one example of a client that supports referrals.) When a non referral-enabled IMAP client connects through a front-end server, the client has access to the entire public folder hierarchy. When a front-end server proxies a command to a back-end server, it automatically handles any referral response that is passed back when attempting to access a folder that is not available on the back-end server. This makes the referral transparent to the client. For more information about nonreferral-enabled IMAP clients, see Request for Comments (RFC) 2221 and RFC 2193.

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp