Hi Howard,

There's no reason why you can't do it this way. You'll have two DMZ segments, an "external" DMZ and an "internal" DMZ. If all three of these machines were ISA Servers, it would be very easy to publish internal network Exchange RPC, SMTP, NNTP, OWA, etc. But I don't believe Checkpoint has the Application layer intelligence to handle the task without making Swiss cheese out of the checkbox boxes.

Another reason to put the ISA Server on the LAN edge is that you can leverage user/group based outbound and inbound access control.

If you open up the VPN ports and protocols on the two Checkpoint boxes in front of the ISA Server on the LAN's edge, you can have an unlimited number of inbound VPN connections to the ISA Server without paying a penny more. Can you say the same with Checkpoint?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx]
Sent: Wednesday, December 18, 2002 2:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW1 between ISA and internal network

http://www.ISAserver.org

Yes, you read the subject correctly. The project team I am on has a person on it who thinks he is a firewall god. With my proposal to implement ISA server to publish our internal Exchange servers to the world came a backlash of defiance. This guy does not give ISA any respect and doesn't even consider it to be a firewall that can stand on its own. The guy wants me to put my ISA server between two Checkpoint firewalls. Yes you read correctly, he wants to put a firewall between two firewalls. Why, I don't know. Probably because he's defensive about his Checkpoint and doesn't want to lose control of it or something. Anyway, can someone give me a good solid reason that will be worth putting in my gun and shooting as to why this should NOT be done.

Is there any reason at all, technically, that ISA has to be connected to the same segment as the Exchange servers? Any reason at all? Say for the secure connection to OWA, SMTP, POP3, IMAP, NNTP, anything at all??

TIA and HELP!!!!
Howard