OK. That's just about exactly what I was looking for. Thanks much!

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: knighTslayer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 22, 2004 11:20 AM
> To: Exchange Discussions
> Subject: RE: DMZ ports for Front End Server
>
> You need to read this MS document:
>
> http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/uisaex03.mspx
>
> If you want to use a DMZ from your PIX then you need to ensure that you have
> a free interface or a DMZ already configured. I'm sure the 515E comes with
> just two interfaces and you add an extra expansion card for more interfaces.
> Anyway, you should place the ISA server in the DMZ and have the public
> address that you have available NAT (Network Address Translate) to the DMZ.
> The ISA server in the DMZ should use the default gateway of the DMZ
> interface on the PIX. Make sure that the devices inside can route to the
> DMZ too. You then need to configure access rules as such:
>
> If you want to have http access to the Web Server/OWA
> -> Outside NAT=> ISAinDMZ allow 80 (ISAinDMZ will be a Public IP NAT to the
>    IP of the ISAserver in the DMZ)
> You don't need this but users must remember the HTTPS in the URL otherwise.
>
> You then need to have HTTPS
> -> Outside NAT=> ISAinDMZ allow 443 (ISAinDMZ will be a Public IP NAT to the
>    IP of the ISAserver in the DMZ)
>
> You then need to have ISA talk to the FE server inside
> -> ISAinDMZ to FEinLAN allow 80
> -> ISAinDMZ to FEinLAN allow 443
>
> That is all you need to publish OWA. I expect you have the SSL certificate
> sorted etc...
>
> Always seek the advice of your firewall consultant/team.
>
> Hope this helps.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: 22 July 2004 18:03
> To: Exchange Discussions
> Subject: RE: DMZ ports for Front End Server
>
> OK, so if I want to protect with a PIX and ISA 2004 to publish E2K3 for
> OWA/OMA, what's the recommended setup? Any good docs?
> What I've read so far is kinda pointing me to ISA in the DMZ, with E2K3 FE & BE
> inside the network. That way I don't have to open the RPC over HTTP or FE/BE
> holes in the firewall; is that about right? We're running 5.5 now with no OWA,
> so it will be a big change in exposure for us.
> I've found docs on ISA and publishing E2K3, but not about where it fits with
> the PIX acting as the first line of defense...
> I'm also looking into configuring the ISA server as an SMTP relay to further
> limit exposure of the E2K3 server...
>
> **********************
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
>
>
> > -----Original Message-----
> > From: Martin Blackstone [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 22, 2004 9:36 AM
> > To: Exchange Discussions
> > Subject: RE: DMZ ports for Front End Server
> >
> > Yes. People have had a number of issues with it over time.
> > http://www.google.com/search?sourceid=navclient&ie=UTF-8&q=Exchange+SMTP+Fixup
> >
> > http://support.microsoft.com/?kbid=320027
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > Sent: Thursday, July 22, 2004 9:34 AM
> > To: Exchange Discussions
> > Subject: RE: DMZ ports for Front End Server
> >
> > Be careful with what exactly? Fixup?
> >
> > **********************
> > Charlie Kaiser
> > MCSE, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **********************
> >
> >
> > > -----Original Message-----
> > > From: Martin Blackstone [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 22, 2004 9:11 AM
> > > To: Exchange Discussions
> > > Subject: RE: DMZ ports for Front End Server
> > >
> > > Be careful with that. It causes a number of issues as well.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > > Sent: Thursday, July 22, 2004 9:06 AM
> > > To: Exchange Discussions
> > > Subject: RE: DMZ ports for Front End Server
> > >
> > > OK. Thanks!
> > >
> > > **********************
> > > Charlie Kaiser
> > > MCSE, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **********************
> > >
> > >
> > > > -----Original Message-----
> > > > From: knighTslayer [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, July 22, 2004 8:17 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: DMZ ports for Front End Server
> > > >
> > > > The closest thing to ensuring that all is good in the packet is the
> > > > 'fixup protocol http' command.
> > > >
> > > > Though this is limited and addresses issues like:
> > > >
> > > > URL logging of GET messages
> > > > URL screening through N2H2 or Websense
> > > > Java and ActiveX filtering
> > > >
> > > > These functions are for inside requests from the (O)utside of a PIX.
> > > >
> > > > Nothing on HTTPS either.
> > > >
> > > > So, I'd say no, or unless there is a revision that does support it
> > > > that I don't know about. Maybe wait until a revision of the software
> > > > becomes available that does deep packet inspection (DPI) as I believe
> > > > all firewall vendors are moving this way.
> > > >
> > > > So, ISA behind a Pix for you then!
> > > >
> > > > K
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > > > Sent: 22 July 2004 15:09
> > > > To: Exchange Discussions
> > > > Subject: RE: DMZ ports for Front End Server
> > > >
> > > > 515; 6.3(1)
> > > >
> > > > **********************
> > > > Charlie Kaiser
> > > > MCSE, CCNA
> > > > Systems Engineer
> > > > Essex Credit / Brickwalk
> > > > 510 595 5083
> > > > **********************
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: knighTslayer [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, July 22, 2004 7:02 AM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: DMZ ports for Front End Server
> > > > >
> > > > > PIX model and IOS ver?
> > > > >
> > > > > Thanks
> > > > >
> > > > > K
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> > > > > Sent: 22 July 2004 14:41
> > > > > To: Exchange Discussions
> > > > > Subject: RE: DMZ ports for Front End Server
> > > > >
> > > > > I'm not a firewall guy, so excuse me if this sounds ignorant. :-) Will a PIX
> > > > > do this? I'm wondering if we can use our current PIX to do this or if
> > > > > I need to put in ISA if I plan to go this route when we do our
> > > > > upcoming E2K3 migration.
> > > > > Any documentation pointers would be wonderful...
> > > > > Thanks!
> > > > >
> > > > > **********************
> > > > > Charlie Kaiser
> > > > > MCSE, CCNA
> > > > > Systems Engineer
> > > > > Essex Credit / Brickwalk
> > > > > 510 595 5083
> > > > > **********************
> > > > >
> > > > >
> > > > > > I'm pretty sure that this box can do this, only way to find out is to give
> > > > > > it a go. It should be documented.
> > > > > >
> > > > > > It is of my opinion that if you have a decent firewall and you are
> > > > > > publishing services such as SMTP, FTP, HTTP, HTTPS or anything tcp
> > > > > > based, then you should always use the proxy function on the firewall.
> > > > > > Depending on the firewall, it will protect against protocol attacks
> > > > > > and more.
> > > > > >
> > > > > > ISA is a solution, but it adds an extra box to the topology, it's
> > > > > > another machine to patch, maintain, license, power, air condition etc.
> > > > > > etc...
> > > > >
> > > > > _________________________________________________________________
> > > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > > > Web Interface:
> > > > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > > > To unsubscribe send a blank email to %%email.unsub%%
> > > > > Exchange List admin: [EMAIL PROTECTED]
> > > > > To unsubscribe via postal mail, please contact us at:
> > > > > Jupitermedia Corp.
> > > > > Attn: Discussion List Management
> > > > > 475 Park Avenue South
> > > > > New York, NY 10016
> > > > >
> > > > > Please include the email address which you have been contacted with.
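
The access rules listed in knighTslayer's quoted message (Outside to ISAinDMZ on 80 and 443, ISAinDMZ to FEinLAN on 80 and 443), turned into an audit check over PIX-style access-list lines. This is an added example, not part of the original thread: the addresses, the ACL names `outside_in` and `dmz_in` and the sample lines are constructed assumptions, and the parser handles only simple `permit tcp` lines with `any`/`host` operands.

```python
import re

# Constructed addresses (documentation/private ranges), not taken from the thread.
ISA_PUBLIC = "192.0.2.10"   # public IP that is NATed to the ISA server in the DMZ
ISA_DMZ = "172.16.1.10"     # ISAinDMZ
FE_LAN = "10.0.0.20"        # FEinLAN
# The only flows the post calls for: (ACL name, source, destination, TCP port).
INTENDED = {
    ("outside_in", "any", ISA_PUBLIC, 80),
    ("outside_in", "any", ISA_PUBLIC, 443),
    ("dmz_in", ISA_DMZ, FE_LAN, 80),
    ("dmz_in", ISA_DMZ, FE_LAN, 443),
}

PORT_NAMES = {"www": 80, "https": 443}
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+(any|host\s+\S+)\s+(any|host\s+\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$")

def parse_acl(config):
    """Yield (acl, src, dst, port) per 'permit tcp' line; port None means all ports."""
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, src, dst, port = m.groups()
        src, dst = src.split()[-1], dst.split()[-1]   # drop the 'host' keyword
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        yield acl, src, dst, port

def audit(config):
    """Return (intended flows that are missing, permits beyond the intended set)."""
    permits = set(parse_acl(config))
    return sorted(INTENDED - permits), sorted(permits - INTENDED, key=str)

# Constructed sample. The last two lines are deliberate over-permits: an extra
# port from the DMZ to the LAN, and a rule that bypasses the ISA server.
SAMPLE = """
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.20 eq www
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.20 eq https
access-list dmz_in permit tcp host 172.16.1.10 any eq 135
access-list outside_in permit tcp any host 10.0.0.20 eq https
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty second list means the ACLs permit nothing beyond the four published flows; an empty first list means none of those four is missing.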
