Posted this on the ISA forums a few days ago, but thought it might be an idea to post it
here for discussion.

A while back I tested a FE/BE topology with the FE server sitting on our DMZ, opening
numerous ports on our interior firewall to allow AD/GC lookups through, etc.  Now that it
comes to actually putting these fruits of labour into practice in a production
environment, I'm far from convinced of the rationale for placing a FE server on a DMZ,
given the security implications of doing so with regard to the numerous open ports.  I'm
more inclined to publish the front-end server (on our LAN) and allow remote users to
connect through HTTPS, secured behind ISA, acknowledging there is always a risk in
putting Internet-accessed resources on a production LAN.

Since this is a back-to-back firewall, the following ports would need to be opened:

Exterior Firewall
-----------------
443/TCP         HTTPS
25/TCP          SMTP
993/TCP         IMAPS

Interior Firewall
-----------------
80/TCP          HTTP
143/TCP         IMAP
25/TCP          SMTP
389/TCP         LDAP
389/UDP         LDAP
3268/TCP        LDAP (GC)
88/TCP          KERBEROS
88/UDP          KERBEROS
53/TCP          DNS
53/UDP          DNS
135/TCP         RPC
445/TCP         NETLOGON

I know a lot of the above can be secured over SSL, and RPC limited to a single port
(rather than anything above 1024), and that I can tunnel HTTP through IPSEC or a VPN.
However, since I'm using SecureNAT clients with ISA, IPSEC isn't really viable.

Would appreciate any feedback on this, and to find out what the general consensus of
opinion is.

Regards
Mylo

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
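One check a practitioner would want before signing off on either design is to verify, from the DMZ side, that the interior firewall actually permits only the ports in the table above and nothing wider (a common slip is leaving the whole RPC dynamic range open alongside 135/TCP). The following is an added example, not code from the original post or from ISA Server: it takes the post's interior TCP allow-list, probes a target host with plain TCP connects, diffs the result against the intended list, and also shows which of the permitted cleartext services have a TLS-protected counterpart (HTTP/HTTPS, IMAP/IMAPS, LDAP/LDAPS, GC/GC-over-SSL), which is the "secured over SSL" point raised in the post. The host name and the local listener used for the stand-alone demonstration are constructed stand-ins; run it from the FE host against a real DC to get meaningful output.

```python
"""Audit the interior firewall from the DMZ side (added example, not from the post)."""
import socket
from typing import Dict, Iterable, Set, Tuple

# Intended interior-firewall TCP allow-list, taken from the post's table.
INTENDED_TCP: Set[int] = {80, 143, 25, 389, 3268, 88, 53, 135, 445}

# Cleartext services in that list and the TLS-protected port that replaces each.
TLS_EQUIVALENT: Dict[int, int] = {80: 443, 143: 993, 389: 636, 3268: 3269}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect to host:port completes within the timeout.

    A refused connection (RST) and a silently dropped one (timeout) both count
    as closed; for a firewall audit the distinction is not needed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def probe(host: str, ports: Iterable[int], timeout: float = 1.0) -> Set[int]:
    """Return the subset of ports that are reachable on host."""
    return {p for p in ports if tcp_open(host, p, timeout)}


def audit(intended: Set[int], observed_open: Set[int]) -> Dict[str, Set[int]]:
    """Compare the intended allow-list with what is actually reachable."""
    return {
        # open but not in the table: the firewall is wider than designed
        "unexpected_open": observed_open - intended,
        # in the table but unreachable: a missing rule or a service that is down
        "intended_but_closed": intended - observed_open,
        # permitted cleartext services that could be moved to their TLS port
        "cleartext_with_tls_alternative": {
            p for p in (observed_open & intended) if p in TLS_EQUIVALENT
        },
    }


def hardened_allow_list(intended: Set[int]) -> Set[int]:
    """Replace each cleartext port that has a TLS counterpart with that counterpart."""
    return {TLS_EQUIVALENT.get(p, p) for p in intended}


def local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port (constructed stand-in
    for a reachable internal service, so the example runs offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Return a loopback port that is currently closed (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Stand-alone demonstration against loopback; replace "127.0.0.1" and the
    # port set with the DC's address and INTENDED_TCP when run from the FE host.
    srv, open_port = local_listener()
    closed_port = free_port()
    candidate_ports = INTENDED_TCP | {open_port, closed_port}
    observed = probe("127.0.0.1", candidate_ports)
    result = audit(INTENDED_TCP, observed)
    for key, ports in result.items():
        print(f"{key}: {sorted(ports)}")
    print("hardened allow-list:", sorted(hardened_allow_list(INTENDED_TCP)))
    srv.close()
```

Scanning the full 1024-65535 range from the DMZ host, not just the table, is what actually catches an over-wide RPC rule; the candidate set above is kept small only so the demonstration finishes quickly.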