Would coming in through the ISA server be better than an IIS server in the DMZ running OWA? Not leading, just asking, not very familiar with ISA.

----- Original Message -----
From: "Martin Blackstone" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, March 18, 2002 10:21 AM
Subject: RE: Front-End/Back-End Topology - Ex2K

> SSL
>
> -----Original Message-----
> From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 5:48 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
>
> How do you guys secure exchange with OWA and POP/IMAP if you don't put it in
> a DMZ?
>
> Matt
>
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 8:44 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
>
> There should be a rotating tag line appended to each message;
>
> "Exchange doesn't belong in the DMZ"
> "PST=BAD"
> "BLB=BAD"
>
> Etc
>
> -----Original Message-----
> From: missy koslosky [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 5:22 AM
> To: Exchange Discussions
> Subject: Re: Front-End/Back-End Topology - Ex2K
>
> Go with your instincts. Keep it out of the DMZ.
>
> There's lots of history on this in the archives of this list.
>
> Missy
>
> ----- Original Message -----
> From: "Myles, Damian" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Monday, March 18, 2002 7:47 AM
> Subject: Front-End/Back-End Topology - Ex2K
>
> Posted this on the ISA forums a few days ago, but thought it might be an
> idea to post for discussion.
>
> A while back I tested a FE/BE topology with the FE server sitting on our DMZ,
> opening numerous ports on our interior firewall to allow AD/GC lookups
> through etc. Now it comes to actually putting these fruits of labour into
> practice in a production environment, I'm far from convinced of the
> rationale of placing a FE server on a DMZ, given the security implications
> of doing so with regards the numerous open ports. I'm more inclined to
> allow to publish the front-end server (on our LAN) and allow remote users to
> connect through HTTPS, secured behind ISA, acknowledging there is always a
> risk putting Internet-accessed resources on a production LAN.
>
> Since this is a back-to-back firewall, the following ports would need to be
> opened
>
> Exterior Firewall
> -----------------
> 443/TCP HTTPS
> 25/TCP SMTP
> 993/TCP IMAPS
>
> Interior Firewall
> -----------------
> 80/TCP HTTP
> 143/TCP IMAP
> 25/TCP SMTP
> 389/TCP LDAP
> 389/UDP LDAP
> 3268/TCP
> 88/TCP KERBEROS
> 88/UDP KERBEROS
> 53/TCP DNS
> 53/UDP DNS
> 135/TCP RPC
> 445/TCP NETLOGON
>
> I know a lot of the above can be secured over SSL and RPC limited to a
> single port (rather than anything above 1024), and that I can tunnel HTTP
> through IPSEC or VPN. However, since I'm using SecureNAT clients with ISA,
> IPSEC isn't really viable.
>
> Would appreciate any feedback on this and to find out what the general
> consensus of opinion is?
>
> Regards
> Mylo
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]

