It wouldn't be significantly different, but given the limited framing of the
question, I'd say "yes".  It's better to come through an ISA server to an
OWA box on the inside network than to put OWA in the DMZ.  All caveats
included, of course.

-----Original Message-----
From: Richard Leslie [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 10:44 AM
To: Exchange Discussions
Subject: Re: Front-End/Back-End Topology - Ex2K


Would coming in thru the ISA server be better than an IIS server in the DMZ
running OWA?  Not leading, just asking, not very familiar with ISA.

----- Original Message -----
From: "Martin Blackstone" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, March 18, 2002 10:21 AM
Subject: RE: Front-End/Back-End Topology - Ex2K


> SSL
>
> -----Original Message-----
> From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 5:48 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
>
>
> How do you guys secure exchange with OWA and POP/IMAP if you don't put it in
> a DMZ?
>
>
> Matt
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 8:44 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
>
>
> There should be a rotating tag line appended to each message;
>
> "Exchange doesn't belong in the DMZ"
> "PST=BAD"
> "BLB=BAD"
>
> Etc
>
> -----Original Message-----
> From: missy koslosky [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 5:22 AM
> To: Exchange Discussions
> Subject: Re: Front-End/Back-End Topology - Ex2K
>
>
> Go with your instincts.  Keep it out of the DMZ.
>
> There's lots of history on this in the archives of this list.
>
> Missy
> ----- Original Message -----
> From: "Myles, Damian" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Monday, March 18, 2002 7:47 AM
> Subject: Front-End/Back-End Topology - Ex2K
>
>
> Posted this on the ISA forums a few days ago, but thought it might be 
> an idea to post for discussion.
>
> A while back I tested a FE/BE topology with the FE server sitting on our DMZ,
> opening numerous ports on our interior firewall to allow AD/GC lookups
> through etc.  Now it comes to actually putting these fruits of labour
> into practice in a production environment, I'm far from convinced of
> the rationale of placing a FE server on a DMZ, given the security
> implications of doing so with regards the numerous open ports.  I'm
> more inclined to allow to publish the front-end server (on our LAN)
> and allow remote users to
> connect through HTTPS, secured behind ISA, acknowledging there is
> always a risk putting Internet-accessed resources on a production LAN.
>
> Since this is a back-to-back firewall, the following ports would need to be
> opened
>
> Exterior Firewall
> -----------------
> 443/TCP HTTPS
> 25/TCP SMTP
> 993/TCP IMAPS
>
> Interior Firewall
> -----------------
> 80/TCP HTTP
> 143/TCP IMAP
> 25/TCP SMTP
> 389/TCP LDAP
> 389/UDP LDAP
> 3268/TCP
> 88/TCP KERBEROS
> 88/UDP KERBEROS
> 53/TCP DNS
> 53/UDP DNS
> 135/TCP RPC
> 445/TCP NETLOGON
>
> I know a lot of the above can be secured over SSL and RPC limited to a 
> single port (rather than anything above 1024), and that I can tunnel 
> HTTP through IPSEC or VPN. However, since I'm using SecureNAT clients 
> with ISA, IPSEC isn't really viable.
>
> Would appreciate any feedback on this and to find out what the general 
> consensus of opinion is?
>
> Regards
> Mylo
>
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]

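As an added illustration that is not part of the original thread, the Python below parses the inner-firewall port list from the first post in the thread and reports how many of its openings reach directory and authentication services, next to a rule list for a front-end published through ISA. The single-rule `INTERIOR_PUBLISHED_FE` list and the function names are assumptions made for the comparison, not something the posters supplied.

```python
import re

# Inner-firewall list as quoted in the original post (FE server in the DMZ).
INTERIOR_DMZ_FE = """80/TCP HTTP
143/TCP IMAP
25/TCP SMTP
389/TCP LDAP
389/UDP LDAP
3268/TCP
88/TCP KERBEROS
88/UDP KERBEROS
53/TCP DNS
53/UDP DNS
135/TCP RPC
445/TCP NETLOGON"""
# Assumption (not from the post): a LAN front-end published through ISA
# needs only its HTTPS listener reachable across the inner boundary.
INTERIOR_PUBLISHED_FE = "443/TCP HTTPS"
# Ports in the post's list that carry AD lookups and authentication traffic.
DIRECTORY_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                   389: "LDAP", 445: "SMB", 3268: "Global Catalog"}
RULE = re.compile(r"^(\d{1,5})/(TCP|UDP)(?:\s+(.*))?$", re.I)

def parse_rules(text):
    """Return [(port, proto, label)] from 'port/PROTO [label]' lines."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE.match(line)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((int(m.group(1)), m.group(2).upper(), m.group(3) or ""))
    return rules

def audit(text):
    """Summarise what an inner-firewall rule list exposes on the LAN."""
    rules = parse_rules(text)
    facing = sorted({(p, proto, DIRECTORY_PORTS[p])
                     for p, proto, _ in rules if p in DIRECTORY_PORTS})
    # 135/TCP only negotiates the real RPC port: unless RPC is pinned to one
    # port, the dynamic range above 1024 has to be opened as well.
    rpc_dynamic = (135, "TCP", DIRECTORY_PORTS[135]) in facing
    return {"openings": len(rules), "directory_facing": facing,
            "rpc_dynamic": rpc_dynamic}

if __name__ == "__main__":
    for name, text in (("FE in DMZ", INTERIOR_DMZ_FE),
                       ("FE published via ISA", INTERIOR_PUBLISHED_FE)):
        print(name, audit(text))
```
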