There is some info on the how-tos at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/isahow.asp
They may help you decide on your course of action.

----- Original Message -----
From: "Charles Marriott" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, December 09, 2002 6:15 PM
Subject: RE: ISA Server implementation for Exchange

> Don't ever put ISA on a DC. (unless you create a separate forest)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Howard Griffith
> Sent: Monday, December 09, 2002 3:44 PM
> To: Exchange Discussions
> Subject: ISA Server implementation for Exchange
>
>
> Ok, here is the situation. I'm assigned to a project regarding Internet
> Security and I've been pushed into a corner and need some help.
>
> How are most people deploying ISA Server within their company? Are they
> adding it as a member of their AD domain or making it stand alone?
>
> Let me explain why I'm asking. Our company is looking at doing a more secure
> DMZ. For my part of the project I need to present a way to continue to allow
> access to our Exchange services to outside users, for this example, we'll
> say just SMTP and OWA.
>
> Ok, here is the catch. Even though we already have a checkpoint firewall in
> place on the outside border of the DMZ they feel that we should add another
> firewall on the inside border and put ISA between them as a stand alone box.
> While this will work, it's not exactly the best in my opinion.
>
> This is what I'm proposing but I need ammo to back it up. I'm telling them
> leave the Checkpoint where it is and use the ISA server as the inside border
> firewall and allow it to be a member of the AD domain. Put the web servers
> in the DMZ (their decision not mine) and allow me to publish my Exchange
> services with ISA to the outside world. Granted, even though this will all
> still be behind the checkpoint firewall, they don't like it. They want a
> completely disconnected DMZ. I've tried explaining the ins and outs about
> how ISA will do just fine and block everything the way it should and how we
> can do packet content level filtering but I'm still getting the "you're
> wrong and stupid" looks from them.
>
> Can somebody point me in the right direction for GOOD technical or political
> ammo to back up what I've recommended. Or am I whistling in the wind????
>
> TIA,
> Howard
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]

