A good thing to consider is ISA Server. FE/BE is really only designed for load distribution so having them both "inside" is fine with only ISA in DMZ. Then just publish Exchange on ISA. I think Exchange needs to be a Secure NAT Client.
Just MHO.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Darin
Sent: Monday, December 09, 2002 5:24 PM
To: Exchange Discussions
Subject: DMZ Options

We are in the process of planning an Exchange migration from GroupWise. We are looking at how the Front-End Design is going to be regarding OWA. I have read the Front-End Server Whitepaper and it appears that the best way is to have Users establish an SSL connection to a Front-End Server in a DMZ having only port 443 open on the Inter Firewall, then have IPSEC tunnel between the Front and Back-End Server having ports 51, 50, 500/UDP and 88 TCP/UDP open on the Intra Firewall.

Another administrator had the idea of putting both Front and Back End Servers on the Internal Network and instead putting in an Apache server in the DMZ and have the user create an SSL connection to the Apache Server, and then have that Server do a mod-proxy SSL connection to the Front-End Server. Therefore only having port 443 open on the Inter and Intra Firewall.

Is this a better design in regards to security?

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
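
The Apache-in-DMZ design described in the original message, sketched as an added example that is not from either poster. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded; the hostnames owa.example.com and fe.internal.example and all certificate paths are placeholders, and /exchange, /exchweb and /public are the standard OWA virtual directories of Exchange 2000/2003.

```apache
# DMZ reverse proxy: the only listener reachable from the Internet is 443,
# and the only flow allowed through the inner firewall is this host -> FE:443.
<VirtualHost *:443>
    ServerName owa.example.com                     # placeholder public name

    # TLS session from the user terminates here
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/owa.example.com.crt    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/owa.example.com.key  # placeholder

    # Second TLS session, proxy -> Front-End server. Without the verify
    # settings below the proxy encrypts but does not authenticate the FE.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem    # placeholder
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only; never act as a forward (open) proxy
    ProxyRequests Off
    # OWA builds absolute links from the Host header the client sent
    ProxyPreserveHost On

    # Publish only the OWA virtual directories. Anything else is answered
    # locally by Apache (404) and never reaches the internal network.
    ProxyPass        /exchange https://fe.internal.example/exchange
    ProxyPassReverse /exchange https://fe.internal.example/exchange
    ProxyPass        /exchweb  https://fe.internal.example/exchweb
    ProxyPassReverse /exchweb  https://fe.internal.example/exchweb
    ProxyPass        /public   https://fe.internal.example/public
    ProxyPassReverse /public   https://fe.internal.example/public

    # Log every proxied request at the trust boundary
    CustomLog /var/log/apache2/owa_access.log combined
    ErrorLog  /var/log/apache2/owa_error.log
</VirtualHost>
```

With this layout the inner firewall rule can be pinned to a single source and destination (proxy host to Front-End server, TCP 443), and the proxy's access log becomes the place to review what was requested from outside.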

