ISA is a better solution in a DMZ because it doesn't
require the plethora of holes in the internal
firewall.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp

Requiring VPN (your other message) is a good idea,
however, you may be coming back to ISA or some other
idea when your users demand to be able to get e-mail
from a coffeehouse kiosk terminal.

Ed

--- Erick Thompson <[EMAIL PROTECTED]> wrote:
> I have to admit to being a little confused, how would ISA help, aside
> from being a proxy? Which isn't nothing, but I'm wondering if I'm
> missing something else.
> 
> Thanks,
> Erick
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Webb, Andy
> > Sent: Wednesday, September 17, 2003 7:04 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> >
> > Don't forget you also have to fully protect the front end server from
> > all the other servers on the DMZ from which it is not isolated.
> >
> > Those other systems may have been placed on the DMZ in an insecure
> > state with the thought that if anyone broke them, they would be
> > isolated from the internal LAN. What happens when you put the FE in
> > the DMZ is you break that theory. The DMZ is no longer isolated from
> > the LAN.
> >
> > You definitely have to secure the FE, but once you have, why not put
> > it inside where it is not at risk from questionable systems on the DMZ?
> >
> > Better to put an ISA server in the DMZ as was suggested earlier.
> >
> > Regarding IPSEC, Exchange 2003 explicitly states that IPSEC is now
> > supported between front end and back end. So if you upgrade, that's
> > perhaps an option. Though a lesser one than using ISA imho.
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Leeann McCallum
> > Sent: Tuesday, September 16, 2003 6:32 PM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> > You could throw an OWA front end server in the DMZ, put certificate on
> > as Ed suggests, and then wrap everything up in an IPSEC packet that
> > goes between the front end and backend. Between the client on the net
> > and the front end, you would use SSL, so just open 443.
> > 
> > 
> > 
> > -----Original Message-----
> > From: Erick Thompson [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 17 September 2003 11:29 a.m.
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> >
> > Ed,
> >
> > I'm a little confused. You're recommending that I put in a front end
> > server, but not in the DMZ? It seems to me that I might have to open a
> > bunch of ports, but if the front end server is in the LAN, all ports
> > are by default open.
> >
> > Just to clarify, I have one Exchange server which lives on my LAN, and
> > there is an SMTP server in my DMZ that relays messages to the Exchange
> > server. At the moment, I don't have any other Exchange servers running.
> > 
> > Thanks,
> > Erick
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > > Sent: Tuesday, September 16, 2003 4:25 PM
> > > To: Exchange Discussions
> > > Subject: Re: OWA front end server - licensing and security
> > >
> > >
> > > Install a certificate on the front-end server and open port 443 to the
> > > front-end server. Putting a front-end server in a DMZ requires you to
> > > open lots of dangerous ports through the internal firewall to the
> > > Exchange servers, DCs and GCs.
> > > 
> > > Ed
> > > 
> > > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > > I'm setting up OWA in my organization, and I have two choices. I can
> > > > set up Exchange on the web server (in the DMZ), and specify it as a
> > > > front end server, or I can open port 80 to the primary Exchange
> > > > server. From a security standpoint, I really like the first option,
> > > > but I'm thinking that I need a second Exchange Enterprise license.
> > > > Am I correct in this?
> > > >
> > > > Am I being too paranoid about opening port 80 through to the
> > > > internal Exchange server? I've never liked the idea of raw traffic
> > > > entering my LAN....
> > > > 
> > > > Thanks,
> > > > Erick
> > > > 
=== message truncated ===



_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: 
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
