Anyone using ISA 2006 with Exchange 2007

Just wondering how you have your network configured regarding OWA publishing? We have a single ISA 2006 box with a single NIC on the LAN. This is listening on 443. The core firewall is then allowing the public IP to pass through to the ISA box on 443.

Our security officer is not convinced by this and is of the opinion that everything external facing should be in the DMZ.

Has anyone else come across this, and/or are we doing it wrong?

Cheers
 
Diagram perhaps... ISA should have at least 2 NICs, one for internal, one for external, unless you're using it just as a proxy.
 
[Internet] --Port443--> [Hardware Core Firewall] --Port443--> [ISA on LAN Single NIC]

Our old Exchange 2003 Front-End went:

[Internet] --Port443--> [Hardware Core Firewall] --Port443--> [OWA on DMZ] --LotsofPorts--> [Ex2003 on LAN]
 
I personally would not deploy an Internet Accessible box on our LAN, only onto a DMZ.

I would always deploy the ISA to a DMZ if using it for publishing. If it is just being used as a Web Proxy, then I would put it on the LAN.

Whether I would deploy as 1 NIC or 2, I am not sure; however, I would be more inclined to deploy a 2 NIC solution so that I can use the firewall features of the ISA 2006.

I would not say you are doing it wrong, but you could be doing this more right.

If you have the ISA 2006 on the DMZ, then all you need to allow is HTTPS from the ISA to the Exchange 2007 CAS server on the LAN; obviously you need authentication through to the auth server, but again that is not much.
 