Re: DC+EXCHANGE in LAN, ISA on DMZ




Answers inline below.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"M. Simioni" <m.simioni@xxxxxxxxx> wrote in message
news:ec968bfa-7e43-4886-8bb7-c5b1ccfcd3f6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,

Reading your answer to my previous post, I decided to plan things like
this:

- SERVER A: Windows Server 2008 + Exchange 2007 in LAN Network
(private IPs), Domain Controller
- SERVER B: Windows Server 2008 + ISA Server 2006 in DMZ Network
(public IP)

Now my questions are:

- As the ISA server is separated from LAN, should it be a domain
member or not?

Not. Opening your DMZ to access the domain is an enormous security hole and
defeats a lot of the reason for using ISA.

Should I leave it in a workgroup?

A workgroup is just a designation for servers not in a domain. If it's not
a domain member, then it's a workgroup member. There's no security effect
to a workgroup, so it really doesn't matter if you put it in the same or a
different workgroup than other servers.

If i configure it as a
domain member BEFORE publishing it with a public IP in DMZ, what will
happen then?

Don't make it a domain member.

Should i enable certain rules at the firewall level?

You might ask an ISA newsgroup about that, but my experience with ISA is
that it takes care of all that.

- Outlook 2007 clients in LAN network should point to SERVER A, while
external clients should point to isa server ?

Yes. External clients shouldn't be able to see SERVER A at all.

What if a roaming client
(a notebook with Outlook 2007) connects sometime from LAN network and
sometime from external network?

That can be a problem if your namespaces outside and inside are different,
one of the reasons I like a split-brain DNS. If you configure Outlook
clients to use Outlook Anywhere then they'll figure out how to connect
externally and internally automatically.

I googled a little but can't find a good howto: can you point me to a
guide about best practices to publish an ISA server in a DMZ network
under a domain network (not a workgroup)?

Best practice is to not do that.

Thank you in advance.

Marco
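The layout Ed describes (internal Outlook talks to SERVER A directly, roaming and external clients use Outlook Anywhere through ISA, one name inside and out via split-brain DNS) is mostly a matter of a few Exchange Management Shell settings on the Exchange box. The following is an added example written for this thread, not code posted by either participant and not Microsoft's documentation. It assumes Exchange 2007 SP1 parameter names, that SERVER A is named SERVERA, that mail.example.com is the published name, and that split-brain DNS answers mail.example.com with SERVERA's private address inside the LAN and with ISA's public address outside. The ISA publishing rule itself is built in the ISA console and is not shown here.

```powershell
# Added example for the thread above; run in the Exchange Management Shell on
# the Exchange 2007 server in the LAN (not on the ISA box in the DMZ).
# Assumed names (replace with your own):
#   SERVERA          - Exchange 2007 server, domain controller, LAN (private IP)
#   mail.example.com - single namespace: ISA's public IP from the Internet,
#                      SERVERA's private IP from the LAN (split-brain DNS)
$server     = "SERVERA"
$publicName = "mail.example.com"

# 1. Outlook Anywhere (RPC over HTTPS) needs the RPC over HTTP proxy feature
#    on Windows Server 2008; run once from an elevated prompt.
ServerManagerCmd -i RPC-over-HTTP-proxy

# 2. Enable Outlook Anywhere with one external hostname. Outlook on the LAN
#    still uses plain MAPI/RPC to SERVERA; when the same notebook is outside
#    it falls back to RPC over HTTPS via mail.example.com, i.e. via ISA.
Enable-OutlookAnywhere -Server $server `
    -ExternalHostname $publicName `
    -ClientAuthenticationMethod Basic `
    -SSLOffloading $false

# 3. Publish the same name for Autodiscover, EWS and OAB inside and outside,
#    so a roaming client receives consistent URLs wherever it connects from.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$publicName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$publicName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$publicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$publicName/OAB" `
    -ExternalUrl "https://$publicName/OAB"

# 4. Split-brain check: from a LAN host the name must resolve to a private
#    (RFC 1918) address, i.e. SERVERA; from the Internet only to ISA's public
#    IP. External clients should never see SERVERA's address at all.
function Test-SplitBrain {
    param([string]$Name)
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($a in $addrs) {
        $b = $a.GetAddressBytes()
        $private = ($b[0] -eq 10) -or
                   ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168)
        $view = if ($private) { "private address: LAN view, SERVERA" }
                else          { "public address: Internet view, ISA" }
        "{0} -> {1} ({2})" -f $Name, $a.IPAddressToString, $view
    }
}
Test-SplitBrain $publicName

# 5. Confirm what was applied.
Get-OutlookAnywhere -Server $server |
    Format-List ExternalHostname, ClientAuthenticationMethod, SSLOffloading
```

Run Test-SplitBrain once from a LAN workstation and once from outside (or from the ISA box, which sits on the public side); if both show the same address, the DNS is not split and the roaming-client problem Ed mentions will appear. The certificate on SERVERA's Default Web Site, and the one ISA presents on its web listener, must both carry mail.example.com for this single-namespace setup to work.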

