Re: Where do I put Exchange Server?

From: Tristan Kington [MSFT] (tristank_at_online.microsoft.com)
Date: 05/15/04

  • Next message: Sam: "Re: Where do I put Exchange Server?" 
    Date: Sat, 15 May 2004 16:32:37 +1000

    Sorry, I got the impression from your other posts that you wanted opinions -
    there are prescriptive guides available:

    http://www.microsoft.com/isaserver/techinfo/howto/default.asp

    http://www.tacteam.net/isaserverorg/exchangekit/

    I'm not sure of OWA can be front-ended by a lone IIS server; again, the DMZ
    isn't the right place for it with ISA 2000. Instead, ISA sits out front,
    providing secure publishing for internal servers. 

    -- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sam" <sam@iQinternet.com> wrote in message 
news:OVh51VjOEHA.2524@TK2MSFTNGP11.phx.gbl...
Hi,
I think it's important to follow some "best practices" from Microsoft rather
than follow our own ideas which may make perfect sense to us. I have a bunch
of related questions:
1. Is anyone aware of any "templates" Microsoft published about how to best
set up a secure network? This would really take the guesswork out of the
equation.
2. Does anyone know if there will be better application protection in the
DMZ in ISA Server 2004?
3. Speaking of ISA Server 2004, I saw some screen shots of it. MS seems to
have "templates" in ISA 2004. This is really a wonderful idea. Again, it
just takes the guesswork out of the equation.
The research I've done seems to indicate that everyone recommends keeping
Exchange in the internal. One interesting idea was to have an IIS machine in
the DMZ that would act as a front end to Exchange OWA. This makes a lot of
sense. Instead of keeping a full  blown Exchange in the DMZ, it's a lot more
cost efficient to keep an IIS in the DMZ. I wonder if I could use Windows
Server 2003 Web Edition for this purpose. I think W2K3 Web Edition is one of
the best ideas MS came up with.
Again, I'd appreciate your thoughts on these points. Thank you all...
Sam
"Tristan Kington [MSFT]" <tristank@online.microsoft.com> wrote in message
news:OnmeIGLOEHA.2100@TK2MSFTNGP11.phx.gbl...
> Just to chime in with my two cents' worth:
>
> ISA provides application-layer filtering protection for servers that are
on
> its internal network only. The only protection provided to perimeter
> networks is packet filtering, for which you might as well just use a
router
> with packet filters.
>
> The ISA DMZ (perimeter network) is actually NATted to the internal
network,
> so domain members generally won't be able to sit there without issue
> (domains weren't designed to be NATted).
>
> So, depending on how your DMZ is defined (is this the ISA DMZ or a
> pre-existing DMZ in which the ISA is a member?), you actually get better
> protection and less hassle when publishing a server behind the ISA server,
> rather than "to the side" of the ISA Server, and provide better service to
> clients while doing this.
>
> If you've multiple firewalls and an existing DMZ already, add ISA to the
DMZ
> as a secured publishing host between the external firewall and the inner
> network; you can filter the traffic on the way in and out. If you're just
> using one ISA Server, you'll have less setup and maintenance hassles by
> publishing internal servers than putting them in a DMZ, and you'll
> potentially be able to benefit from pre-authentication of web requests for
> OWA and other web sites as well (without going into the SMTP filtering
etc -
> or even add more hosts/services to do the SMTP filtering).
>
> Essentially, at some point the data from outside needs to get inside; how
> well-scrubbed it is by that time is up to you!
> -- 
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "Sam" <sam@iQinternet.com> wrote in message
> news:ePY%23%23TeNEHA.2884@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> Where should I put our Exchange Server, on the Internal network or the
DMZ?
> Thanks.
>
> Sam
>
>
>
  • Next message: Sam: "Re: Where do I put Exchange Server?"

    Relevant Pages

    • Re: ISA 2006 configuration question - multiple VLANs and domains
      ... very familiar with network segments vs. domains et. al. ... multihomed ISA 2006 server forward a DHCP request to the proper VLAN ... ISA is a Firewall Product designed to protect a network from the Internet. ...
      (microsoft.public.isa.configuration)
    • RE: Firewall service and remoteaccess service shut down frequently
      ... Do you have run the CEICW after installing the ISA components? ... please open SBS server management console, ... Click the Add Adapter button, and add your internal network adapter ... Meanwhile, from the subject, you said you the firewall service and RRAS ...
      (microsoft.public.windows.server.sbs)
    • RE: 504 Proxy timeout only with SSL traffic
      ... Is the Internal and DMZ network separated within ISA with two different ... Does your ISA Server have 3x NICs? ...
      (microsoft.public.isa)
    • Re: VPN breaks after installing patches
      ... I have just received your email due to some network traffic problems. ... access the network shares was denied by ISA Server. ... Open the Server management console, navigate to "Internet and E-mail", ...
      (microsoft.public.windows.server.sbs)
    • Re: Connect the SBS to a remote IIS for Internet Printing
      ... the server can access the Internet with no problems at all. ... Checking network connection, and after a few seconds it says The ... the problem is cause by the configuration of ISA. ...
      (microsoft.public.windows.server.sbs)
    Loading