RE: Using ISA for 1 IP Address on net with hardware firewall on other
From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 07/08/04
Date: Thu, 8 Jul 2004 09:42:07 -0700
It can work but <do not> follow sandaruwan's suggestion.
Security can be a bit tricky, though. If you're able, I
recommend you obtain a copy of SBS (2K or 2K3 Premium) for
one configuration that is considered secure by many.

Main considerations:

You may decide to expose Exchange through the WAN interface
(the SBS default configuration) or use ISA's SMTP Server
Publishing, which I think most ISA aficionados would
prefer. If you do the latter, be certain you do not
configure 127.0.0.1 as a permitted relay. Also, unless you
believe circuit level packet filtering sufficient
security, you should not list your WAN IP address as a
permitted relay.

Although you may find many SBS Authorities recommending
Server Publishing OWA, the default SBS2K3 installation
does not recommend this and I concur; in fact, if you
deploy your OWA as subfolders of your Default Website this
can be a serious Security compromise. If you Server
Publish, deploy OWA on its own virtual website. If you Web
Publish, you can safely deploy OWA even if it is a part of
your Default Website and is by far the recommended way.

Any time you deploy websites through ISA and might
consider Web Publishing more than one website on multiple
IP addresses, you should configure individual Incoming Web
Listeners, not one Listener for all addresses, so that you
can configure each IP address separately. This becomes
critical if you configure security differently for each,
which would be the case if each website required its own
SSL certificate or some might require Basic or Integrated
authentication.

Tony Su
>-----Original Message-----
>Thanks for that. Wouldn't that affect the port settings
>for the local network card though?
>
>Cheers,
>
>Jon.
>
>"anonymous@discussions.microsoft.com" wrote:
>
>> hi
>> it should work as i feel. make sure incoming request "
>> use the same listener configuration for all ip address"
>> use this option and see.
>> nothing like try. so go ahead
>>
>> cheers
>> sandaruwan
>> >-----Original Message-----
>> >Sounds weird huh?
>> >
>> >I have a firewall that currently forwards to a web server
>> >(2003) and exchange server (SBS 2003).
>> >
>> >I want to install ISA on the exchange server, give it
>> >another public IP from our pool and configure to allow for
>> >OWA access on this IP.
>> >
>> >Could anyone confirm that this would work?
>> >
>> >I want the website to be on one IP address whilst OWA to
>> >be on another IP Address and I also want this to be done
>> >as cheaply as possible without having to alter the
>> >hardware firewall... Hence the strange methodology.
>> >
>> >
>> >.
>> >
>>
>.
>