RE: Using ISA for 1 IP Address on net with hardware firewall on ot

From: Jon Eden (JonEden_at_discussions.microsoft.com)
Date: 07/09/04


Date: Fri, 9 Jul 2004 01:49:01 -0700

Whoops. If anyone else uses the MS interface to this newsgroup watch out. When it tells you a post hasn't been made due to some server error, it probably has gone through as you can see from the multiple posts I made....

"Jon Eden" wrote:

> Tony,
>
> > Many thanks for the advice. We do have SBS 2003 Premium so as far as cost goes ISA server won't cost anything extra. I've just put the extra network card into the server but now think that I'll have to do a thorough read on the issues that you've pointed out.
>
> Thanks again & Best Regards,
>
> Jon
>
> "Tony Su" wrote:
>
> > It can work but <do not> follow sandaruwan's suggestion.
> >
> > Security can be a bit tricky, though. If you're able I
> > recommend you obtain a copy of SBS (2K or 2K3 Premium) for
> > one configuration that is considered secure by many.
> >
> > Main considerations:
> >
> > You may decide to expose Exchange through the WAN interface
> > (the SBS default configuration) or use ISA's SMTP Server
> > Publishing which I think most ISA aficionados would
> > prefer. If you do the latter, be certain you do not
> > configure 127.0.0.1 as a permitted relay. Also, unless you
> > believe circuit level packet filtering sufficient
> > security, you should not list your WAN IP address as a
> > permitted relay.
> >
> > Although you may find many SBS Authorities recommending
> > Server Publishing OWA, the default SBS2K3 installation
> > > does not recommend this and I concur; in fact, if you
> > deploy your OWA as subfolders of your Default Website this
> > can be a serious Security compromise. If you Server
> > Publish, deploy OWA on its own virtual website. If you Web
> > Publish, you can safely deploy OWA even if it is a part of
> > your Default Website and is by far the recommended way.
> >
> > Any time you deploy websites through ISA and might
> > consider Web Publishing more than one website on multiple
> > IP addresses, you should configure individual Incoming Web
> > > Listeners, not one Listener for all addresses so that you
> > can configure each IP address separately. This becomes
> > critical if you configure security differently for each,
> > which would be the case if each website required its own
> > SSL certificate or some might require Basic or Integrated
> > authentication.
> >
> > Tony Su
> >
> >
> >
> > >-----Original Message-----
> > >Thanks for that. Wouldn't that affect the port settings for the local network card though?
> > >
> > >Cheers,
> > >
> > >Jon.
> > >
> > >"anonymous@discussions.microsoft.com" wrote:
> > >
> > >> hi
> > >> it should work as I feel. Make sure incoming request "use the same listener configuration for all IP address" use this option and see.
> > >> Nothing like try. So go ahead
> > >>
> > >> cheers
> > >> sandaruwan
> > >> >-----Original Message-----
> > >> >Sounds weird huh?
> > >> >
> > >> >I have a firewall that currently forwards to a web server (2003) and exchange server (SBS 2003).
> > >> >
> > >> >I want to install ISA on the exchange server, give it another public IP from our pool and configure to allow for OWA access on this IP.
> > >> >
> > >> >Could anyone confirm that this would work?
> > >> >
> > >> >I want the website to be on one IP address whilst OWA to be on another IP Address and I also want this to be done as cheaply as possible without having to alter the hardware firewall... Hence the strange methodology.


