Re: Using ISA for 1 IP Address on net with hardware firewall on ot


From: A Klimkin (aklimkin)
Date: 07/09/04


Date: Fri, 9 Jul 2004 14:24:33 +0400

Ah, well. Meanwhile I started to think you have accidentally fallen asleep
and your forefinger has got stuck with mouse cursor on the 'Send' button...
;-)

Regards,
Andrew

"Jon Eden" <JonEden@discussions.microsoft.com> wrote in message
news:86450772-9422-4625-89CC-F78340EF882F@microsoft.com...
> Whoops. If anyone else uses the MS interface to this newsgroup watch out.
> When it tells you a post hasn't been made due to some server error, it
> probably has gone through as you can see from the multiple posts I made....
>
> "Jon Eden" wrote:
>
> > Tony,
> >
> > Many thanks for the advice. We do have SBS 2003 Premium so as far as
> > cost goes ISA server won't cost anything extra. I've just put the extra
> > network card into the server but now think that I'll have to do a thorough
> > read on the issues that you've pointed out.
> >
> > Thanks again & Best Regards,
> >
> > Jon
> >
> > "Tony Su" wrote:
> >
> > > It can work but <do not> follow sandaruwan's suggestion.
> > >
> > > Security can be a bit tricky, though. If you're able I
> > > recommend you obtain a copy of SBS (2K or 2K3 Premium) for
> > > one configuration that is considered secure by many.
> > >
> > > Main considerations:
> > >
> > > You may decide to expose Exchange through the WAN interface
> > > (the SBS default configuration) or use ISA's SMTP Server
> > > Publishing which I think most ISA aficionados would
> > > prefer. If you do the latter, be certain you do not
> > > configure 127.0.0.1 as a permitted relay. Also, unless you
> > > believe circuit level packet filtering sufficient
> > > security, you should not list your WAN IP address as a
> > > permitted relay.
> > >
> > > Although you may find many SBS Authorities recommending
> > > Server Publishing OWA, the default SBS2K3 installation
> > > does not recommend this and I concur, in fact if you
> > > deploy your OWA as subfolders of your Default Website this
> > > can be a serious Security compromise. If you Server
> > > Publish, deploy OWA on its own virtual website. If you Web
> > > Publish, you can safely deploy OWA even if it is a part of
> > > your Default Website and is by far the recommended way.
> > >
> > > Any time you deploy websites through ISA and might
> > > consider Web Publishing more than one website on multiple
> > > IP addresses, you should configure individual Incoming Web
> > > Listeners, not one Listener for all addresses so that you
> > > can configure each IP address separately. This becomes
> > > critical if you configure security differently for each,
> > > which would be the case if each website required its own
> > > SSL certificate or some might require Basic or Integrated
> > > authentication.
> > >
> > > Tony Su
> > >
> > >
> > >
> > > >-----Original Message-----
> > > >Thanks for that. Wouldn't that affect the port settings
> > > >for the local network card though?
> > > >
> > > >Cheers,
> > > >
> > > >Jon.
> > > >
> > > >"anonymous@discussions.microsoft.com" wrote:
> > > >
> > > >> hi
> > > >> it should work as i feel. make sure incoming request "use the
> > > >> same listener configuration for all ip address" use this option
> > > >> and see.
> > > >> nothing like try. so go ahead
> > > >>
> > > >> cheers
> > > >> sandaruwan
> > > >> >-----Original Message-----
> > > >> >Sounds weird huh?
> > > >> >
> > > >> >I have a firewall that currently forwards to a web server
> > > >> >(2003) and exchange server (SBS 2003).
> > > >> >
> > > >> >I want to install ISA on the exchange server, give it
> > > >> >another public IP from our pool and configure to allow for
> > > >> >OWA access on this IP.
> > > >> >
> > > >> >Could anyone confirm that this would work?
> > > >> >
> > > >> >I want the website to be on one IP address whilst OWA to
> > > >> >be on another IP Address and I also want this to be done
> > > >> >as cheaply as possible without having to alter the
> > > >> >hardware firewall... Hence the strange methodology.
> > > >> >
> > > >> >
> > > >> >.
> > > >> >
> > > >>
> > > >.
> > > >
> > >
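
An added example, not part of any poster's message: one way to check a permitted-relay list against the two entries Tony Su's reply rules out (127.0.0.1 and the WAN IP address), extended to also catch ranges that contain them. The list format, the function name and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): a permitted-relay list as
# plain strings and a WAN address from the 203.0.113.0/24 documentation range.
SAMPLE_PERMITTED = ["192.168.16.0/24", "127.0.0.1", "203.0.113.10",
                    "127.0.0.0/8", "0.0.0.0/0", "mailhost"]
SAMPLE_WAN_IP = "203.0.113.10"


def audit_relay_list(permitted, wan_ip):
    """Return (entry, reason) pairs for relay entries the advice rules out.

    An entry is flagged when it is, or is a range containing, 127.0.0.1 or
    the WAN IP address. Entries that are not IP addresses or CIDR ranges are
    flagged for manual review rather than silently skipped.
    """
    sensitive = {
        "covers 127.0.0.1": ipaddress.ip_address("127.0.0.1"),
        "covers WAN IP": ipaddress.ip_address(wan_ip),
    }
    findings = []
    for entry in permitted:
        try:
            # strict=False accepts host bits, e.g. "10.0.0.5/24" -> 10.0.0.0/24
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            findings.append((entry, "not an IP or CIDR range, review by hand"))
            continue
        for reason, addr in sensitive.items():
            if addr in net:  # containment, so wide ranges are caught too
                findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_relay_list(SAMPLE_PERMITTED, SAMPLE_WAN_IP):
        print(f"{entry:18} {reason}")
```
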

