Re: REPOST - Phillip Windell + ZVR Please take a look please! Any input ????
- From: "ZVR" <nospamever@xxxxxx>
- Date: Fri, 28 Oct 2005 05:05:45 -0400
OK, now I understand. DMZ2 in your scenario was referring to a perimeter
network from ISA, not from PIX. Yes, in that case you can keep the Exchange FE
server in DMZ2 with the BE in the LAN, but as you said, if this is not a large
site it might be overkill.
Virgil
"Julian Dragut" <julianmd@xxxxxxxxxx> wrote in message
news:OMc8uu32FHA.1420@xxxxxxxxxxxxxxxxxxxxxxx
> Ideally, I would be able to have one FrontEnd Exchange box in DMZ2 and the
> BackEnd Exchange box behind ISA, but the setup "yells" overhead. That's a
> tough one, actually, because PIX doesn't handle RPC very well...
> The reason I said 2 DMZs is because the PIX 515 comes with its own DMZ
> interface... it's driving me nuts.
> I hope no one will have the bright idea of wanting to use IP soft phones.
> Well, thanks a lot for the input; on Monday I'll be able to get more details.
>
> Really Appreciated
> Julian
>
>
> "ZVR" <nospamever@xxxxxx> wrote in message
> news:cOmdnZB8xcEe-_zeRVn-vQ@xxxxxxxxxxxxx
>>> I was thinking of creating 2 separate DMZs:
>>> DMZ1 from PIX and DMZ2 the normal back-to-back to ISA 2004.
>>>
>>> In DMZ1 to place the VoIP and in DMZ2 my Exchange Servers.
>>
>> Are you planning to keep the Exchange servers on DMZ2 itself or place
>> them behind ISA (on an ISA perimeter segment or even in the LAN)? This is
>> one of the most debated topics, but I personally prefer to keep Exchange
>> servers in the LAN; I think that it is the most secure setup that way.
>>
>>> DMZ1 (VoIP and the LAN clients, separating them using subnetting/VLANs)
>>> to take advantage of the existing infrastructure.
>>>
>>> Does it make any sense to you?
>>
>> VLANs do, but logically subnetting them on the same wire (if that's what
>> you meant) creates a potential nightmare for IP allocation, traffic
>> prioritization, etc., plus, depending on how many devices we are talking
>> about, you can end up with collisions, etc.
>>
>> I would personally go for a simpler setup as follows:
>>
>> PIX --- DMZ --VoIP --- ISA --- LAN + Exchange,
>>
>> meaning a single DMZ from PIX where the VoIP devices reside along with
>> the external interface of ISA, and your LAN behind ISA with the Exchange
>> servers on the Internal segment as well.
>>
>> This is a tried and true topology that will pose no problems for you and is
>> as secure as it can be, IMO.
>>
>> Virgil
>>
>>>
>>> "ZVR" <nospamever@xxxxxx> wrote in message
>>> news:cd-dnbec-bMlxfzenZ2dnUVZ_s2dnZ2d@xxxxxxxxxxxxx
>>>> I don't have hands-on experience with SIP/VoIP and ISA, but I can tell
>>>> you that no native SIP filter exists as of yet for ISA, which basically
>>>> means that if you place your VoIP clients behind ISA you will have
>>>> problems with the dynamic port assignments. My first reaction would be
>>>> that this might be solved by configuring a (third-party) SIP proxy
>>>> located on the ISA Server machine, but it has to be sourced and
>>>> tested...
>>>>
>>>> Of course the obvious solution is to separate the voice network, but
>>>> then you will lose some flexibility - there will be different jacks for
>>>> the Avaya devices to plug into, etc.
>>>>
>>>> As for the PIX-DMZ-ISA setup, it should be fine provided PIX handles
>>>> SIP well. Do you know for sure that it does? (I am no expert with PIX.)
>>>>
>>>> Virgil
>>>>
>>>>
>>>>
>>>> "Julian Dragut" <julianmd@xxxxxxxxxx> wrote in message
>>>> news:e2XV$S02FHA.2600@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hi everyone,
>>>>>
>>>>>
>>>>> I am just about to be involved in a new project, where the Cat5 copper
>>>>> 10/100 network is going to have a "makeover" to accommodate the
>>>>> following changes.
>>>>>
>>>>> Cisco 2600 Router
>>>>> Pix 515
>>>>> Isa 2004
>>>>> Avaya IP Office
>>>>>
>>>>> I have no beef with Cisco and VoIP, but I know that ISA doesn't
>>>>> support SIP.
>>>>> The reason I want to use ISA is (if not evident) its nice integration
>>>>> with W2K3 AD, where I want to deploy clustered Exchange 2K3 servers,
>>>>> filter apps and do BANDWIDTH prioritization.
>>>>>
>>>>> Unfortunately we cannot test either config in our lab yet, so we
>>>>> have to rely on planning and planning and..... you, the community :-).
>>>>> Does anyone have, or has anyone had, any experience with a similar
>>>>> setup? Is it worth creating a separate network for the voice
>>>>> infrastructure, or just upgrading to Gigabit and using the old network?
>>>>> Will a back-to-back PIX - DMZ - ISA work and protect my Avaya and my
>>>>> network (thinking that if the ISA is to work with Avaya, a lot of
>>>>> non-standard tweaks must be made)?
>>>>> Any input would be highly appreciated!
>>>>>
>>>>> Regards,
>>>>>
>>>>> Julian Dragut
>>>>>
>>>>>
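The "dynamic port assignments" point raised in the thread (no native SIP filter in ISA 2004, and the question of whether PIX handles SIP) comes down to one thing: the RTP/RTCP media ports are not fixed, they are negotiated inside the SDP bodies of the INVITE and its 200 OK. A firewall that only knows about UDP 5060 passes the signalling and then drops the audio. A SIP-aware filter has to read both SDP bodies and open exactly the negotiated flows, for exactly that call. The script below is an added example written for this page, not code from the original posts or from any Cisco, Microsoft or Avaya product; the addresses, ports and Call-ID are constructed sample data.

```python
"""Derive the UDP pinholes a SIP-aware firewall must open for one call.

Added example for the thread above; not code from the original posts or from
any PIX/ISA product. Media ports are negotiated in the SDP bodies of the
INVITE (offer) and 200 OK (answer), so the filter must parse SDP rather than
rely on a fixed port list. All sample messages below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # src_ip, src_port, dst_ip, dst_port (UDP)


@dataclass(frozen=True)
class MediaEndpoint:
    ip: str
    port: int  # RTP port; RTCP is conventionally port + 1


def parse_sip(raw: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_endpoints(sdp: str) -> List[Optional[MediaEndpoint]]:
    """One entry per m= line, in order (position pairs offer with answer).

    A media-level c= overrides the session-level c=; an m= line with port 0
    is a rejected stream and yields None so positions stay aligned."""
    session_ip = None
    sections = []  # [port, media-level ip or None]
    for line in sdp.split("\r\n"):
        if line.startswith("m="):          # m=audio 49170 RTP/AVP 0 8 101
            sections.append([int(line.split()[1]), None])
        elif line.startswith("c="):        # c=IN IP4 10.0.0.15
            ip = line.split()[2]
            if sections:
                sections[-1][1] = ip
            else:
                session_ip = ip
    result = []
    for port, ip in sections:
        if port == 0:
            result.append(None)
            continue
        ip = ip or session_ip
        if ip is None:
            raise ValueError("m= line without any c= connection address")
        result.append(MediaEndpoint(ip, port))
    return result


def derive_pinholes(invite: str, response: str) -> List[Flow]:
    """Return the UDP flows to permit once the INVITE gets a 2xx answer.

    Nothing is opened for provisional (1xx) responses; offer and answer must
    share a Call-ID and both carry SDP; m= lines pair up by position."""
    _, inv_hdr, inv_body = parse_sip(invite)
    start, rsp_hdr, rsp_body = parse_sip(response)
    if not start.startswith("SIP/2.0 2"):
        return []
    if inv_hdr.get("call-id") != rsp_hdr.get("call-id"):
        raise ValueError("answer does not belong to this offer")
    for hdr in (inv_hdr, rsp_hdr):
        if hdr.get("content-type", "").split(";")[0] != "application/sdp":
            raise ValueError("expected an SDP body")
    holes = set()
    for offer, answer in zip(media_endpoints(inv_body), media_endpoints(rsp_body)):
        if offer is None or answer is None:
            continue                       # stream rejected by one side
        for k in (0, 1):                   # RTP, then RTCP on port + 1
            holes.add((offer.ip, offer.port + k, answer.ip, answer.port + k))
            holes.add((answer.ip, answer.port + k, offer.ip, offer.port + k))
    return sorted(holes)


# Constructed sample: a phone on the protected segment calls an outside peer.
INVITE = (
    "INVITE sip:2001@192.0.2.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.15:5060;branch=z9hG4bK776\r\n"
    "From: <sip:1001@10.0.0.15>;tag=a1\r\n"
    "To: <sip:2001@192.0.2.20>\r\n"
    "Call-ID: call-7f3a@10.0.0.15\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.0.0.15\r\ns=-\r\n"
    "c=IN IP4 10.0.0.15\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
RINGING = "SIP/2.0 180 Ringing\r\nCall-ID: call-7f3a@10.0.0.15\r\nCSeq: 1 INVITE\r\n\r\n"
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: call-7f3a@10.0.0.15\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 2 2 IN IP4 192.0.2.20\r\ns=-\r\n"
    "c=IN IP4 192.0.2.20\r\nt=0 0\r\n"
    "m=audio 3456 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 31\r\n"             # the answerer rejects video
)

if __name__ == "__main__":
    assert derive_pinholes(INVITE, RINGING) == []   # ringing opens nothing
    for src_ip, src_port, dst_ip, dst_port in derive_pinholes(INVITE, OK_200):
        print("permit udp %s:%d -> %s:%d" % (src_ip, src_port, dst_ip, dst_port))
```

Run stand-alone it prints the four flows for the accepted audio stream (RTP and RTCP in each direction) and nothing for the rejected video stream. That per-call derivation is the work a SIP inspection engine does for you; without it the alternative is a permanently open block of RTP ports toward the phones, which is the trade-off the thread's PIX-DMZ-ISA topology is trying to avoid.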