Re: Checkpoint Front End server - ISA Back End server - OWA Setup
- From: "Ray" <n/a>
- Date: Thu, 15 Mar 2007 09:22:53 -0400
Volki has it correct, depending on a few things.

What version of FW-1? If it's a reasonably current version, at a minimum NG
with Application Intelligence (R54 or R55) and preferably in the NGX series
(R60 or later), it's OK. If FW-1 is an earlier version, it is a bigger risk
by itself. Anything prior to R54 goes end of life in June 2007 or is already
expired. http://www.checkpoint.com/services/lifecycle/support_periods.html

What version of ISA? If it's ISA 2004 or 2006, you're OK. If it's ISA 2000,
you need to upgrade.

I run the same configuration as your #1. ISA 2004 & 2006 are fully aware of
what proper OWA traffic looks like and, unlike FW-1, can provide SSL
termination. Without SSL termination, FW-1 is blind to the HTTPS traffic
coming in from the Internet. You are using HTTPS for OWA, aren't you?

If your figure 2 is done correctly, yes, it can work. But FW-1 is inspecting
the traffic between ISA's internal interface and the Exchange server. The
only way FW-1 can inspect it is if you pass the traffic from ISA to the
Exchange server in plain HTTP format, not HTTPS. That's a bigger risk to me.

Check Point now has SSL termination in their R65 release, but since it's
scheduled to start shipping today, I am confident you do not have it. :-)

We've found that Check Point and ISA together are a very powerful
combination. They each have their strengths and weaknesses and complement
each other nicely.

Ray
Check Point Certified Security Expert

"ICTUser" <ictuser2002@xxxxxxxxxxxxxxxxx> wrote in message
news:no6dnU592ZYmu2TYRVnytAA@xxxxxxxxxxxxxxx
We currently use a Checkpoint firewall as our front end firewall. We are
looking to use OWA with an ISA Server used as a back end firewall. My
understanding from articles I have read is to set up the following.

Client/Internet
      |
      |
Checkpoint Firewall - - - - - - DMZ
      |                          |
      |                          |
      |                   External interface
Internal Lan               ISA Server
       \                  Internal interface
        \                        |
         \                       |
          - - - - - - - - Exchange server

I am not a firewall expert, but our firewall guy tells me this is a risk,
as we don't want the ISA Server internal interface bypassing the Checkpoint
firewall. He is suggesting the following.

Client/Internet
      |
      |
Checkpoint Firewall - - - - - - DMZ
      |           |              |
      |            - - - - -  |  |
      |                       |  External interface
Internal Lan                  |  ISA Server
      |                       |  Internal interface
Exchange server - - - - - - - |

To clarify, the request comes through the firewall, then to the external
interface on the ISA server in the DMZ, and then through the internal
interface back through the Checkpoint firewall and forwarded on to the
Exchange server. Is this way overcomplicated and would it even work?
Thanks in advance
Ictuser