Re: ISA and Exchange 2007



"ISA is just another level of security" - I don't think I've ever heard it
stated quite like that...
...kinda like saying "clothes are just another level of embarrassment
protection for other folks"... <g>

ISA offers security that Exchange and a "port-filter" firewall alone can't:
- pre-authentication (absorbs auth attacks so your Exch servers don't have to)
- HTTP-level validation (blocks HTTP-based attacks so your Exch servers don't have to)
- SMTP-level validation (blocks invalid SMTP commands so Exchange servers don't have to)
- RPC-level validation for MAPI publishing (validates RPC-level traffic so your Exchange servers don't have to)

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Mark" <Mark@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7380123C-0CDF-40A9-920B-90067EE4070F@xxxxxxxxxxxxxxxx
I have been doing Exchange work for about 8 years now and during that time I
have never felt the need to incorporate an ISA server into an environment.
And here is my take on why I have not. ISA is just another level of
security. The reason I say this is that if you set up OWA correctly and use
SSL you are already connecting back to the organization using a secure
method. I'm a believer in keeping it simple, therefore I have always seen ISA
as adding another level of complexity. Therefore my typical recommendation
is to keep your FE and BE servers internal to the network. Set up the firewall
to allow ports 25 and 443 only to the front end servers. Set up SSL on the FE
servers. Now if you are a company or government agency that performs
extremely sensitive work then I can agree with incorporating an ISA, but if you
are an ordinary company that doesn't deal with sensitive information then
what would be a compelling reason to incorporate ISA? I've never used ISA so
that is why I'm here to get other people's take on this. It is my
understanding that you can do load balancing with an ISA server. However,
you can also set up Network Load Balancing to do this as well, which I have
done in the past. I'd be happy to hear everyone's opinion on this. Perhaps I
can be persuaded to use/recommend ISA or just reaffirm my current belief.
Thanks,
Mark
