
Newby ISA question 1

Status
Not open for further replies.

monsterjta

IS-IT--Management
Sep 12, 2005
702
US
I'm doing some research on security, more specifically ISA for securing Exchange (owa,oma,etc).

I host multiple email domains, all Exchange 2003 servers. Can ISA know to forward email destined for DomainA to FEExchangeServerA, and email destined for DomainB to FEExchangeServerB, and so on??? Will I need to create a DMZ for each Exchange Server?

Any advice or resources directly related to this would be much appreciated.

Thanks!
 
On the ISA box you'd need separate listeners for each domain and the publishing rules reference the back-end Exchange server names so you'd have a different policy for each domain. You wouldn't need separate DMZs (you don't need DMZs anyway).

The way we provide OWA is a checkpoint firewall on the perimeter that allows HTTPS traffic to the ISA server. ISA server is located on our internal network (NAT'd on the firewall), the ISA server publishes OWA via our front-end Exchange server which in turn connects to the back-end Exchange servers (the front-end is on the same subnet as the ISA server and the back-end are on internal networks but different subnets as in different offices).

As per Microsoft's advice, forget about sticking Exchange servers on a DMZ as it's no more secure as you need to open so many ports to allow AD functionality etc. you may as well not have a DMZ. Just trust ISA to secure the Exchange environment and, if necessary, a different firewall in front of ISA for a bit more protection.

In terms of setting it all up, it took me a fair bit of trial and error but I found some decent articles on MS Technet as well as at and
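As an added illustration of the per-domain listener and publishing-rule idea in the reply above (this is not code from the thread, nor from ISA Server itself), the following Python model parses an HTTP request head, matches the Host header against a table of published names, and refuses anything that is not published or not served over TLS. The domain names, server names and rule table are constructed placeholders; the path list is the usual set of Exchange 2003 OWA/OMA/ActiveSync virtual directories.

```python
"""Added example: a minimal model of how a reverse proxy such as ISA Server
publishes several Exchange front-ends. Each published public name has its
own rule pointing at its own front-end server; a request for any other
host, any unpublished path, or over plain HTTP is denied rather than
forwarded. All names and addresses below are constructed placeholders."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Virtual directories an Exchange 2003 OWA/OMA/ActiveSync publishing rule
# normally exposes; anything outside them is not forwarded to the front-end.
PUBLISHED_PATHS = ("/exchange/", "/exchweb/", "/public/", "/oma/",
                   "/microsoft-server-activesync/")


@dataclass(frozen=True)
class PublishingRule:
    public_name: str       # host name clients use; the listener's certificate matches it
    backend: str           # front-end Exchange server this rule forwards to
    require_tls: bool = True


# Constructed rule set: one rule per hosted domain, each with its own front-end.
RULES: Dict[str, PublishingRule] = {
    "mail.domaina.example": PublishingRule("mail.domaina.example", "feexchangeservera.internal"),
    "mail.domainb.example": PublishingRule("mail.domainb.example", "feexchangeserverb.internal"),
}


def parse_request_head(raw: bytes) -> Optional[Tuple[str, str, Optional[str]]]:
    """Parse a raw HTTP/1.x request head into (method, path, host).

    Returns None when the request line is malformed; host is None when the
    Host header is absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, path = parts[0], parts[1]
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]   # drop any :port suffix
    return method, path, host


def path_is_published(path: str) -> bool:
    """True only for paths inside one of the published virtual directories."""
    path_l = path.lower()
    if ".." in path_l:                     # never forward traversal attempts
        return False
    for prefix in PUBLISHED_PATHS:
        if path_l == prefix.rstrip("/") or path_l.startswith(prefix):
            return True
    return False


def route(raw: bytes, tls: bool) -> Tuple[str, str]:
    """Decide what the listener does with one request head.

    Returns ("forward", backend_name) or ("deny", reason)."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return ("deny", "malformed request")
    _method, path, host = parsed
    if host is None:
        return ("deny", "no Host header")
    rule = RULES.get(host)
    if rule is None:
        return ("deny", "host not published")      # no listener answers for unknown names
    if rule.require_tls and not tls:
        return ("deny", "TLS required")
    if not path_is_published(path):
        return ("deny", "path not published")
    return ("forward", rule.backend)


if __name__ == "__main__":
    # Constructed request heads, one per hosted domain and one for an unknown host.
    for req, tls in (
        (b"GET /exchange/ HTTP/1.1\r\nHost: mail.domaina.example\r\n\r\n", True),
        (b"POST /Microsoft-Server-ActiveSync/?Cmd=Sync HTTP/1.1\r\nHost: mail.domainb.example:443\r\n\r\n", True),
        (b"GET /exchange/ HTTP/1.1\r\nHost: mail.unknown.example\r\n\r\n", True),
        (b"GET /scripts/ HTTP/1.1\r\nHost: mail.domaina.example\r\n\r\n", True),
        (b"GET /exchange/ HTTP/1.1\r\nHost: mail.domaina.example\r\n\r\n", False),
    ):
        print(route(req, tls))
```

The point the model makes is the one in the reply: each published name resolves to exactly one back-end, and the default for anything unmatched is to deny, so adding a third hosted domain means adding a rule, not another DMZ.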
 
Thanks. Yeah, I've been reading a lot of articles by Tom Shinder at isaserver.org. I'm fairly new to the ISA server, as I guess I've been stuck on hardware solutions for quite some time. But, my Cisco gear doesn't do application layer inspection. Hence, the need for ISA to secure (mostly) Exchange. I will need to keep the Cisco gear, though, as ISA doesn't support the VOIP functionality I currently have in place.

Anyway, Tom Shinder vehemently supports the use of DMZs. Not just a DMZ, but as many DMZs as necessary. He gave me a new perspective on DMZs, viewing them as security zones of varying degrees (anonymous vs authenticated), rather than simply an open area hanging off a firewall. I do like his concepts, as there is logic and validity there.

Anyway, I don't want to go off on a tangent.

This may be a little off topic, but can a single Front End Exchange Server forward mail to multiple BE Servers on different domains? I'm thinking not, but I haven't found anything on the subject.
 
I wouldn't think so since you have to go through the Exchange install and detail org names, etc.... if I remember right...

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 
Looks like Exchange 2007 allows for a better DMZ with the 'Edge Transport' role (SMTP gateway that's not a domain member).

Not sure on the single front-end to different org back-ends, doubtful as ADgod says. Not sure if you've looked into MS's Hosted Exchange stuff, they have a lot of tools bundled up for ease of supporting/provisioning multiple email domain environments etc.
 