Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


ISA Server, Exchange, DMZ-Intranet

Posted on 2002-03-25
Medium Priority
Last Modified: 2013-11-16
I have a ISA Configuration looking like this:
Internet - ISA1 - DMZ - ISA2 - Intranet

The DMZ and Intranet are using 192.168.x.xxx addresses.

On the intranet is a Exchange Server 2000 with the "integrated" IIS  web
mail functionality.

I want to read the web mail from internet and therfore trying to publish
the exchange webserver via ISA2 and publish the ISA2 via ISA1. Since
exchange web mail relies on hostname I need to push the hostname all the
way through both ISA servers.

However, doing this I get the following error message when i browse this
page from the internet:
403 Forbidden - The server denies the specified Uniform Resource Locator
(URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server

Any tips or ideas?
Question by:campell
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 14

Accepted Solution

chris_calabrese earned 400 total points
ID: 6897349
Yes, don't do this!  Instead go with a full VPN setup and let your users access the actual internal mail server, among other things.

Yes, this is more work.  But it's also more powerful and likely more secure.

Assisted Solution

anzen earned 400 total points
ID: 6954271

You're breaking a lot of security rules, don't do it, the only safe way I see is moving the exchange server to the DMZ where it could be published using the "outer" ISA; the intranet users will then access it through the "inner" ISA server; this way if someone breaks into your mail server he won't be able to compromise your intranet


Expert Comment

ID: 6954277

Another note: it would be better to have the DMZ on a completely different subnet; i.e. if the intranet is using a 192.168.x.y subnet you could use a 10.x.y.z for the DMZ, this way if someone "penetrates" the DMZ he won't have a glue about the internal network addressing scheme


Expert Comment

ID: 9709111
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts split between chris_calabrese and anzen.
Please leave any comments here within the next seven days.


EE Page Editor

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question