Solved

ISA Server, Exchange, DMZ-Intranet

Posted on 2002-03-25
Last Modified: 2013-11-16
I have an ISA configuration looking like this:
Internet - ISA1 - DMZ - ISA2 - Intranet

The DMZ and Intranet are using 192.168.x.xxx addresses.

On the intranet is an Exchange Server 2000 with the "integrated" IIS web
mail functionality.

I want to read the web mail from the internet and am therefore trying to publish
the Exchange web server via ISA2 and publish ISA2 via ISA1. Since
Exchange web mail relies on the hostname, I need to push the hostname all the
way through both ISA servers.

However, doing this I get the following error message when I browse this
page from the internet:
403 Forbidden - The server denies the specified Uniform Resource Locator
(URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server

Any tips or ideas?
Question by:campell
4 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 400 total points
ID: 6897349
Yes, don't do this!  Instead go with a full VPN setup and let your users access the actual internal mail server, among other things.

Yes, this is more work.  But it's also more powerful and likely more secure.
0
 
LVL 4

Assisted Solution

by:anzen
anzen earned 400 total points
ID: 6954271

You're breaking a lot of security rules; don't do it. The only safe way I see is moving the Exchange server to the DMZ, where it could be published using the "outer" ISA; the intranet users will then access it through the "inner" ISA server. This way, if someone breaks into your mail server, he won't be able to compromise your intranet.


0
 
LVL 4

Expert Comment

by:anzen
ID: 6954277

Another note: it would be better to have the DMZ on a completely different subnet; i.e., if the intranet is using a 192.168.x.y subnet you could use a 10.x.y.z for the DMZ. This way, if someone "penetrates" the DMZ, he won't have a clue about the internal network addressing scheme.

0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9709111
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts split between chris_calabrese and anzen.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
