Solved

ISA Server, Exchange, DMZ-Intranet

Posted on 2002-03-25
4
7,123 Views
Last Modified: 2013-11-16
I have a ISA Configuration looking like this:
Internet - ISA1 - DMZ - ISA2 - Intranet

The DMZ and Intranet are using 192.168.x.xxx addresses.

On the intranet is a Exchange Server 2000 with the "integrated" IIS  web
mail functionality.

I want to read the web mail from internet and therfore trying to publish
the exchange webserver via ISA2 and publish the ISA2 via ISA1. Since
exchange web mail relies on hostname I need to push the hostname all the
way through both ISA servers.

However, doing this I get the following error message when i browse this
page from the internet:
403 Forbidden - The server denies the specified Uniform Resource Locator
(URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server

Any tips or ideas?
0
Comment
Question by:campell
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 100 total points
ID: 6897349
Yes, don't do this!  Instead go with a full VPN setup and let your users access the actual internal mail server, among other things.

Yes, this is more work.  But it's also more powerful and likely more secure.
0
 
LVL 4

Assisted Solution

by:anzen
anzen earned 100 total points
ID: 6954271

You're breaking a lot of security rules, don't do it, the only safe way I see is moving the exchange server to the DMZ where it could be published using the "outer" ISA; the intranet users will then access it through the "inner" ISA server; this way if someone breaks into your mail server he won't be able to compromise your intranet


0
 
LVL 4

Expert Comment

by:anzen
ID: 6954277

Another note: it would be better to have the DMZ on a completely different subnet; i.e. if the intranet is using a 192.168.x.y subnet you could use a 10.x.y.z for the DMZ, this way if someone "penetrates" the DMZ he won't have a glue about the internal network addressing scheme

0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9709111
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts split between chris_calabrese and anzen.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question