ISA- ISA blues...

Posted on 2003-03-24
Medium Priority
Last Modified: 2013-11-16
Hi all,

I have a few spare points so I thought I would through some good points out for the answer.

I have two ISA boxes running back to back.
My problem is that I have an exchange server on my internal network which I would like to host pop3 or perhaps even Outlook web access.

My external ISA box is a stand alone ISA server doesnt really have alot on it. Mainly just for the purpose of screening before the internal network.

I feel like forwarding from the external ISA to the internal ISA box to the published exchange server would work fine. However this would appear that the external users would then be directly connected to the internal exchange server. Is my thinking correct here ?

Is there some way to have some form of authentication on the external ISA box which forwards to the internal ISA box to the exchange server. I feel like forwarding is a little insecure and there has to be a better way.

Perhaps even the use of SSL - SSL would be my preferred method, is it poosible ? and how ?

Question by:huckey
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2

Accepted Solution

JJ2 earned 600 total points
ID: 8200988
"Server publishing allows virtually any computer on your internal network to publish to the Internet. Security is not compromised because all incoming requests and outgoing responses pass through ISA Server. When a server is published by an ISA Server computer, the Internet Protocol (IP) addresses that are published are actually the IP addresses of the ISA Server computer. Users who request objects think that they are communicating with the ISA server—whose name or IP address they specify when requesting the object—while they are actually requesting the information from the actual publishing server."
Securing Exchange Communications:


Author Comment

ID: 8207130
ok JJ these are all pretty interesting reading however all of them address either single firewall except for one which is great however it only shows the use of OWA.

What I would also like is pop3 through both firewalls with some form of authentication. worst case scenario is perhaps i will run with the OWA scenario.

Do you have any other ideas ?if not i will try the OWA option.

Expert Comment

ID: 8210741
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users


Assisted Solution

ccwork earned 450 total points
ID: 8224943
    Let me clarify what you want. You have an ISA firewall protecting your whole network and you get an internal network protected by another ISA firewall. However, you get an Exchange server in your internal network and you want public access.
    My comments:
1)  The design is wrong. An internal network should be internal :) This means that no public access to the internal network. Rather you should put the Exchange server in the DMZ and allow public access. ie.
    [external ISA] (public access to servers in DMZ)
       [DMZ] Exchange server
    [internal ISA] (blocks all incoming access)
   [internal network]
2) ISA adopts technology of packet filter that unlike Checkpoint FW1, it does not provide user authentication.

Expert Comment

ID: 8230466
During the Mail Services Selection when you ran Mail Server Security Wizard, If you checked the Default Authentication Box for "Incoming Microsoft Exchange/Outlook", this poses a security risk because it opens up the NetBIOS and Remote Procedure Call (RPC).
So its better to use Outlook Web Access(OWA).

Author Comment

ID: 8232311
ccwork. i understand where your coming from here but then how to I allow internal access to the external DMZ exchange server.

my issue here is roaming users that politically require access from external. I know its a security risk to allow it but thats what they want.

JJ2 I will look into the OWA method as it seems like the most secure option left. I doing this today so I will keep you informed thanks for your help everyone so far..

Assisted Solution

MSGeek earned 450 total points
ID: 8424648
ccwork.. "ISA adopts technology of packet filter that unlike Checkpoint FW1, it does not provide user authentication"

I am not sure I agree with this statement, ISA allows for integrated authentication with the enhancement pack installed.

huckey.. I agree with JJ2 on his OWA recomendation.  OWA is getting a lot better, it is even better in the 2003 beta I have seen.  They will harly notic they are using browser based e-mail.. that is until they let their connection time out  :)
LVL 79

Expert Comment

ID: 8636837
No comment has been added lately (35 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: split points between 1102365, 616103, 918324

Please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/

Expert Comment

ID: 8651673
lrmoore..  what does "split points between 1102365, 616103, 918324
" mean?
LVL 79

Expert Comment

ID: 8651793
Sorry, this is a new designation for comment numbers that the mods can use, I think
I used QuickPost and the template to recommend split between yourself, jj2, and ccwork and this is how it came out...
It should have said:

RECOMMENDATION: split points between ccwork and JJ2 and MSGeek


Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question