  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 733

ISA- ISA blues...

Hi all,

I have a few spare points, so I thought I would throw some good points out for the answer.

I have two ISA boxes running back to back.
My problem is that I have an Exchange server on my internal network, which I would like to use to host POP3 or perhaps even Outlook Web Access.

My external ISA box is a stand-alone ISA server and doesn't really have a lot on it, mainly just for the purpose of screening before the internal network.

I feel like forwarding from the external ISA to the internal ISA box to the published Exchange server would work fine. However, it would appear that the external users would then be directly connected to the internal Exchange server. Is my thinking correct here?

Is there some way to have some form of authentication on the external ISA box, which then forwards to the internal ISA box and on to the Exchange server? I feel like forwarding is a little insecure and there has to be a better way.

Perhaps even the use of SSL. SSL would be my preferred method; is it possible, and how?

Asked by: huckey

3 Solutions

JJ2 commented:
"Server publishing allows virtually any computer on your internal network to publish to the Internet. Security is not compromised because all incoming requests and outgoing responses pass through ISA Server. When a server is published by an ISA Server computer, the Internet Protocol (IP) addresses that are published are actually the IP addresses of the ISA Server computer. Users who request objects think that they are communicating with the ISA server—whose name or IP address they specify when requesting the object—while they are actually requesting the information from the actual publishing server."
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/m_p_c_pnatrule.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_H_RedirectWebSSL.asp
Securing Exchange Communications:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/mailexch/opsguide/e2ksec04.asp

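What the quoted paragraph describes, as an added example that is not ISA Server code and not part of the original thread: external clients only ever connect to an edge listener that terminates SSL/TLS and checks credentials, and a request is forwarded to the published Outlook Web Access host only after that check passes, so the internal server never sees an unauthenticated connection. The backend name owa.internal.example, the user store, the certificate and key file names and the use of HTTP Basic authentication (acceptable only because the listener is TLS-only) are assumptions; it covers the OWA (HTTP) case, not POP3.

```python
"""Edge authentication in front of a published web mail server.

Added example (not ISA Server code and not from the thread): external clients
only ever talk to this listener, which terminates TLS and checks credentials;
a request is forwarded to the internal OWA host only after it passes.
"""
import base64
import hashlib
import hmac
import http.client
import os
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

BACKEND_HOST = "owa.internal.example"   # assumed name of the published OWA server
BACKEND_PORT = 443
REALM = "Mail"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest); the edge never stores clear-text passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store for the example: user -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse battery staple")}


def basic_auth_header(user: str, password: str) -> str:
    """Build the 'Authorization' header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <b64>' into (user, password), or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authorize(header: Optional[str], users: Dict[str, Tuple[bytes, bytes]] = USERS) -> bool:
    """True only for a known user presenting the right password."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    if user not in users:
        hash_password(password, b"\0" * 16)   # same cost as a real check: no user enumeration by timing
        return False
    salt, expected = users[user]
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def forward_headers(headers, client_ip: str) -> Dict[str, str]:
    """Strip the credentials and hop-by-hop fields; tell the backend who the client was."""
    drop = {"authorization", "proxy-authorization", "connection", "host", "content-length"}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out["Host"] = BACKEND_HOST
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-Proto"] = "https"
    return out


class EdgeProxyHandler(BaseHTTPRequestHandler):
    def _proxy(self) -> None:
        if not authorize(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return                       # nothing reaches the backend without valid credentials
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPSConnection(BACKEND_HOST, BACKEND_PORT, timeout=10)
        conn.request(self.command, self.path, body, forward_headers(self.headers, self.client_address[0]))
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("connection", "transfer-encoding", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = _proxy


def serve(certfile: str, keyfile: str, port: int = 443) -> None:
    """Listen with TLS terminated on the edge box."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    httpd = HTTPServer(("0.0.0.0", port), EdgeProxyHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve("edge.crt", "edge.key")        # assumed certificate and key file names
```

The point to check against the question: the client address the backend sees is the edge box, exactly as the quoted paragraph says, and the credentials are verified and then dropped before anything is forwarded, so the internal hop carries no user password. The backend connection is itself HTTPS and the certificate is verified against the system trust store, which is what keeps the inner leg from being a plain forward.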
huckey (author) commented:
OK JJ, these are all pretty interesting reading; however, all of them address a single firewall, except for one, which is great, but it only shows the use of OWA.

What I would also like is POP3 through both firewalls with some form of authentication. The worst-case scenario is that perhaps I will run with the OWA scenario.

Do you have any other ideas? If not, I will try the OWA option.

ccwork commented:
Hi,
    Let me clarify what you want. You have an ISA firewall protecting your whole network, and you have an internal network protected by another ISA firewall. However, you have an Exchange server in your internal network and you want public access to it.
    My comments:
1) The design is wrong. An internal network should be internal :) This means no public access to the internal network. Rather, you should put the Exchange server in the DMZ and allow public access, i.e.
    [internet]
         |
    [external ISA] (public access to servers in DMZ)
         |
       [DMZ] Exchange server
         |
    [internal ISA] (blocks all incoming access)
         |
   [internal network]
2) ISA adopts packet-filter technology and, unlike Checkpoint FW1, it does not provide user authentication.
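
The two-firewall layout in the diagram above, as an added Python model that is not part of the thread and not ISA configuration: a first-match, default-deny rule evaluator for each firewall plus a trace that walks a flow through whichever firewalls sit between its source and destination zones. The address ranges (DMZ 172.16.1.0/24, LAN 10.0.0.0/24, Exchange at 172.16.1.10) and the published ports 443 and 995 are constructed for the example.

```python
"""Trace a flow through the back-to-back layout in the comment above.

Added example (not part of the thread, not ISA configuration): a tiny
first-match policy model with constructed addresses, used to check that the
published mail server is reachable from outside and from the LAN while the
inner firewall still refuses everything initiated from outside the LAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List

DMZ = ip_network("172.16.1.0/24")        # constructed DMZ range
LAN = ip_network("10.0.0.0/24")          # constructed internal range
EXCHANGE = "172.16.1.10"                 # constructed address of the Exchange server in the DMZ
PUBLISHED_PORTS = frozenset({443, 995})  # OWA over SSL, POP3 over SSL


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dports: FrozenSet[int]      # empty means any port

    def matches(self, flow: Flow) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(flow.src, self.src) and in_net(flow.dst, self.dst)
                and (not self.dports or flow.dport in self.dports))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# External ISA: the only inbound service it publishes is the DMZ mail server.
EXTERNAL_FW = [
    Rule("allow", "any", EXCHANGE + "/32", PUBLISHED_PORTS),
    Rule("allow", str(DMZ), "any", frozenset()),   # DMZ hosts may go out
    Rule("allow", str(LAN), "any", frozenset()),   # LAN traffic the inner firewall already passed
]

# Internal ISA: blocks all incoming; only LAN-initiated flows pass.
INTERNAL_FW = [
    Rule("allow", str(LAN), "any", frozenset()),
]

HOPS = ["internet", "external_fw", "dmz", "internal_fw", "lan"]
TABLES = {"external_fw": EXTERNAL_FW, "internal_fw": INTERNAL_FW}


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "lan" if a in LAN else "dmz" if a in DMZ else "internet"


def trace(flow: Flow) -> str:
    """Return 'allowed', or 'dropped by <firewall>' for the first firewall that refuses the flow."""
    i, j = HOPS.index(zone(flow.src)), HOPS.index(zone(flow.dst))
    path = HOPS[i:j + 1] if i <= j else HOPS[j:i + 1][::-1]
    for hop in path:
        if hop in TABLES and evaluate(TABLES[hop], flow) == "deny":
            return "dropped by " + hop
    return "allowed"


if __name__ == "__main__":
    for f in (Flow("198.51.100.4", EXCHANGE, 443),     # roaming user -> OWA
              Flow("198.51.100.4", EXCHANGE, 995),     # roaming user -> POP3 over SSL
              Flow("198.51.100.4", "10.0.0.5", 110),   # Internet -> a LAN host
              Flow("10.0.0.5", EXCHANGE, 443),         # LAN user -> OWA in the DMZ
              Flow(EXCHANGE, "10.0.0.5", 445)):        # DMZ host -> LAN (a compromised server)
        print(f"{f.src:>14} -> {f.dst}:{f.dport:<4} {trace(f)}")
```

Two of the traces answer questions raised in the thread: a LAN user reaching the DMZ server passes the inner firewall because the flow is LAN-initiated, and a DMZ host trying to open anything towards the LAN is dropped there, which is the property the diagram is after. The model says nothing about what the Exchange server itself needs from the internal network (directory lookups, for instance); any such hole punched through the inner firewall has to be added as an explicit rule and then traced the same way.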

JJ2 commented:
During the Mail Services Selection step, when you ran the Mail Server Security Wizard, if you checked the Default Authentication box for "Incoming Microsoft Exchange/Outlook", this poses a security risk because it opens up NetBIOS and Remote Procedure Call (RPC).
So it's better to use Outlook Web Access (OWA).

huckey (author) commented:
ccwork, I understand where you're coming from here, but then how do I allow internal access to the external DMZ Exchange server?

My issue here is roaming users that politically require access from outside. I know it's a security risk to allow it, but that's what they want.

JJ2, I will look into the OWA method as it seems like the most secure option left. I'm doing this today, so I will keep you informed. Thanks for your help so far, everyone.

MSGeek commented:
ccwork: "ISA adopts packet-filter technology and, unlike Checkpoint FW1, it does not provide user authentication"

I am not sure I agree with this statement; ISA allows for integrated authentication with the enhancement pack installed.

huckey: I agree with JJ2 on his OWA recommendation. OWA is getting a lot better; it is even better in the 2003 beta I have seen. They will hardly notice they are using browser-based e-mail... that is, until they let their connection time out :)

lrmoore commented:
huckey,
No comment has been added lately (35 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: split points between 1102365, 616103, 918324

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/

MSGeek commented:
lrmoore, what does "split points between 1102365, 616103, 918324" mean?

lrmoore commented:
Sorry, this is a new designation for comment numbers that the mods can use, I think.
I used QuickPost and the template to recommend a split between yourself, jj2, and ccwork, and this is how it came out...
It should have said:

RECOMMENDATION: split points between ccwork and JJ2 and MSGeek
