Test web server on ISA 2004

I am re-designing a small network (30 users), mostly the Internet facing portion. This will probably involve an ISA 2004 server for outbound proxy and handling remote access to a new Exchange server on the internal network.  The ISA server would be dual-nic, with external nic sitting on the DMZ behind a firewall and the other nic internal.

Part of the test if\sproviding a test of users downloading some files re-directed from their hosting vendor.  User is on www site, clicks to download (HTTP) a file, then is redirected to network in question.

My question is: Can I let this download come from the ISA server or do I need a separate  server on the DMZ for security?  If the concept proves valid, I would need a separate server for performance, but was not sure it was technically or security necessary.  

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
You 'can' do it from ISA by publishing the web service in the ISA's internal NIC IP but it is highly "not" recommended.

technically it should be on a seperate box as ISA should be controlling the security, the flow of traffic and redirection of requests. The ISA server is known s the 'local host' when you set it up and behaves differently to any other machine that it protects. Things that may work in this fashion are not assured to work for any clients.

From a security point also you should not host ANY service on the ISA server itself. The one exception to this rule is when you are running Microsoft's Small Business Server (SBS). SBS runs a cut down version of ISA that is designed to sit on the SBS Domain Controller.

In short, put it on any box (perimeter or internal) but not on the ISA.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
banjo1960Author Commented:
Thanks for the clear response. I was fairly certain that was the case from other articles, but you cleared it up nicely.

Keith AlabasterEnterprise ArchitectCommented:
Your welcome :)
Keith AlabasterEnterprise ArchitectCommented:
Thank you :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.