  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1082
  • Last Modified:

ISA server in Sonicwall DMZ help for OWA help

Hi there,

I've got a SonicWall Pro 2040 Enh. OS and here's what I'm trying to do -
I have a single Exchange 2007 server on the LAN.  I want to connect a server to the DMZ port of my Sonicwall and mainly use it as an ISA reverse proxy for OWA access to the Exchange server.  There are a few things I haven't dealt with before so I have some general questions -

1. Do I need two NICs in my server in the DMZ for ISA?
2. The server has to get a public IP right?  If I have 8 public IPs with my ADSL connection at the moment can I divide this into two subnets and use one of these?  Any way of avoiding this and just "allocating" one of the IPs from the WAN interface of the Sonicwall to save getting more IPs?
3. If I have this server with ISA on it doing reverse proxy for OWA to protect the Exchange server, does it make sense for the Sonicwall to forward incoming SMTP traffic to this ISA box and have it forward that onto the internal Exchange server?

That's it really.  Besides knowing what a DMZ is and does I have no practical knowledge of it, and the same goes for ISA, so I'd appreciate reasonably detailed answers if possible.


Thanks!
Asked by: Zenith63
1 Solution

mikecrCommented:
Do you already have ISA Server? That's an awful lot of expense just to put in a reverse proxy for OWA. You're going to have some problems with it anyhow because you're going to need to install certificates on the ISA server so that you can do HTTPS reverse proxy back to the Exchange server. This becomes problematic. I'm not trying to talk you out of it but from the sounds of it you're a novice at this and it will get way over your head quickly. Are you familiar with ISA server at all?
0
 
Zenith63Author Commented:
There are reasons I have to isolate the LAN with a solution like this, and from reading about this seems to be the way to go but I'm open to suggestions.
I have never so much as looked at ISA, but I have a very in-depth knowledge of most other MS products out there and with firewalls in general so I'm confident I'll figure it out.  I'm happy to learn, so I'm not too concerned if I have to spend a few days getting it right.

As I say I'm open to suggestions, but if you can give me some overall ideas of what I'm looking for I'll figure the rest out...
0
 
mikecrCommented:
First off, you need to get a certificate for your OWA server and proxy server to make this easier so that you can do HTTPS. Do you have OWA configured already? I'm not familiar enough with Exchange 2007 yet but I worked with ISA server quite a bit. Below are the instructions to configure Outlook Web Access publishing on ISA 2004.

http://www.microsoft.com/technet/isa/2004/plan/single_adapter.mspx
0
 
Zenith63Author Commented:
Thanks for that link, that looks like it is what I'm after!

Any ideas on the three questions I asked above?
0
 
mikecrCommented:
Question 1: No, you don't need two network cards if you're using ISA for proxy only. Just use the one network card template that comes with ISA Server to configure it.
Question 2: No, you don't need to give your machine a public address. For even more protection, I'm a proponent of doing port based NAT. If you use NAT, you only have to NAT ports 80 and 443 to the machine allowing for a higher level of protection compared to giving it its own IP address and creating a rule to allow access.
Question 3: Review this article to see if this is what you would like to do. I'm also a proponent of SMTP Relay.
http://www.isaserver.org/articles/smtprelayinboundoutbound.html
0
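
The port-based NAT layout from the answer above can be checked against a firewall's inbound policy list. The following is an added example, not code from any poster in this thread or from SonicWall: the policy format, the addresses and the `audit` function are all constructed for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")   # Exchange server lives here
DMZ = ipaddress.ip_network("172.16.1.0/24")    # ISA reverse proxy lives here
PROXY = ipaddress.ip_address("172.16.1.10")
ALLOWED_PORTS = {80, 443}   # add 25 only if the proxy also relays inbound SMTP


def audit(policies):
    """Return (policy name, finding) pairs for inbound NAT policies.

    Each policy is a dict with: name, public_ip, port (int or "any"), target.
    """
    findings = []
    for p in policies:
        target = ipaddress.ip_address(p["target"])
        if target in LAN:
            # Internet traffic reaches the LAN without passing the proxy.
            findings.append((p["name"], "forwards directly to the LAN"))
            continue
        if p["port"] == "any":
            # One-to-one NAT: exposure depends entirely on the access rules.
            findings.append((p["name"], "one-to-one NAT, not port based"))
        elif p["port"] not in ALLOWED_PORTS:
            findings.append((p["name"], f"unexpected port {p['port']}"))
        if target in DMZ and target != PROXY:
            findings.append((p["name"], "DMZ target is not the proxy"))
    return findings


# Constructed sample policy list (203.0.113.0/24 is a documentation range).
SAMPLE = [
    {"name": "owa-https", "public_ip": "203.0.113.2", "port": 443,
     "target": "172.16.1.10"},
    {"name": "owa-http", "public_ip": "203.0.113.2", "port": 80,
     "target": "172.16.1.10"},
    {"name": "legacy-smtp", "public_ip": "203.0.113.2", "port": 25,
     "target": "192.168.1.5"},
    {"name": "proxy-1to1", "public_ip": "203.0.113.3", "port": "any",
     "target": "172.16.1.10"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```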
