Using F5 rather than ISA server.
We are moving OWA behind an F5. I was wondering if anyone has done this using F5 to Exchange CAS servers (Exchange 2007 load-balanced) without an ISA server (2006) in between?
Our certificates sit on the Exchange NLB servers and our current ISA Server 2006 points to these CAS servers. I thought I read someplace that with the newer version of IIS that the access control list could be done on the F5 and not need an ISA server at all. I know nothing of F5 so don't have any configuration insight. Am hoping someone here might have some suggestions on how to make this happen.
Would also like to hear of any concerns, suggestions, regarding moving OWA behind F5.
Our certificates sit on the Exchange NLB servers and our current ISA Server 2006 points to these CAS servers. I thought I read someplace that with the newer version of IIS that the access control list could be done on the F5 and not need an ISA server at all. I know nothing of F5 so don't have any configuration insight. Am hoping someone here might have some suggestions on how to make this happen.
Would also like to hear of any concerns, suggestions, regarding moving OWA behind F5.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
F5 offers specific fw & proxy features for OWA via its ASM module. What specifically is ISA doing to secure OWA other than the SSL bridging? Are their app firewall features specific to OWA being handled by ISA?
No offence but might be worth reading the blurb on the products first to see the differences as they are significant and muerous.
Although ISA is now end of line - and has been replaced by TMG - it is still far and away the best product on the market for what it provides.
As you state yourself, F5 offers 'specific' fw/proxy capability - as do most other systems that have bolted these on as an afterthought to meet market requirements.
ISA/TMG was built from the ground up as an EAL4+ firewall, a full proxy service and as an application gateway. With the addtion of the ISP-R TMG features for failover or load-balancing you don't get much better. TMG is cheaper as well.
Yes, TMG can take on the role of the Exchange Edge server, it can handle all of the antispam functionality that Exchange would handle natively, TMG presents the OWA logon script/change password scripts etc that OWA would normally front out and links it with SSO capabilities.
Where F5 far exceeds ISA or TMG is if you want the load-balancing performing outside of the environment i.e. before it has even hit the user site.
Although ISA is now end of line - and has been replaced by TMG - it is still far and away the best product on the market for what it provides.
As you state yourself, F5 offers 'specific' fw/proxy capability - as do most other systems that have bolted these on as an afterthought to meet market requirements.
ISA/TMG was built from the ground up as an EAL4+ firewall, a full proxy service and as an application gateway. With the addtion of the ISP-R TMG features for failover or load-balancing you don't get much better. TMG is cheaper as well.
Yes, TMG can take on the role of the Exchange Edge server, it can handle all of the antispam functionality that Exchange would handle natively, TMG presents the OWA logon script/change password scripts etc that OWA would normally front out and links it with SSO capabilities.
Where F5 far exceeds ISA or TMG is if you want the load-balancing performing outside of the environment i.e. before it has even hit the user site.
thx for the quick reply. Can you direct me to anything specific as to the OWA specific Security controls in TMG? Thus far i have been only able to find some docs addressing HTTP Request Smuggling and Content Protection? I am not looking to compare ISA (TMG) vs F5 across the board I am really focused on understanding what they provide for protecting OWA from AppFW perspective. Are there any OWA specific signatures avilable in TMG..?
Really needs to be your own question rather than piggy-backing on someone else's question. However, a quick win would be reviewing TechNet and search for publishing OWA via TMG - the walkthrough guide covers the permutations and I don't have to break the site rules here.