Hi All,

Reading your answers in my previous post, I decided to plan things like
this:

- SERVER A: Windows Server 2008 + Exchange 2007 in LAN Network
(private IPs), Domain Controller
- SERVER B: Windows Server 2008 + ISA Server 2006 in DMZ Network
(public IP)

Now my questions are:

- As the ISA server is separated from the LAN, should it be a domain
member or not? Should I leave it in a workgroup? If I configure it as a
domain member BEFORE publishing it with a public IP in the DMZ, what will
happen then? Should I enable certain rules at the firewall level?

- Outlook 2007 clients in the LAN network should point to SERVER A, while
external clients should point to the ISA server? What if a roaming client
(a notebook with Outlook 2007) connects sometimes from the LAN network and
sometimes from the external network?

I googled a little but can't find a good howto: can you point me to a
guide about best practices for publishing an ISA server in a DMZ network
in a domain network (not a workgroup)?

Thank you i.a.

Marco

Re: DC+EXCHANGE in LAN, ISA on DMZ by Ed

Ed
Tue Aug 19 11:16:14 CDT 2008

Answers inline below.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.

"M. Simioni" <m.simioni@gmail.com> wrote in message
news:ec968bfa-7e43-4886-8bb7-c5b1ccfcd3f6@m3g2000hsc.googlegroups.com...
> Hi All,
>
> Reading your answers in my previous post, I decided to plan things like
> this:
>
> - SERVER A: Windows Server 2008 + Exchange 2007 in LAN Network
> (private IPs), Domain Controller
> - SERVER B: Windows Server 2008 + ISA Server 2006 in DMZ Network
> (public IP)
>
> Now my questions are:
>
> - As the ISA server is separated from the LAN, should it be a domain
> member or not?

Not. Opening your DMZ to access the domain is an enormous security hole and
defeats a lot of the reason for using ISA.

> Should I leave it in a workgroup?

A workgroup is just a designation for servers not in a domain. If it's not
a domain member, then it's a workgroup member. There's no security effect
to a workgroup, so it really doesn't matter if you put it in the same or a
different workgroup than other servers.

> If I configure it as a
> domain member BEFORE publishing it with a public IP in the DMZ, what will
> happen then?

Don't make it a domain member.

> Should I enable certain rules at the firewall level?

You might ask an ISA newsgroup about that, but my experience with ISA is
that it takes care of all that.

> - Outlook 2007 clients in the LAN network should point to SERVER A, while
> external clients should point to the ISA server?

Yes. External clients shouldn't be able to see SERVER A at all.

> What if a roaming client
> (a notebook with Outlook 2007) connects sometimes from the LAN network and
> sometimes from the external network?

That can be a problem if your namespaces outside and inside are different,
one of the reasons I like a split-brain DNS. If you configure Outlook
clients to use Outlook Anywhere, then they'll figure out how to connect
externally and internally automatically.

> I googled a little but can't find a good howto: can you point me to a
> guide about best practices for publishing an ISA server in a DMZ network
> in a domain network (not a workgroup)?

Best practice is to not do that.

> Thank you i.a.
>
> Marco



Re: DC+EXCHANGE in LAN, ISA on DMZ by Mike

Mike
Wed Oct 01 22:27:41 CDT 2008

Another poster gave you very solid answers. I will reiterate what was
said though and then add some thoughts.

Exchange should NOT be exposed to the internet directly - there should
be a firewall between it and the cloud. I would also suggest
anti-spam/virus between the cloud and the Exchange server. I know many
handle that on the Exchange server itself, but it seems a little silly
to let that stuff inside the firewall in the first place; filter it out
outside of the firewall. I do that using a standard server with SMTP
and GFI products working in SMTP gateway mode.

ISA Server is a fairly complex being and, as such, it can be configured
in many different ways with pluses and minuses for each. If you are
good at figuring things out, you can get a good book on ISA and sort
through the options, but if you need something fairly quick that works
well without exposing your network, I would suggest you find someone and
outsource the ISA design and configuration.

ISA discussions should also be handled in the ISA newsgroups.

MDP


Re: DC+EXCHANGE in LAN, ISA on DMZ by Ed

Ed
Fri Oct 03 23:54:57 CDT 2008

ISA is certainly configurable as a firewall, but its more effective use for
Exchange is as a web publishing appliance, which it does very well. Even if
you don't use it as a firewall and use something else, it's quite useful for
this purpose. Still, some other web publishing appliance can do the same
job effectively, although it may not be as customized for Exchange as ISA
can be.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.
