Re: PIX DMZ and ISA server

From: Scott Lowe (
Date: 01/17/05

Date: Mon, 17 Jan 2005 15:34:42 -0500

On 2005-01-08 22:55:24 -0500, <> said:

> What is the best location for the ISA external interface?
> Currently we have the external interface of the ISA server in a DMZ behind a
> PIX firewall. The internal interface is on the internal LAN. Is this the
> best architecture or is there a better way of doing it?

If installing ISA in integrated mode (two NICs), then proceed as you
have suggested, keeping in mind how the PIX NAT rules/access lists and
the ISA NAT/publishing rules will interact.

If installing ISA in cache mode (single NIC), then also install it in
the DMZ. You then need only to consider the PIX's NAT rules and
access-list entries.

I would also strongly urge you to investigate the use of products such
as Apache (with mod_ssl, mod_security, etc.) in place of ISA. This
solution can offer much of the same functionality (with regards to
protecting web servers) without any licensing costs. There is a
learning curve, but (IMHO, as one who has been along that curve) it is
worth it.


Scott Lowe
