Re: Exchange with ISA

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 10/30/04

    Date: Sat, 30 Oct 2004 23:14:46 +0200
    
    

    Hi,

    If you use a Front-End server, the user never touches the back-end server.
    The Front-End server will be used as a proxy between the user and the
    back-end server. This way you can make sure that there is no external
    access from the internet to the server that holds mailboxes and other
    users' information.

    On ISA you can perform authentication before the user even gets to the
    Front-End (for this, ISA will have to be a member of the domain). When the
    client sends his username and password, ISA checks if the credentials are
    OK (user account is valid, password is correct, ...). If everything is OK,
    the user is granted access to OWA (Exchange front-end)...

    For security reasons, you should use an SSL certificate to protect
    passwords that are passed by clients on the internet to OWA. You can
    configure SSL Bridge on ISA (the SSL certificate is installed on ISA).
    After ISA gets the request it can decrypt it and check the content (e.g.
    what is inside the HTTP packet) -- and you can limit access to only a few
    directories on OWA -- e.g. http://owa.server.com/exchange* and others used
    for OWA. If a client requests any other directory on that website you can
    redirect them to any other site (e.g. your company policy site).
    Now you can decide how you will pass the traffic from the ISA to OWA. You
    can again use a certificate or use IPSec or just pass it in clear text...

    I hope this helps,

    Mike

    "bengt" <bengt@discussions.microsoft.com> wrote in message
    news:C312D8AF-2DF8-4809-B0F8-71F19D5173AA@microsoft.com...
    > Microsoft recommends a scenario where you put ISA server in a DMZ and
    > publish OWA from an Exchange Front-end server on the inside. Looking at
    > it strictly from a security point of view, is there any difference in
    > publishing the Back-end server instead and skip the Front-end server? I
    > mean if you manage to hack the Front-end server you're already inside?
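
Added example, not part of the original post and not ISA Server configuration: a Python model of the path restriction described in the reply above (allow only the OWA directories, redirect everything else), with the path normalized before it is matched. The `/exchweb` and `/public` prefixes, the host name and the redirect URL are assumptions; the post names only `/exchange*`.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed values for illustration; the post itself names only /exchange*.
ALLOWED_PREFIXES = ("/exchange", "/exchweb", "/public")
REDIRECT_URL = "https://policy.example.invalid/"  # placeholder policy site


def decide(url):
    """Return ("allow", canonical_path) or ("redirect", REDIRECT_URL)."""
    raw = urlsplit(url).path or "/"
    once = unquote(raw)
    # Fail closed on double-encoded input: a second decode must change nothing.
    if unquote(once) != once or "\\" in once or "\x00" in once:
        return ("redirect", REDIRECT_URL)
    # Collapse "." and ".." BEFORE matching, so a request that starts with an
    # allowed directory cannot climb out of it. IIS paths are case-insensitive.
    canon = posixpath.normpath(once).lower()
    for prefix in ALLOWED_PREFIXES:
        # Match on a segment boundary. This is stricter than the wildcard
        # /exchange* in the post, which would also match /exchangeadmin.
        if canon == prefix or canon.startswith(prefix + "/"):
            return ("allow", canon)
    return ("redirect", REDIRECT_URL)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "https://owa.example.invalid/exchange/alice/Inbox/",
    "https://owa.example.invalid/Exchange",
    "https://owa.example.invalid/exchange/../iisadmin/",
    "https://owa.example.invalid/exchange/%2e%2e/scripts/",
    "https://owa.example.invalid/exchange/%252e%252e/scripts/",
    "https://owa.example.invalid/exchangeadmin/",
    "https://owa.example.invalid/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        action, target = decide(sample)
        print(f"{action:8} {sample} -> {target}")
```

The double-decode check also rejects legitimate paths that contain a literal percent sign, so a production rule set would need to decide how strict to be there.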

