Re: Exchange with ISA
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: Sat, 30 Oct 2004 23:14:46 +0200
If you use Front-End server the user never touches the back-end server.
Front end server will be used as proxy between the user and back-end server.
This way you can make sure that there is no external access from the
internet to the server that hold mailboxes and other user's information.
On ISA you can perform authentication before user even gets to Front-End
(for this ISA will have to be member of domain). When client sends his
username and password ISA check if the credentials are OK (user account is
valid, password is correct, ...). If everything is OK user is granted access
to OWA (Exchange front-end)...
For security reasons, you should use SSL certificate to protect passwords
that are passed by clients on the internet to OWA. You can configure SSL
Bridge on ISA (SSL certificate is installed on ISA). After ISA gets the
request it can decrypt it and check the content (e.g. what is inside the
HTTP packet -- and you can limit access to only few directories on OWA --
e.g. http://owa.server.com/exchange* and other used for OWA. If client
request any other directory on that website you can redirect them to any
other site (e.g. your company policy site).
Now you can decide how you will pass the traffic from the ISA to OWA. You
can again use certificate or use IPSec or just pass it in clear text...
I hope this helps,
"bengt" <email@example.com> wrote in message
> Microsoft recommends a scenario where you put ISA server in a DMZ and
> OWA from an Exchange Front-end server on the inside. Looking at it
> from a security point of view, is there any diffence in publishing the
> Back-end server instead and skip the Front-end server? I meen if you
> to hack the Front-end server you´re already inside?