#1, definitely. The whole reason to use ISA proxy with a front-end/back-end
OWA setup is to reduce the amount of holes that must be punched in the
firewall. Since the OWA server must be a member of the domain, it requires
an exhaustive list of ports be open between itself and the Exchange server
as well as at least one domain controller. With the ISA proxy, it's 443 in,
443 out (or 80 out if you don't want/need to encrypt the traffic between the
ISA and OWA servers).

PaulM

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jason Gomes
Sent: Sunday, May 01, 2005 2:14 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] PIX -> ISA -> OWA Configuration

What is the preferred placement for a OWA front-end server given these two
possible network configurations and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==>
[OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX
Firewall] <==> [Internal Net w/Exchange Svr]

Notes:
The ISA server is performing a reverse proxy for HTTPS connections.
In #1, the backend firewall will only allow port 443 through to OWA.
In #2, all ports required for OWA to communicate with the internal exchange
server is allowed.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards