Definitely? Under #1 it seems like something as simple as a directory
traversal attack against IIS/OWA that manages to get through ISA leaves
your entire internal network exposed. Under #2 it appears to me that an
attacker would need at the very least a second exploit to gain further
access to the trusted network.

Paul Melson wrote:
> #1, definitely. The whole reason to use ISA proxy with a front-end/back-end
> OWA setup is to reduce the number of holes that must be punched in the
> firewall. Since the OWA server must be a member of the domain, it requires
> an exhaustive list of ports be open between itself and the Exchange server
> as well as at least one domain controller. With the ISA proxy, it's 443 in,
> 443 out (or 80 out if you don't want/need to encrypt the traffic between the
> ISA and OWA servers).
>
> PaulM
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jason Gomes
> Sent: Sunday, May 01, 2005 2:14 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] PIX -> ISA -> OWA Configuration
>
> What is the preferred placement for an OWA front-end server given these two
> possible network configurations and why?
>
> 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==>
> [OWA] <==> [Internal Net w/Exchange Svr]
>
> 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX
> Firewall] <==> [Internal Net w/Exchange Svr]
>
> Notes:
> The ISA server is performing a reverse proxy for HTTPS connections.
> In #1, the backend firewall will only allow port 443 through to OWA.
> In #2, all ports required for OWA to communicate with the internal Exchange
> server are allowed.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards
>
>

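An added example, not part of the thread: a small model of the two layouts from the original question, comparing how many allow rules the inner PIX carries with which internal services a compromised OWA or ISA host could open connections to. The internal hosts, their ports, and the port list standing in for "all ports required for OWA" are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed internal hosts and their listening TCP ports (not from the thread).
INTERNAL = {
    "exchange": {25, 80, 135, 443},
    "dc": {53, 88, 135, 389, 445, 3268},
    "fileserver": {445},
    "sql": {1433},
}
# Assumed stand-in for "all ports required for OWA" to reach Exchange and a DC.
OWA_REQUIRED = {("exchange", 80), ("dc", 53), ("dc", 88),
                ("dc", 135), ("dc", 389), ("dc", 3268)}

@dataclass(frozen=True)
class Firewall:
    name: str
    allow: frozenset  # permitted (source, destination host, TCP port) tuples

OUTER = Firewall("outer PIX", frozenset({("internet", "isa", 443)}))
INNER_1 = Firewall("inner PIX #1", frozenset({("isa", "owa", 443)}))
INNER_2 = Firewall("inner PIX #2", frozenset(("owa", h, p) for h, p in OWA_REQUIRED))

# Hops in order from the Internet to the internal network, as drawn in the question.
LAYOUT_1 = ["internet", OUTER, "isa", INNER_1, "owa", "internal"]
LAYOUT_2 = ["internet", OUTER, "isa", "owa", INNER_2, "internal"]

def exposed(layout, compromised):
    """Internal (host, port) pairs the compromised hop can open connections to."""
    start = layout.index(compromised)
    filters = [hop for hop in layout[start + 1:] if isinstance(hop, Firewall)]
    return {(host, port) for host, ports in INTERNAL.items() for port in ports
            if all((compromised, host, port) in fw.allow for fw in filters)}

def inner_rule_count(layout):
    """Number of allow rules on the firewall closest to the internal network."""
    return len([h for h in layout if isinstance(h, Firewall)][-1].allow)

if __name__ == "__main__":
    for name, layout in (("#1", LAYOUT_1), ("#2", LAYOUT_2)):
        print(name, "inner rules:", inner_rule_count(layout),
              "| reachable from OWA:", len(exposed(layout, "owa")),
              "| reachable from ISA:", len(exposed(layout, "isa")))
```

Under these assumptions the model shows both sides of the exchange: layout #1 needs a single inner rule but leaves every internal service reachable from the OWA host, while layout #2 needs one rule per required port and limits the OWA host to exactly those.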