> > -----Original Message-----
> > What is the preferred placement for a OWA front-end server given these
> > two possible network configurations and why?
> >
> > 1) [Internet] <=3D=3D> [PIX Firewall] <=3D=3D> [ISA Proxy] <=3D=3D> [PI=

X Firewall]
> > <=3D=3D> [OWA] <=3D=3D> [Internal Net w/Exchange Svr]
> >
> > 2) [Internet] <=3D=3D> [PIX Firewall] <=3D=3D> [ISA Proxy] <=3D=3D> [OW=

A] <=3D=3D>
> > [PIX Firewall] <=3D=3D> [Internal Net w/Exchange Svr]

None of the above. Use a second, different firewall to control the
Windows-protocol communication between the OWA server and your
internal trusted network, like so:

3) [Internet] <=3D=3D> [PIX Firewall] <=3D=3D> [ISA Proxy] <=3D=3D>
[OWA with Host-based IPS] <=3D=3D> [Different Firewall] <=3D=3D>
[Internal Exchange Svr with Host-based IPS]

In this scenario, any one element in the path can be vulnerable
at any moment in time and the internal resources remain protected.

Of course the next question is if you are going to this extreme,
why involve the Microsoft ISA proxy at all? Why not just replace
the " [PIX Firewall] <=3D=3D> [ISA Proxy] <=3D=3D>" part of the chain
with a more complex firewall capable of handling the combined
tasks of SSL acceleration and URL filtering?
firewall-wizards mailing list