S.Y. Paul Lai
Guest
Posted: Sat Sep 25, 2004 5:57 am
Post subject: Re: Windows 2003 design
1) If you have an ISA, you can configure ISA to work like a front-end.
2) That's the standard FE-BE configuration.
What's the reason you need an FE-BE setup?
To offload SSL?
To enable NLB across multiple FEs?
To get a single name for connection to multiple BEs?
To avoid DoS attacks?
If you need only one machine to work as an FE, you can use the ISA.
--
S.Y.P. Lai
MCP+SB, MCDST
"James" <anonymous@discussions.microsoft.com> wrote in message
news:1cf201c4a296$4d8d8190$a301280a@phx.gbl
> What design would be more appropriate and why?
> 1) ISA in DMZ, Front-end server (OWA SMTP) (internal
> network), Back-end Server (internal network)
> 2) OWA - DMZ, Back-end server (internal network)
> Thank you,
Al Mulnick
Guest
Posted: Sat Sep 25, 2004 7:17 pm
Post subject: Re: Windows 2003 design
It's fair to add to that.
ISA is a firewall device. More precisely, a layer 7 firewall device (OSI
7-layer model) made by the application vendor. Potentially this offers you
the ability to scan packets for intent vs. destination. Since it comes from
the vendor, it comes with pre-defined rule sets geared towards its own
product. It comes with some nice features such as checking the packets (it
knows what a typical conversation should look like), SSL bridging, and plug-in
modules to add features such as two-factor authentication, anti-virus, etc.
If you deploy OWA in the DMZ, then when it's over, you'll basically have
extended your internal network to the DMZ due to the amount of traffic you
end up allowing to and from that DMZ OWA server. It's easier with ISA since then
it's only one traffic type to allow - HTTP or HTTPS. Also, the ISA server
doesn't have to be a domain member :)
I think it comes down to why you have a DMZ in the first place and what your
security policy/risk tolerance is. If you terminate your Internet
conversation on a server inside your network, you're saying you have a high
risk tolerance and that you don't have any problem with patching on a
regular basis, etc. Because that's what you need to do (to my mind) to have a
communications path come inbound unchecked all the way to the application
(any application).
There are plenty of other benefits of ISA, but those are some of them in this
scenario.
Al
"S.Y. Paul Lai" <syplai@hotmail.com> wrote in message
news:%23nScdppoEHA.3396@tk2msftngp13.phx.gbl...
> 1) If you have an ISA, you can configure ISA to work like a front-end.
> 2) That's the standard FE-BE configuration.
> What's the reason you need an FE-BE setup?
> To offload SSL?
> To enable NLB across multiple FEs?
> To get a single name for connection to multiple BEs?
> To avoid DoS attacks?
> If you need only one machine to work as an FE, you can use the ISA.
> --
> S.Y.P. Lai
> MCP+SB, MCDST
> "James" <anonymous@discussions.microsoft.com> wrote in message
> news:1cf201c4a296$4d8d8190$a301280a@phx.gbl
> > What design would be more appropriate and why?
> > 1) ISA in DMZ, Front-end server (OWA SMTP) (internal
> > network), Back-end Server (internal network)
> > 2) OWA - DMZ, Back-end server (internal network)
> > Thank you,