
Thread: Front-end, Back-end, ISA2004

  1. #1
    Ralph Guest

    Front-end, Back-end, ISA2004

    I am completing a migration for a fairly large organization (1300 mailboxes),
    with high mail volume (100k a day) and high OWA utilization. I was planning
    an NLB cluster on the front end, and a clustered ISA2004 solution for serving
    up OWA. Here is my question. I have 2 appliances for SMTP relay, so can I
    use ISA for only serving up OWA and HTTPS over RPC? I was reading over the
    installation documentation, and it seems that MS wants ISA to do everything.
    Do I have to do this? Do I want to? Also, what is the preferred config
    for the 2003 Server with ISA? A machine in its own workgroup authenticating
    via RADIUS?

    Thanks for the help!

    Ralph

  2. #2
    Neil Hobson [MVP] Guest
    We do lots of installs where ISA is just used for OWA/OMA/EAS/RPC over
    HTTPS, etc. It's a good design, and I wouldn't expect SMTP to necessarily
    route through ISA. We tend to implement specific content/AV software for
    SMTP, not ISA.

    The preferred config depends largely on what the org wants to do. If ISA is
    to be used for the above, then I'd suggest looking into implementing 2 x
    NICs on the ISA box - one goes to the DMZ, and one goes to the Internal
    network. This way you can use ISA to authenticate users via forms-based
    authentication prior to the users making any connection to the Exchange
    servers.

    --
    Neil Hobson
    Exchange MVP

    For Exchange news, links, and tips, check:
    http://www.msexchangeblog.com


  3. #3
    Ralph Guest
    Neil, thanks for the response.

    A couple of questions for you:

    When using ISA with 2 NICs (one in DMZ and one to internal network), would
    the ISA machine be part of the internal domain, or would it be in a workgroup?

    I have not yet installed ISA2004, but I recently read an article saying that
    the only way to get ISA to work in web proxy mode was to install ISA on a
    machine that has only 1 NIC installed. I'm guessing from your post that this
    is not true. Are there any special installation instructions for web proxy
    mode only?

    Thanks very much.

    -Ralph



  4. #4
    Neil Hobson [MVP] Guest
    We configure ISA to be a member of the internal domain. This architecture
    allows ISA to provide both web and server publishing and also to act as a
    full application layer firewall. Quite often this is used to complement the
    existing firewall implementation, which customers don't want to give up,
    understandably. Therefore, ISA is sort of 'in series' with the existing
    firewall, but only doing the OWA/OMA/EAS stuff, etc.

    --
    Neil Hobson
    Exchange MVP

    For Exchange news, links, and tips, check:
    http://www.msexchangeblog.com


