First off, let me say that ISA2006 is a fantastic product. I recommend taking a good, hard look at it - particularly if you are a heavy Cisco shop... But, more to the question.
OWA2007 offers many more features than previous versions, such as shared folder mapping through OWA, etc. My network admin (John Wilson) is reviewing it, but we haven't deployed it in the DMZ yet. But we will. Note that the Exchange team has flip-flopped a few times on the front end server being in the DMZ or not. This latest stipulation may be because they are not fully aware of what must happen for a DMZ installation to be successful, or they may just think that full functionality (like drive mapping via OWA) requires the box to be on the internal network. Can you tell us exactly WHY they say it "can't" be in the DMZ? AFAIC, you can put *anything* in the DMZ, but you might need to get creative to do so. I may be putting my foot in my mouth in regard to OWA2007, but I don't think so, and I'm up to the challenge ;) Regardless, ISA2006 can really come through for you. I've got my OWA2003 FE server on a perimeter leg in our DMZ via ISA2006 and couldn't be happier. Though the Exchange "port requirements" state that you've got to basically allow everything through to your internal network, the fact is you don't. My "least privilege" implementation works flawlessly with only DNS, Kerberos-Sec (UDP), LDAP, LDAP-Global Catalog, and PING allowed only from the perimeter FE box to the internal DCs, and only HTTP from the FE to the BE. Now, if I want to actually manage mailboxes and such from the System Manager on that box, or if I want to update Group Policy or such, then I just enable my Allow rule for MIFS and RPC from the FE to the DCs, but turn it off again afterwards. This keeps the access list pretty tight. Other options ISA offers that you might like include the ability to perform HTTP content inspection with an SSL bridge. You terminate SSL from the client to the ISA listener, and build it back with an SSL bridge so that ISA can inspect the traffic. Big bonus.
I cover precisely this type of configuration in my "ISA Ninjitsu" training being offered at RSA next month, and at the Blackhat Federal show, so if you are interested in how to build kickass DMZ firewall configs with ISA, I suggest you send a team out to the training-- Cisco guys always learn a lot ;) (I used to be a die-hard Cisco guy myself, so I know how to talk to them :^) And AFA an alternative goes, you can use the simple router tricks of your PIX to packet forward to your OWA instance on the Exchange box, but I'd rather sandpaper a bobcat's ass in a telephone booth than do that. ISA really is the way to go... Just my buck-o-five...

t

Support ' or 1=1 -- and help secure SQL installations while ending Intelligence Terror! Visit http://www.apostropheOr1equals1dashdash.com to find out how.

********* RSA Training! *********
If you've got any interest in hard-core firewall/DMZ configurations, then check out Thor's "Hammer of God" Training at RSA 2007!
ISA Ninjitsu: Designing, Building, and Maintaining Enterprise Firewall and DMZ Topologies with Microsoft ISA Server
https://cm.rsaconference.com/US07/catalog//profile.do?SESSION_ID=2434&form=searchform&ts=1167885409370

--
Join RABI- Republican's Against Bush's Ignorance
Read THAT mail, dude.

--
On 1/4/07 1:40 PM, "Randy Hall" <[EMAIL PROTECTED]> spoketh to all:

> We have been using OWA2000 for a few years now. The front end server sits in
> a DMZ and communicates to the backend server with a very painfully developed
> access list. In addition, you need two factor authentication to even get to
> the login screen.
>
> I recently attended a Microsoft presentation of the new architecture of
> Outlook 2007. The one thing that stuck out to me was that you can no longer
> put the front end server in a DMZ. It has to be on the internal network. The
> recommended way to publish OWA is ISA2006.
>
> I don't currently have ISA2006 anywhere in my network and we are a very heavy
> Cisco shop. What options do I have for publishing OWA? Purchasing ISA2006
> for this one application seems a bit overkill.
>
> Any help or guidance would be appreciated. Google turns up lots of hits for
> doing this with ISA but doesn't give any alternative.
>
> Randy Hall - Sr. Security Engineer - CISSP
> The Virginian Pilot - (757) 446-2754
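The least-privilege rule set the reply describes (DNS, Kerberos UDP, LDAP, LDAP-GC and ping from the perimeter front-end to the internal DCs, HTTP from front-end to back-end, plus a management rule for RPC/MIFS that is normally switched off), modelled as an added example that is not code from the mail or from ISA Server: it checks constructed connection records against the rules and reports what should have been denied, with the management rule off and on. Host addresses, the log format, and the RPC (135) and SMB/CIFS (445) port choices for the management rule are assumptions.

```python
from dataclasses import dataclass

FE = "192.0.2.10"                 # constructed: OWA front-end on the perimeter leg
DCS = {"10.0.0.5", "10.0.0.6"}    # constructed: internal domain controllers
BE = "10.0.0.20"                  # constructed: Exchange back-end

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp

# Standing rules from the post: (src, allowed dsts, proto, dport)
BASE_RULES = [
    (FE, DCS, "udp", 53),     # DNS
    (FE, DCS, "udp", 88),     # Kerberos-Sec (UDP)
    (FE, DCS, "tcp", 389),    # LDAP
    (FE, DCS, "tcp", 3268),   # LDAP Global Catalog
    (FE, DCS, "icmp", 0),     # PING
    (FE, {BE}, "tcp", 80),    # HTTP, front-end to back-end only
]
# Management rules: enabled only while administering, then switched off again.
# Ports are assumptions: RPC endpoint mapper 135, "MIFS" read as SMB/CIFS 445.
MGMT_RULES = [
    (FE, DCS, "tcp", 135),
    (FE, DCS, "tcp", 445),
]

def is_allowed(flow, mgmt_enabled=False):
    rules = BASE_RULES + (MGMT_RULES if mgmt_enabled else [])
    return any(flow.src == s and flow.dst in d and flow.proto == p and flow.dport == port
               for s, d, p, port in rules)

def parse_log(line):
    """Parse one constructed log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def audit(lines, mgmt_enabled=False):
    """Return the flows in the log that the rule set should deny."""
    return [f for f in map(parse_log, lines) if not is_allowed(f, mgmt_enabled)]

SAMPLE_LOG = [   # constructed
    "192.0.2.10 10.0.0.5 udp 88",     # Kerberos to a DC: allowed
    "192.0.2.10 10.0.0.20 tcp 80",    # HTTP to the back-end: allowed
    "192.0.2.10 10.0.0.5 tcp 135",    # RPC to a DC: only while managing
    "192.0.2.10 10.0.0.20 tcp 445",   # SMB to the back-end: never
]
```

Running `audit(SAMPLE_LOG)` flags the RPC and SMB records; with `mgmt_enabled=True` only the SMB record to the back-end remains, since the management rule opens RPC/SMB to the DCs alone.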
