Deploying Exchange 2007, ISA 2006 in a pix firewall environment.

  • Question

  • I'm in the process of deploying Exchange 2007. This is my current setup.

    Internet == Pix == LAN

    To have the least impact on throughput, I have some questions on deploying Exchange, Edge Transport, and ISA. Would anyone say this is correct?

     

    Internet == ISA == Edge transport == PIX == LAN

    or

    Internet == ISA == PIX == LAN

    PIX DMZ == Edge transport

     

    Thanks in advance.

    Friday, February 3, 2012 4:40 PM

Answers

  • I think your second is closer.  Each device (ISA / Edge) provides different functionality.  I would set it up as follows:

         Internet - PIX - EDGE (in DMZ) - PIX - LAN

         Internet - PIX - ISA (dual NIC, Dual DMZ port) - PIX - LAN

    This works great and provides more security (ISA dual DMZ - no LAN interface).  However, I have also set up this:

         Internet - PIX - ISA - LAN

    Both will work.


    JAUCG
    Friday, February 3, 2012 6:37 PM

All replies

  • I would not recommend putting the ISA in between Exchange and PIX. I would rather publish the OWA behind ISA or behind the PIX. Publishing behind ISA is much better, as it does reverse proxy and authentication gets done via ISA, which is best compared to PIX. On the PIX you will have to allow 443 and forward the traffic to the translated IP, while ISA does inspect the traffic in SSL too.

     

    check out this blog.  - tmgblog.richardhicks.com

     


    Where Technology Meets Talent
    Saturday, February 4, 2012 3:39 AM
  • Any updates?


    JAUCG

    Friday, February 24, 2012 7:32 PM