I currently have my front-end OWA/IMAP servers and my SMTP servers in our DMZ behind a Cisco PIX firewall. It has been recommended that I set up ISA servers to sit in the DMZ and place the front-end servers behind the inside firewall. This is supposed to cut down the number of ports that we will be required to open on the inside firewall for these servers to speak with DNS, Active Directory as well as the back-end servers. The Cisco administrator has told me that ISA seems to be simply a software firewall/VPN server/web caching, and as such we would be better served either using NAT, or adding a third PIX into the DMZ. Are there any specific application level benefits of using ISA to secure Exchange communication in addition to using a hardware firewall, or is ISA supposed to be used as a standalone firewall?
You can use Microsoft ISA Server as a standalone firewall, and you can also use it to publish Exchange resources (e.g., OWA, SMTP, IMAP4, POP3, RPC over HTTP). But because an Exchange front-end server needs to communicate with Active Directory before it can proxy a client request to a back-end server, most folks prefer to not put the front-end server in a DMZ. Instead, most folks will open a port on their firewall and direct it to one or more front-end servers inside the network. This would mean you only have to open a single port per protocol (e.g., 443 for HTTPS, 993 for IMAPS and 25 for SMTP).
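To make the port-count argument concrete, here is an added illustration (constructed for this page, not part of the original answer or any vendor configuration) of the two designs written as PIX 6.x-style rules, using the protocols named in the question. All addresses are placeholders (172.16.0.20 = DMZ front-end, 10.0.0.5 = domain controller/DNS, 10.0.0.30 = back-end, 10.0.0.20 = inside front-end, 203.0.113.10 = public address), the Active Directory/RPC port list is indicative of what a DMZ front-end needs rather than exhaustive, and lines beginning with `!` are annotations for the reader, not commands.

```text
! ---- Design A: front-end in the DMZ. The *inside* firewall must let it
! ---- reach DNS, Active Directory and the back-end server.
access-list dmz_to_inside permit udp host 172.16.0.20 host 10.0.0.5 eq 53
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 eq 53
! Kerberos
access-list dmz_to_inside permit udp host 172.16.0.20 host 10.0.0.5 eq 88
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 eq 88
! LDAP and Global Catalog
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 eq 389
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 eq 3268
! RPC endpoint mapper plus the default dynamic RPC range (Windows 2000/2003)
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 eq 135
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 range 1024 65535
! SMB (Netlogon/SYSVOL)
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.5 eq 445
! Front-end proxying OWA, IMAP and SMTP to the back-end mailbox server
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.30 eq 80
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.30 eq 143
access-list dmz_to_inside permit tcp host 172.16.0.20 host 10.0.0.30 eq 25
access-group dmz_to_inside in interface dmz

! ---- Design B (the answer's recommendation): front-end stays on the
! ---- inside network; the outside firewall forwards one port per protocol.
static (inside,outside) 203.0.113.10 10.0.0.20 netmask 255.255.255.255
! HTTPS for OWA, IMAPS, SMTP
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.10 eq 993
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-group outside_in in interface outside
```

Design A also exposes a large dynamic RPC range from a DMZ host to a domain controller, which is the main reason the answer prefers Design B over either ISA or a third PIX in the DMZ.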
This was first published in June 2004