Notes from the field - Part V: Publishing Exchange on the Internet
What's the most secure and recommended way of publishing Exchange on the Internet? ISA Server on the DMZ and both the front-end and the back-end on the internal network. There's no doubt about that!
So, in the project I've been describing in the last posts I had to publish Exchange 2003 Outlook Web Access. This is what I installed:
- ISA Server 2006 Standard Edition installed in the DMZ, out of the domain, just in a workgroup configuration.
- Exchange Server 2003 Standard Edition as a front-end.
- Exchange Server 2003 Enterprise Edition, 2 node cluster as a back-end.
- External Firewall open TCP ports: 80, 443.
- Internal Firewall open TCP ports: 443.
Microsoft has a technical article with the step-by-step configuration, Publishing Exchange Server 2003 with ISA Server 2006. I followed every step described in this document, but I had to make a change in one of the steps. ISA Server 2006 in a workgroup configuration won't do the pre-authentication, so you have 2 alternatives:
- Use RADIUS authentication;
- Modify the publishing rule.
I decided on the latter, so, although I used Forms Based Authentication, the rule was configured for All Users and not for Authenticated Users. Sure, you lose some security, but from an administration point of view it is much simpler than implementing RADIUS or IAS.
A final word: with ISA Server 2006 you get the Forms Based Authentication screen from Exchange 2007, even if you use Exchange 2003.