NAT to ISA on DMZ



Hi all, these past couple of weeks we have been designing the migration to
Exchange Server from a highly customized qmail installation (not my
decision...). I'm in charge of making sure that whatever setup we install complies
with our current firewall setup. This is an IPCop firewall with RED-
ORANGE-BLUE-GREEN zones. Exchange 2003 failed miserably when trying to
set up a front end on the DMZ without making the firewall swiss cheese.
Exchange 2007 seems a little better, but it needs an ISA server for the
front end. We have part of the setup done with ISA inside the DMZ and
another subnet inside the DMZ for the "untrusted" interface of the
ISA. As for port forwarding, email traffic coming from the internet
will get directed to the router in the DMZ, then to the ISA, then
back to the firewall and finally to the Exchange back end (what a hack,
thanks MS). The problem is that the Exchange back end REQUIRES that its
gateway is the ISA. This is where iptables comes into play. I can't
specify the ISA server as gateway, but I can forward email traffic from
the firewall to the ISA on the DMZ and it will send it back to the
client on the internet.


REQUEST NEEDED:

[ASCII network diagram; alignment lost in extraction. Recovered labels: internet -> [DSL router] -> FW -> DMZ (subnets 192.168.99 and 10.0.0) -> [ISA] -> back to FW -> LAN -> [Exchange]]


RESPONSE NEEDED:

[ASCII network diagram; alignment lost in extraction. Recovered labels: the reverse path, [Exchange] -> LAN -> FW -> [ISA] in the DMZ -> FW -> [DSL router] -> internet]


INSTEAD OF:

[ASCII network diagram; alignment lost in extraction. Recovered labels: the response leaving directly, [Exchange] -> LAN -> FW -> [DSL router] -> internet, never passing through the ISA]


I'm following some examples for forwarding traffic between proxies but
haven't made progress.
Can anyone help me create the needed rules for this?

I may have an issue on the DMZ as both the DSL Router and ISA have the
same gateway but haven't got the chance to test it.

Is this even possible?

Thanks
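One way to express the forwarding described above in plain iptables, added here as an example and not part of the original post or of IPCop's own rule set (IPCop keeps its rules in its own chains, so these would need to be placed accordingly). Interface names, the firewall's DMZ address 10.0.0.1, the ISA address 10.0.0.2, the Exchange address 192.168.1.10 and the port list are all assumptions; the return-path problem the post describes (ISA and the DSL router sharing a gateway) is handled by SNATing the forwarded connections to the firewall's own DMZ address, so the ISA answers to the firewall rather than straight to the router, and the example assumes Exchange's default route is the firewall's GREEN address.

```bash
#!/bin/sh
# Added example, not from the original post. Interface names and addresses
# below are assumptions; override them via the environment to match IPCop.
RED_IF="${RED_IF:-eth0}"                     # RED: towards the DSL router / internet
ORANGE_IF="${ORANGE_IF:-eth1}"               # ORANGE: the DMZ holding the ISA
GREEN_IF="${GREEN_IF:-eth2}"                 # GREEN: the LAN with the Exchange back end
FW_ORANGE_IP="${FW_ORANGE_IP:-10.0.0.1}"     # firewall's own DMZ address (assumed)
ISA_IP="${ISA_IP:-10.0.0.2}"                 # ISA's DMZ address (assumed)
EXCHANGE_IP="${EXCHANGE_IP:-192.168.1.10}"   # Exchange back end on the LAN (assumed)
MAIL_PORTS="${MAIL_PORTS:-25}"               # "email traffic": SMTP; add 443 for OWA if published

# Emit the rule set, one iptables command per line.
mail_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $RED_IF -p tcp -m multiport --dports $MAIL_PORTS -j DNAT --to-destination $ISA_IP
iptables -t nat -A POSTROUTING -o $ORANGE_IF -d $ISA_IP -p tcp -m multiport --dports $MAIL_PORTS -j SNAT --to-source $FW_ORANGE_IP
iptables -A FORWARD -i $RED_IF -o $ORANGE_IF -d $ISA_IP -p tcp -m multiport --dports $MAIL_PORTS -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $ORANGE_IF -o $GREEN_IF -s $ISA_IP -d $EXCHANGE_IP -p tcp -m multiport --dports $MAIL_PORTS -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
# The DNAT steers inbound mail to the ISA; the SNAT rewrites the source to the
# firewall's DMZ address so the ISA's reply comes back through the firewall's
# connection table instead of going straight to the DSL router. The two NEW
# rules open only the ISA-bound and ISA->Exchange legs; everything else rides
# on ESTABLISHED,RELATED, so the DMZ gets no extra holes towards the LAN.

# Count the rules (handy for sanity checks and for the test below).
rule_count() {
    mail_nat_rules | wc -l | tr -d ' '
}

# Apply only when explicitly asked and running as root; otherwise just print.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        mail_nat_rules | while IFS= read -r cmd; do eval "$cmd"; done
    else
        mail_nat_rules
    fi
}

apply_rules
```

Run as `APPLY=1 sh script.sh` on the firewall to install the rules; without `APPLY=1` it only prints them for review.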



