Ask the Expert

When you install ISA 2000 Server and create a DMZ, can you use two different domain names?

When you install ISA 2000 Server and create a DMZ, can you use two different domain names (e.g. MyDomain-ext.com for the DMZ and MyDomain.com for the private LAN)? If yes, how do you put the Exchange front-end/Web server, DNS and VPN in the DMZ? Do I have to install new trees in the existing forest with the mydomain-ext.com domain name? For this, I would have to install a DC in the DMZ, then install DMZ/VPN/Exchange/IIS/OWA on member servers.

Can you put the Exchange back-end server in one domain and the front end in a different domain with a different domain name? How does OWA work with different domain names?


When you create a DMZ segment, you create a separate security zone. You should place all servers that directly interface with the Internet on the DMZ segment. Machines on the DMZ segment should be configured as Bastion Hosts, and the operating systems on these machines should be hardened to the extent that they are virtually impossible to manage, and then only from the local console. Of course, this is very difficult to do, but once you accomplish the task, you can be sure that it's going to take a long time for someone to break into your box. For a good primer on how to configure a strong Bastion Host, check out "Securing Windows NT 4.0/2000 on the Internet".

With that in mind, let's think about the Exchange FE/BE configuration. As you can probably tell already, if you put a FE Exchange Server on the DMZ, you have broken your DMZ security zone, because the FE Exchange Server must be a member of the same domain as your internal network BE Exchange Server. While you can do this, it is rather difficult to allow intradomain communication across the ISA Server. You can see how to do this at www.isaserver.org/shinder. The only MS approved way of allowing intradomain communication across the ISA Server is to create a VPN connection between a DMZ host and the external interface of the ISA Server. This solution, while possible, is tricky because keeping the VPN interface active can be problematic and requires someone to 'baby sit' the connection more than you might like.

You should put both the FE and the BE Exchange Servers in the same domain and put both of them on a LAT segment on the internal network. Then you can use IPSec filtering to control inbound and outbound access to and from that segment. Another option is to use RRAS routing if both segments are directly connected to the ISA Server itself. As you can see, there are a lot of options for creating a 'screened subnet,' even though that subnet is on a LAT segment.

Finally, remember that the FE/BE configuration is not a security configuration. It's a fault tolerance and load balancing configuration. If you require fault tolerance and load balancing, then the FE/BE configuration is for you. If not, you might just want to configure a normal Exchange Server setup.


This was first published in March 2002
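The answer recommends keeping the FE and BE Exchange servers on a LAT segment and using IPSec filtering to screen that segment. The following is an added example, not code from the article or from its author: a small Python model of such a filter policy that you can use to reason about which flows the screened segment should and should not allow before committing the filters to the ISA/IPSec configuration. The addresses (192.168.10.0/24 as the screened segment, 192.168.20.0/24 as the internal segment), the host roles and the rule set are all constructed for this example, and the "most specific matching filter wins" semantics is a simplifying assumption modelled on how Windows IPSec filter lists are applied.

```python
"""Model of a screened-subnet filter policy for an Exchange FE/BE pair.

Illustrative only: the addresses, ports and rules below are constructed
for this example and are not taken from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR or host; "any" matches every address
    dst: str
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # None matches any destination port
    action: str          # "permit" or "block"
    note: str = ""

    @staticmethod
    def _in(net: str, addr: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net, strict=False)

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self._in(self.src, src)
                and self._in(self.dst, dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def specificity(self) -> int:
        # Longer prefixes and an explicit protocol/port make a filter more
        # specific. Assumption for this model: the most specific matching
        # filter decides, so narrow permits can override a broad default block.
        score = 0
        for net in (self.src, self.dst):
            score += 0 if net == "any" else ip_network(net, strict=False).prefixlen
        score += 0 if self.proto == "any" else 1
        score += 0 if self.dport is None else 1
        return score


# Constructed topology (hypothetical addresses).
SCREENED = "192.168.10.0/24"   # LAT segment that is screened by filters
FE_OWA = "192.168.10.10"       # front-end Exchange / OWA on the screened segment
BE_EXCH = "192.168.20.10"      # back-end Exchange on the internal segment
DC = "192.168.20.5"            # domain controller / global catalog, internal

POLICY: List[Rule] = [
    Rule("any", SCREENED, "any", None, "block", "default deny into screened segment"),
    Rule(SCREENED, "any", "any", None, "block", "default deny out of screened segment"),
    Rule("any", FE_OWA, "tcp", 443, "permit", "OWA over HTTPS, published through ISA"),
    Rule(FE_OWA, BE_EXCH, "tcp", 80, "permit", "FE proxies OWA requests to BE over HTTP"),
    Rule(FE_OWA, DC, "tcp", 88, "permit", "Kerberos"),
    Rule(FE_OWA, DC, "udp", 88, "permit", "Kerberos"),
    Rule(FE_OWA, DC, "udp", 53, "permit", "DNS"),
    Rule(FE_OWA, DC, "tcp", 389, "permit", "LDAP"),
    Rule(FE_OWA, DC, "tcp", 3268, "permit", "Global Catalog"),
    Rule(FE_OWA, DC, "tcp", 135, "permit", "RPC endpoint mapper"),
    # Domain membership also needs the dynamic RPC port range, which is the
    # part that makes intradomain traffic through a filter awkward; it is
    # deliberately left out here so those flows show up as blocked.
]


def decide(src: str, dst: str, proto: str, dport: int,
           policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, note) for a flow.

    The most specific matching rule wins; ties go to the rule listed first.
    A flow that matches no rule does not touch the screened segment and is
    reported as "unfiltered".
    """
    best: Optional[Rule] = None
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            if best is None or rule.specificity() > best.specificity():
                best = rule
    if best is None:
        return ("unfiltered", "no filter applies to this flow")
    return (best.action, best.note)


def review(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str]]:
    """Evaluate a list of (src, dst, proto, dport) flows against POLICY."""
    return [decide(*flow) for flow in flows]


if __name__ == "__main__":
    sample = [
        ("203.0.113.7", FE_OWA, "tcp", 443),   # Internet client to OWA
        ("203.0.113.7", FE_OWA, "tcp", 80),    # plain HTTP to FE
        (FE_OWA, BE_EXCH, "tcp", 80),          # FE to BE
        (FE_OWA, BE_EXCH, "tcp", 445),         # FE to BE over SMB
        (FE_OWA, "198.51.100.9", "tcp", 443),  # FE initiating to the Internet
        (BE_EXCH, DC, "tcp", 389),             # internal to internal
    ]
    for flow, (action, note) in zip(sample, review(sample)):
        print(f"{flow[0]:>14} -> {flow[1]:>14} {flow[2]}/{flow[3]:<5} {action:<10} {note}")
```

Running the block prints a decision per sample flow. The point of the default-deny pair plus narrow permits is that the FE server is reachable from the Internet only on TCP 443, can talk to the BE and DC only on the listed ports, and cannot initiate connections outward; anything the model reports as "block" that the real servers need (for instance the dynamic RPC range) is exactly the traffic the answer warns is hard to carry across a filter, and it should be added deliberately rather than by opening the segment.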
