How to Set Up a Front-End and Back-End Topology with an Advanced Firewall in a Perimeter Network


Topic Last Modified: 2006-08-16

You can create a front-end and back-end topology with an advanced firewall. The following figure illustrates the front-end and back-end scenario with an advanced firewall. In this scenario, you place the advanced firewall server inside the perimeter network and between the Internet firewall and the internal firewall. You place front-end and back-end servers in the same network behind the internal firewall.

[Figure: Exchange front-end server behind an advanced firewall (ISA Server on the perimeter network)]

Before you deploy this topology, review the following requirements and configuration steps:

  1. If there is a firewall or port filter in front of the advanced firewall, configure it to allow the client protocols and ports inbound: 443 (HTTP over SSL), 993 (IMAP4 over SSL), 995 (POP3 over SSL), and any other ports that must be reachable from the Internet (for example, 25 if SMTP traffic also passes through this firewall). This firewall should permit these ports only to the designated advanced firewall server, never directly to the front-end or back-end servers.

  2. (Optional) If you are using an intranet firewall between the advanced firewall and the intranet, configure the intranet firewall to open only the ports needed for the traffic that the advanced firewall server (for example, a Microsoft® Internet Security and Acceleration (ISA) Server) sends to the intranet. This is every client protocol proxied by the advanced firewall: port 443 or 80 (depending on whether the advanced firewall is offloading SSL encryption), 993, and 995. Note that if the advanced firewall terminates SSL and forwards the request on port 80, the traffic on the segment between the advanced firewall and the front-end server is unencrypted; ISA Server can instead re-encrypt the forwarded request so that port 443 is used on both legs. Additionally, the intranet firewall must allow any other protocols that the advanced firewall server requires for its other tasks and configuration, which may include authentication, Domain Name System (DNS), and Active Directory access. The exact list depends on the balance of security and features that each corporation implements.

  3. Configure the advanced firewall. The following are general guidelines to follow when deploying an ISA Server in a front-end and back-end topology. (For detailed information about how to configure ISA Server, see the ISA Server product documentation.)

    1. Configure a listener for SSL.

    2. Create a destination set that contains the external IP address of the ISA Server. This destination set will be used in the Web publishing rule.

    3. Create a Web publishing rule that redirects requests to the internal front-end server.

    4. Create protocol rules to open ports in ISA Server for outgoing traffic.

  4. Configure the ISA server for Microsoft Office Outlook® Web Access. (For information about how to configure an ISA server for Outlook Web Access, see Microsoft Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header.")
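The two firewall tiers above are easy to get subtly wrong (a rule that also admits the front-end server's address, or a client port that is open on the internal tier but not the external one). The following script is an added example, not part of this topic or of the ISA Server product, that encodes the expected reachability matrix for this topology and audits it with plain TCP connects from either vantage point (the Internet side, or the perimeter network beside the advanced firewall). The addresses, the `ssl_offload` and `allow_smtp` switches, and the list of "must be closed" ports are assumptions chosen for illustration; adjust them to your environment. The `probe` parameter is injectable so the matrix can be exercised offline.

```python
"""Audit the two-tier firewall rules of the front-end/back-end topology.

Added example (not from the original topic). Addresses below are
hypothetical placeholders; replace them with your own.
"""
import socket
import sys
from dataclasses import dataclass

ISA_EXTERNAL = "203.0.113.10"   # advanced firewall, Internet-facing address (assumed)
FRONT_END = "10.0.1.20"         # Exchange front-end server behind the intranet firewall (assumed)
BACK_END = "10.0.1.30"          # Exchange back-end server behind the intranet firewall (assumed)

# Client protocols that the Internet firewall must pass to the advanced firewall.
CLIENT_PORTS = {443: "HTTP over SSL (OWA)", 993: "IMAP4 over SSL", 995: "POP3 over SSL"}


@dataclass(frozen=True)
class Check:
    vantage: str      # "internet" (outside the Internet firewall) or "perimeter"
    host: str
    port: int
    expect_open: bool
    note: str


def build_matrix(ssl_offload=False, allow_smtp=True):
    """Return the reachability checks implied by the topology description."""
    checks = []
    # Tier 1: the Internet firewall admits only the client ports, only to the ISA server.
    for port, name in CLIENT_PORTS.items():
        checks.append(Check("internet", ISA_EXTERNAL, port, True, name))
    if allow_smtp:
        checks.append(Check("internet", ISA_EXTERNAL, 25, True, "SMTP"))
    # Ports that should never be exposed on the advanced firewall (assumed list).
    for port in (80, 135, 389, 445):
        checks.append(Check("internet", ISA_EXTERNAL, port, False, "must be closed"))
    # No direct path from the Internet to the front-end or back-end servers.
    for host in (FRONT_END, BACK_END):
        for port in (*CLIENT_PORTS, 80, 25):
            checks.append(Check("internet", host, port, False, "no direct reach"))
    # Tier 2: the intranet firewall admits the proxied protocols from ISA to the front end.
    web_port = 80 if ssl_offload else 443   # 80 only when ISA terminates SSL and forwards in clear
    checks.append(Check("perimeter", FRONT_END, web_port, True, "proxied OWA"))
    for port in (993, 995):
        checks.append(Check("perimeter", FRONT_END, port, True, CLIENT_PORTS[port]))
    # The back end is reached only by the front end, never by the advanced firewall.
    for port in (*CLIENT_PORTS, 80):
        checks.append(Check("perimeter", BACK_END, port, False, "no direct reach"))
    return checks


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(checks, vantage, probe=tcp_probe):
    """Run the checks for one vantage point; return a list of human-readable failures."""
    failures = []
    for c in checks:
        if c.vantage != vantage:
            continue
        is_open = probe(c.host, c.port)
        if is_open != c.expect_open:
            failures.append(
                f"{c.host}:{c.port} is {'open' if is_open else 'closed'}, "
                f"expected {'open' if c.expect_open else 'closed'} ({c.note})"
            )
    return failures


if __name__ == "__main__":
    vantage = sys.argv[1] if len(sys.argv) > 1 else "internet"
    problems = audit(build_matrix(), vantage)
    for line in problems:
        print("FAIL", line)
    print("OK" if not problems else f"{len(problems)} rule(s) need attention")
```

Run it once from a host outside the Internet firewall (`python audit.py internet`) and once from a host in the perimeter network (`python audit.py perimeter`). A reachable front-end or back-end address in the `internet` run means the outer firewall is not restricting the client ports to the advanced firewall alone; a closed 993 or 995 in the `perimeter` run means the intranet firewall is missing one of the proxied protocols.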