Comment MS ISA is the fortified bridge, not a wall (Score 1) 261
ISA is a nice and SECURE tool, if it is used correctly. It is very good for publishing services (HTTP, Exchange-RPC).
You should do a back-to-back two-layer firewall setup, with the outer ISA not being a member of your inner domain. The publishable services should be in the DMZ between the two firewalls - webserver, Exchange FRONTEND. You can use the URLScan plugin for ISA FP1 to make sure no illegal HTTP options get through to the webserver.
The internal firewall could also be a non-ISA, preferably a HW firewall, but then you lose some strong outgoing proxy authentication integration with AD.
Do not use ISA as a three-homed firewall; you lose all secure application and stateful packet inspection to that kind of DMZ.