Forum Discussion

Josh_41258
Dec 02, 2008

Exchange 2003 FE & LTM

Our current Exchange 2003 environment has a front end server that does SMTP routing (our external SMTP gateways relay mail to here, and then from the FE they go to the appropriate back-end server). This server also does OWA for outside clients.

We would like to utilize a pair of LTM's for both SMTP routing and OWA. One idea was to create two virtual servers, one used for SMTP routing which services TCP/25, and one for OWA which services TCP/443. Our external SMTP gateways would point at the SMTP Virtual IP on the LTM's to relay mail, and external clients from the Internet would hit the OWA Virtual IP.

Has anyone utilized LTM's in this fashion -- to load balance front end SMTP servers for Exchange? I'm looking for any suggestions, guidelines, etc. One option was not to use the F5's for the SMTP services -- but to use MS NLB. I'd rather stick with F5 on this front.

Any tips/suggestions/etc? I have also heard from some that we should use ISA behind the F5's to publish OWA, but I am not sure this is really necessary and I'm not sure what we would gain from this.

Any tips/suggestions would be MUCH appreciated.

Thanks,

Josh

8 Replies

  • We do something similar to what you want to do. However our config is a bit more complicated but let me see if I can boil it down to something straight forward.

    First let's talk SMTP. We are in the process of migrating from Notes to Exchange, so both environments are up and running. We have a VIP that load balances internal SMTP requests to our mail exchangers. Any internal application sending mail to ourdomain.com gets sent to a VIP defined by our internal MX DNS records. It is also the same VIP used as the default mail server by mail-enabled applications (email.ourdomain.com). There is a pool of servers behind the VIP to process those requests. Outbound mail from the environment is sent through another VIP to the DMZ-based mail exchangers. Both VIPs round-robin the load. The outbound VIP is protected and will only pass SMTP to the external exchangers for the internal exchangers; any other request is routed back through the internal mail exchangers for security reasons. Inbound mail works the same way, only we first pass it through a spam filter, which is actually another VIP and pool. From there it's passed through the internal mail exchange servers.

    Now for OWA. Internally, we use a VIP for the OWA environment. For external access, we do use ISA on the DMZ and then route to the same OWA VIP used internally. We use ISA for security reasons.

    Hope that helps.

  • Thanks for the reply.. your post was helpful. Your inbound mailflow seems similar to what we are looking to achieve. The SMTP gateways hand off the mail to the SMTP VIP, which in turn pushes it to the internal Exchange Front Ends.

    As for OWA.. I am still torn about using ISA. I would like to avoid it if possible.. I am not quite sure what benefit we would gain from this.. it's basically just another reverse proxy which the LTM's would already be doing?
  • ISA really came down to Information Security Policies. Essentially, we do not let any communication stream enter our network through the DMZ unless it has already been authenticated. We use ISA for OWA, ActiveSync and SharePoint access. The authentication occurs at the ISA level and then the credentials are passed down. So in the case of OWA, once you authenticate to ISA, it takes you directly into your mailbox so long as integrated authentication is turned on. We actually front end ISA with a DMZ LTM. FirePass was actually considered for this function but ISA was (sorry F5) cheaper and met our Information Security group's requirements.

    So the bottom line is that it is a security decision: how strong do you need/want it to be. I did see another thread on the forum debating ISA and F5, so perhaps you could find some feedback there. http://devcentral.f5.com/Default.aspx?tabid=53&forumid=25&tpage=1&view=topic&postid=2921629216

  • OK, gotcha. So, the ISA servers (which are on a separate LTM) are actually accepting connections from the Internet, pre-authenticating OWA, and then publishing OWA via the VIP attached to another set of LTM's which is load balancing the Exchange front ends?
  • InternetClient -> DMZ LTM (if port 80 redirect to 443) 443 -> ISA -> Internal LTM -> OWA pool over 443

    InternalClient -> Internal LTM (if port 80 redirect to 443) -> OWA Pool over 443

    Make sense? On the Internet flow, I left out the handshake between ISA and AD LDAP authentication, which uses an internal VIP to our global catalog. By the way, one reason we front ended ISA with the LTM is due to our data center config. What you do not see is the GTM that can give the address of either data center based on the availability of the ISA servers. So the LTM's monitor the availability of the ISA servers.
  • Yes, makes total sense. Thanks for the explanation. We just need to decide if ISA is worth the effort/trouble for pre-authentication.
  • Did you have to turn Auto-Last-Hop on the LTM off to support the ISA servers?

  • Nope, or at least we did not. Each LTM only fronts 1 ISA box, we are not doing load balancing.
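
As an added illustration, not configuration posted in this thread or published by F5, here is the two-VIP design from the original post (TCP/25 relay VIP plus TCP/443 OWA VIP) together with the "port 80 redirect to 443" step from the flow above, written as a bigip.conf fragment. The iRule on the SMTP VIP is the check a practitioner would want: with SNAT automap the Exchange front ends see only the LTM's self IP as the sender, so any per-source relay restriction on the FE no longer applies and the restriction to the external gateways must be enforced on the LTM itself. Assumptions: tmsh syntax of BIG-IP v10 and later (not the v9 bigpipe syntax current when the thread was written), constructed RFC 5737 documentation addresses, and invented object names.

```text
ltm data-group internal dg_smtp_gateways {
    records {
        203.0.113.0/28 { }
    }
    type ip
}
ltm rule irule_smtp_gateways_only {
    # Constructed example: only the external SMTP gateways may reach the
    # relay VIP; everything else is dropped before an SMTP banner is sent.
    when CLIENT_ACCEPTED {
        if { ![class match [IP::client_addr] equals dg_smtp_gateways] } { reject }
    }
}
ltm pool pool_exchange_fe_smtp {
    members {
        192.0.2.11:25 { address 192.0.2.11 }
        192.0.2.12:25 { address 192.0.2.12 }
    }
    monitor smtp
}
ltm pool pool_exchange_fe_owa {
    members {
        192.0.2.11:443 { address 192.0.2.11 }
        192.0.2.12:443 { address 192.0.2.12 }
    }
    monitor https
}
ltm virtual vs_smtp_relay {
    destination 198.51.100.10:25
    ip-protocol tcp
    pool pool_exchange_fe_smtp
    profiles { tcp { } }
    rules { irule_smtp_gateways_only }
    source-address-translation { type automap }
}
ltm virtual vs_owa_https {
    destination 198.51.100.11:443
    ip-protocol tcp
    persist { source_addr { default yes } }
    pool pool_exchange_fe_owa
    profiles { tcp { } }
    source-address-translation { type automap }
}
ltm virtual vs_owa_http_redirect {
    destination 198.51.100.11:80
    ip-protocol tcp
    profiles { http { } tcp { } }
    rules { _sys_https_redirect }
}
```

The OWA VIP passes TLS straight through to the front ends, so source-address persistence keeps a client's session on one FE; `_sys_https_redirect` is the iRule that ships with BIG-IP for the port 80 redirect.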