In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.
All incoming Internet traffic bound to your Exchange servers – for example, Microsoft Office OWA and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003 clients – is processed by the ISA server. When the ISA server receives a request from an Exchange server, the ISA server terminates the connection and then proxies the request to the appropriate Exchange servers that are on your internal network. The Exchange servers on your network then return the requested data to the ISA server, which sends the information to the client through the Internet.
During installation of the ISA server, Microsoft recommends that you enable Secure Sockets Layer (SSL) encryption, and designate 443 as the SSL port. This leaves the 443 port open as the “Web Listener” to receive Internet traffic. Microsoft also recommends that you set up basic authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these recommendations, the Internet traffic that flows into and out of the 443 port will be more protected.
When configured in Web-publishing mode, ISA Server 2006 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.
The following illustration shows the recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2006.
| 