Oh. I see. OK.
Microsoft disagrees with Tom:
Quote:
Placing front-end servers inside the perimeter network is one approach to deploying front-end and back-end topology within a perimeter network. However, the recommended approach is depicted in the first scenario, Advanced Firewall in a Perimeter Network. This approach involves placing the front-end and back-end servers inside the intranet and placing an advanced firewall (such as ISA Server) in the perimeter network. The advanced firewall can provide application protocol filtering and perform additional authentication on requests before it proxies them to the internal network.
Links to:
Which gives you text and pictures.
msexchange.org which is a sister site of isaserver.org also disagrees with Tom:
So, let's recap.
Every single Exchange MVP will disagree with you (but who the hell listens to them)
Microsoft disagrees with you
msexchange.org disagrees with you
Tom agrees with you.
The summary is that, as with just about everything you encounter in IT there are seldom any absolutley wrong things to do. By all means put the FE off to one side of the ISA rather than on the LAN because it won't toast your network, neither will the sky fall in.
Be aware though that if you want to go and ask Microsoft, paying your $5,000 for consulting services, you won't get an answer. You will get options and suggestions. I know for a fact that the answer will differ depending on whether you get a security guy, an Exchange guy, a network guy or an AD guy.
Furthermore aware that whatever anyone else says, Steve Riley and Jesper Johansen told you to put it in a DMZ in Exchange 2000 and not to put it in a DMZ in Exchange 2003.
It's a little like the empty Forest Root domain back in Acrive Directory 2000 days. Then it was the right way to go. Ask Microsoft internal guys and they'll tell you "If we knew now what we knew then...." stories and the empty Forest Root would not have passed their lips back in 2000.
Hindsight, 20/20 vision. Feel free to comment back but I think you've had all the reasoning and suggestions. It doesn't matter to us here whether you follow ours & Microsoft's advice or if you go with Tom's. It's entirely your business and at the end of the day you might have other reasons or want to do something else on the FE that makes it the best idea in the world to put in a DMZ.
You pays your money and you takes your chances.