Hi All,I just want to know, if I'm about to use the OWA feature, therefore I would need ISA Server to secure the access to the Exchange server mailbox and public folder.the question is, should I deploy the ISA Server 2006 standard in the same dual homed machine as the EDGE transport server in the DMZ ? so far I don't know if there is any 64-bit ISA server yet, as the Exchange server EDGE transport requires 64 bit processor.any kind of input and suggestion will be appreciated.Thanks

You should deploy seperate ISA and Edge servers.

Hi Erik,thanks for your quick response, I'm just wondering of where to put the ISA server if not together with the EDGE transport server.so, according to your response, the topology will be like :http://img180.imageshack.us/my.php?image=owawm2.jpg Red arrow indicates the Normal email traffic,Green arrow indicates the Client Access ( OWA )Thanks in advanced.

A front/back firewall configuration (what you're displaying in your image) is one great way to do it; however it comes with a couple of disadvantages in that you need 2 firewalls and the added management complexity. Alternativly you could do a 3-Leg perimeter, so ISA would have 3 interfaces rather than 2. The Edge Transport server would sit in the DMZ (Perimeter Network). Erik

Hi Erik,thanks for your quick reply, based on your response above, I can conclude that it would be too much complexity to setup the ISA Server 2006 between the firewall inside the DMZ.proposed solution: the firewall in the middle of the picture is ISA Server 2006 while the EDGE transport server will be installed in the DMZ.http://www.wehuberconsultingllc.com/wordpress/wp-content/uploads/2006/09/WindowsLiveWriter/Changingovertoa3legnetworklayout_995C/3leg%5B2%5D.jpgmy final question is, would that (3 leg perimeter) be sufficient enough to protect the CAS Exchange Server 2007 ?Cheers,A.W.T

I'm not saying it would be too much complexity, just that for what you're doing it's not neccisary. As for your question about whether it is sufficient, ISA is designed to protect Exchange in this manner. As long as you're publishing the services correctly, yes. Cheers, Erik