Hi all, I'm currently putting together a design/plan to implement ISA 2006 into our existing Exchange 2003/2007 environment. Details are below: Our domain uses a single namespace (I know what you're thinking...) and as such we have moved almost all of our infrastructure to a sub domain. Root domain: test.com.au Sub domain: sub.test.com.au DC's - Windows 2008 R2 - Windows 2008 Exchange 2007 (resides in sub domain) - 2x Mailbox servers (cluster) - 2x CAS/HT Exchange 2003 (resides in root domain) - 1x Mailbox server (standalone) - will be decommissioned very soon Exchange 2007 servers - exchmbx1 - exchmbx2 - exchcas1 - exchcas2 - exchcluster (cluster name) Exchange 2003 servers - exchold1 Firewall - clustered Cisco ASA 5520 firewall Other Info - Cisco ACE load balancer - load balances only HTTP/HTTPS traffic at this stage (internal) After a fair bit of research, I understand that the best method for publishing OWA, ActiveSync etc... for our environment is by implementing Microsoft ISA Firewall into our DMZ. In our case, it becomes a little confusing with the addition of our subdomain. How do I incorporate both client access servers (CA) into the equation? In particular, SSL certificates. Ideally, the only address I want accessed from the outside is https://owa.test.com.au. How is this going to work when I have a subdomain and 2x CAS that reside in it? Also, what is your opinion on using an internal certificate authority for this? This will only be used for around 50-100 users. Thanks in advanced. Andrew.

The fact you can have subject alternative names on certificates should help with the single certificate. Internal Authority is not an issue.

Bit dissapointed with the lack of response to this post. Perhaps I should have posted to a different form, perhaps ISA. For those interested, I will proceed with the following setup:- Single NIC ISA 2006 server in DMZ- Traffic will not bypass our Cisco Firewall but go back through it to the internal- Open ports 80, 443 from the Outside to the ISA server (port 80 so I can redirect to port 443)- Open ports 443 from our ISA server to our 2x CAS servers- Open ports 3268 from the ISA server to our GC servers- Purchase a 3rd party SSL certificate from Digicert (Unified Communications Certificate) with the following alternative names: owa.test.com.au exchcas1.sub.test.com.au exchcas2.sub.test.com.au exchcas1 exchcas2 autodiscover.test.com.au- Install certificate on ISA and the 2x CAS servers

If you're going to have only one ISA (or TMG) server in your DMZ and two CAS role servers in your intranet, then you would configure a server farm in the ISA server that includes the two CAS servers. You'd install the external certificate on the ISA server's listener. The ISA will load-balance the traffic to the two CAS role servers. I prefer to use public certificates only on the ISA server, so you might consider building an enterprise CA that is Active Directory-integrated for your internal certificates. It's basically free with the Windows license, you have control of it, and the root certificate is pushed out to all domain clients automatically. -- Ed Crowley MVP"There are seldom good technological solutions to behavioral problems.". "andrew_morine" wrote in message news:ea5c258d-31cc-400f-9058-fe9518c32a36...Hi all,I'm currently putting together a design/plan to implement ISA 2006 into our existing Exchange 2003/2007 environment. Details are below:Our domain uses a single namespace (I know what you're thinking...) and as such we have moved almost all of our infrastructure to a sub domain.Root domain: test.com.auSub domain: sub.test.com.auDC's- Windows 2008 R2- Windows 2008Exchange 2007 (resides in sub domain)- 2x Mailbox servers (cluster)- 2x CAS/HTExchange 2003 (resides in root domain)- 1x Mailbox server (standalone)- will be decommissioned very soonExchange 2007 servers- exchmbx1- exchmbx2- exchcas1- exchcas2- exchcluster (cluster name)Exchange 2003 servers- exchold1Firewall- clustered Cisco ASA 5520 firewallOther Info- Cisco ACE load balancer - load balances only HTTP/HTTPS traffic at this stage (internal)After a fair bit of research, I understand that the best method for publishing OWA, ActiveSync etc... for our environment is by implementing Microsoft ISA Firewall into our DMZ. In our case, it becomes a little confusing with the addition of our subdomain. How do I incorporate both client access servers (CA) into the equation? In particular, SSL certificates. Ideally, the only address I want accessed from the outside is https://owa.test.com.au. How is this going to work when I have a subdomain and 2x CAS that reside in it? Also, what is your opinion on using an internal certificate authority for this? This will only be used for around 50-100 users.Thanks in advanced.Andrew. Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."