Topology Question about OWA and OMA implementation
Hey all!

We are currently running a Windows 2003 domain and an Exchange 2003 SP2 cluster (which is not a part of an RPC over HTTPS topology right now), and we want to get started with publishing OWA and OMA on the Internet using ISA 2006. As the Internet gateway we are using a CP firewall, and we have a direct line to the ISP which provides us the Internet. In addition, our outgoing mail content filter is located at the ISP.

I have drawn a sketch which describes what we plan to do:

Now to the questions:

1. What do you generally think about the sketch? Any additions you might add to make it more secure?

2. The ISA is placed in a DMZ and the CP will forward SSL requests (and also filter them, just in case...) to the ISA, which forwards the data back to the FE server. The ISA in this case is only being used for the purpose of Exchange web services. Does this configuration limit us when we decide to use other ISA features?

3. In our internal network, what do you think about putting the FE in a VLAN separated from the BE cluster and the internal network? If yes, in the case of a VLAN, who do you think should act as the gateway? The CP, or maybe the switch, which can run an ACL? What do you think of implementing IPSEC between the FE and the BE? Do you prefer it over a VLAN? (We don't want to significantly increase the firewall CPU usage.)

4. If we want to publish the OWA services and make them available only to certain domain users, is there an option to do that on the ISA, or do we need to do this with the AD properties?

5. Since we want the whole procedure of publishing to be seamless, we don't want to slow down the current BE users. So in case we want to use IPSEC between the BE cluster and the FE, do you recommend a separate NIC for this (on the BE)? What does IPSEC generally require from the BE server?

6. About securing the ISA: I will use the guide provided by Microsoft, including some tweaks I will add in order to assure strict security. I haven't found anything about AV on the ISA itself (to prevent malicious code from running on the machine). It has some risk because we need to open update requests. Do you run an AV on your ISA server?

I hope you can help me get through this. I know there is quite a load of questions, but any help will be appreciated!

Best regards,
Zeffy.
October 13th, 2007 10:35am

This topic is archived. No further replies will be accepted.
