Exchange 2007 Edge and ISA 2006 on the same box???

Back at Exchange Connections, I started hearing rumblings that there was going to be a new recommended configuration for the Exchange 2007 Edge Transport role: place it on the same server as ISA 2006. At first this seems counter-intuitive; I'm used to thinking of ISA as a firewall, and as a general rule you don't want to put additional software on your firewall. However, it starts to make sense when you think about it a bit longer:

  • ISA is a fantastic product line that securely hardens the network stack on whatever server it's installed on, especially when the base OS is hardened first.
  • ISA is an application proxy as well as a firewall and is the recommended tool to use for publishing HTTP access to Exchange (OWA, Outlook Anywhere/RPC over HTTPS, Exchange ActiveSync).
  • The SMTP screener in ISA is an optional component. I personally like it for use with non-Exchange messaging systems, but I'd rather have the full power (and Exchange integration) of Edge being the first server that handles incoming messages. Best of all, I wouldn't have to change firewall porosity to implement this; I'd still be opening SMTP into my Exchange Hub Transport server(s), and the Edge Subscription is pushed from the Hub Transport to the Edge Server -- no incoming port openings required.

Here's the problem: you can't do it. The ISA 2006 server can't be installed on x64 versions of Windows (although the firewall client can), and Exchange 2007 must be used on Windows x64 for production. However, this post on the Exchange team blog originally said the ISA 2006/ configuration. If you scroll down to the comments, you'll see that a couple of readers ask for clarification (one of those names might look somewhat familiar). This morning, I noticed that we've been answered:

I was under the impression that a version of ISA 2006 that would install on x64 was in the works (perhaps I was confused by the x64 firewall client), but that appears to not be the case. So it would seem Exchange & ISA cannot be on the same OS in production.

My thanks to the Exchange team in general, and Scott Landry in particular, for being so quick to answer questions and willing to clarify statements like this. They are an insanely responsive and communicative group of people, and they're the first reason that Exchange 2007 is such a radical departure from the Exchange of yesteryear.

If anyone from the ISA team is reading this: please, please, please get an x64 version of ISA 2006 on the roadmap sooner rather than later. And when you do, specifically take steps to make ISA + Edge a tested configuration. This allows us Exchange folks to more effectively lobby for the use of ISA in our perimeter networks, pointing to the advantages of using Edge *and* ISA to provide the best level of protection for all external access to our Exchange organization.

posted on Tuesday, November 21, 2006 9:25 AM

Comments on this post

# Exchange Server 2007 and the Active Directory, part 4

With Microsoft Exchange Server 2007 comes a new security model to publish your servers to the Internet:
Left by The things that are better left on Dec 11, 2006 3:21 AM