Hello to all, thank you for reply.

Remove the ISA server is an option that I'm evaluating, but I have some doubts about the security of web servers publications.

I have to publish an exchange server that is located on the local network (owa, smtp, outlook anywhere, etc.), I don't have a front end and a backend server, all is installed on the same machine. With ISA the server is protected, but what happen if I remove ISA?

ISA is also a web proxy and allow me to control the internet traffic. How I can replace this functionality? Squid?

Thank you.

Get rid of Exchange and migrate to Office 365.  It is far cheaper than owning and operating your own Exchange server.  I can count the number of our customers left who own and operate Exchange servers on one hand.  You would only need the basic plan "Exchange Online 1".

That solves one major issue for you.  If I was wearing my Cisco hat I would tell you to use WSA for your proxy server.

http://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html

However if you use an ASA with Firepower the question becomes what do you actually need a proxy server?

If you don't have Firepower or you really like the idea of using a proxy server then you could use Cisco cloud proxy service 

http://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html

The great thing about the cloud proxy service is it protects all your machines, wherever they are.  For example if a user takes a notebook home they keep using the same cloud proxy with the same policies and protection.

More than like if you migrate to both cloud services you monthly costs will be less, you will have up to date technology and your company will be in a far more agile position to adapt to changes.

Hi. The 5510 will give you good firewall policy enforcement, but not any of the advanced URL filtering and Internet security policy management. For this you will require another solution, unless you upgrade to Firepower services, which means you need different hardware.

I would say you have it spot on with your planned architecture

internet---asa----isa----local network

You can use the 5510 for Client based SSL VPN (Anyconnect) and you can use the Clientless SSL VPN feature to help with some of the Exchange Publishing.

eg. You can use clientless SSL VPN portal and have the users log in there with their AD credentials. You can then have the ASA pass on those credentials directly to your exchange server for a similar kind of OWA experience (there are templates built in to ASDM). You can create a SMTP rule on the ASA to manage the SMTP traffic. Outlook anywhere is not a feature specifically available via ASA, however, you can use a "Smart Tunnel" to make the Exchange Server available to the user that prefers the Outlook Client Experience, essentially creating an RPC over HTTPS scenario. I haven't tested this one yet, but I plan to. I don't know how you'll manage Active Sync, if you use it. 

It's not as simple as replacing ISA with 1 device, even if it is Firepower Services. There are a few features that ISA supports that ASA with firepower does not, like web proxy, AD auth per session and web cache to name a few.

HTH

Andre

Hi, I think the same thing.

I cannot use Clientless SSL Vpn because the users access the exchange server  with their smartphone remotely. 

What do you think about this scenario?

http://www.isaserver.org/articles-tutorials/configuration-security/Terminating-VPN-Connection-Front-ISA-Firewall-Part3.html

I could use ASA for Vpn with anyconnect and for NAT, ISA for web proxy, cache and publishing.

A solution with ASA as front end firewall connected directly to local network and ISA configured with only one network adapter could provide to me a good security comparable to ISA front end firewall?

Thank you.

I would say yes. You can do that. I would do that until you can get a more permanent solution. The 5510 is a nice little machine, and code updates are still being released. It's really difficult to replace ISA with one device.

So, you suggest me to use ASA as edge firewall and keep ISA with only one network?

Yes. As you planned. ASA for VPN with anyconnect and for NAT. Remeber you'll have to do Port Forwards for the servers you are publishing with ISA. For The Exchange publishing you'll do a XXX to 443 port forward. You'll need 443 available for your anyconnect SSL VPN on the ASA.

Thank you. I will implement this configuration.

Just for recap I post the final configuration layout.

internet --- asa --- + --- local network

                     | 

                     +--- isa (web proxy, cache)

                     | 

                     +--- exchange server, web server, etc 

I would rather do this:

internet --- asa ---+--- isa (web proxy,cache) +---local network

                          | 

                          +--- exchange server, web server, etc 

In this case ISA have 3 lan, exchange server is in Dmz  and also the vpn client will be conneted to dmz. This is exactly this scenario:

http://www.isaserver.org/articles-tutorials/configuration-security/Terminating-VPN-Connection-Front-ISA-Firewall-Part3.html

Why you don't recommend the solution with only one lan on ISA? 

Hi. It's really up to you how many LAN interfaces you want behind the ISA. If you want to put your published servers behind a different interface as your inside network, then that works too. Both scenarios are good in my opinion.

Thank you Anre.