Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

How insecure is an Exchange 2003 Front-end server?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2003] >> Outlook Web Access >> How insecure is an Exchange 2003 Front-end server? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM
TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!
How insecure is an Exchange 2003 Front-end server? - 14.Jan.2005 10:15:00 AM   
Zulan

 

Posts: 13
Joined: 13.Mar.2003
From: Sweden
Status: offline 		Hello!

I am planning to use a Front-End exchange server to publish Outlook Web Access (OWA) to my users over the internet. I have a checkpoint fw-1 firewall and I am planning to put the Front-end server on my DMZ. The front-end Exchange server is a 2003, and the back-end is a 2000. If possible I would like to avoid the extra configuration and cost involving an ISA server but I am still quite concerned about security.

I have done some testing and I had to open up these ports from my DMZ to my internal network.

From front-end exchange server to back-end exchange server:

(My back-end exchange server also acts as backup AD and DNS server)
691
389, tcp and udp for LDAP
3268
88 tcp and udp for Kerberos
135 RPC
443 https
1600
80 http
139 Netbios

From Front-end exchange server to primary internal DNS server and AD server.
3268
53 tcp and udp for domain verification

I find them to be quite a few and to be honest I feel a little unsecure about opening up so many ports. Is there a better way to do this? What are the risks, are they minor? Am I being paranoid? How did you solve it?

Thanks for your input
Post #: 1
RE: How insecure is an Exchange 2003 Front-end server? - 17.Jan.2005 8:19:00 PM   
mark@mvps.org

 

Posts: 3790
Joined: 9.Jun.2004
From: Philadelphia PA
Status: offline 		You simply don't put the FE in a DMZ for the very reasons you have discovered.
If you want to provide OWA and RPC over HTTPS access from the Internet into your network and can only afford two boxes then put an ISA in a DMZ (in a workgroup and not attached to the domain) The publish the OWA on the mailbox server.
You don't actually need an FE, especially if the number of users involved aren't huge.

(in reply to Zulan)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2003] >> Outlook Web Access >> How insecure is an Exchange 2003 Front-end server? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts