Exchange Server Forums


What is the difference?

All Forums >> [Microsoft Exchange 2007] >> Secure Messaging >> What is the difference? Page: [1]
What is the difference? - 27.Jul.2007 1:51:28 PM   
kmfrench

 

Posts: 15
Joined: 30.Apr.2003
From: Chicago, IL
Status: offline
I am trying to figure out the real security difference in a setup where a front-end server is on the DMZ and a back-end server is on the LAN verses a single server being on the DMZ.  It seems like I would have to open all the same ports from the DMZ to the LAN in either setup.  If this is the case then I am assuming the benefit of having the back-end server on the LAN is that the data is safer being stored there than on the DMZ and the fact that you aren't creating unnecessary traffic to and from the DMZ when mailboxes are syncing.

Or is there a better way to secure the exchange server?  We plan to enable OWA for after-hours use of the exchange server.  Also I am trying to avoid a proxy server.

Thank you in advance for any assistance.
Post #: 1
RE: What is the difference? - 27.Jul.2007 4:19:53 PM   
John Weber

 

Posts: 588
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
I have clients that wrestle with this very question.
Basically, you are faced with two scenarios if you don't want an ISA server:
1.  DMZ the CAS
2.  Leave everything behind the FW.

In #1, you will have to control the flow with the FW.  Access to the CAS will be 25 and 443.  From the DMZ to the AD, you will need to have serious restrictions, but still allow for AD traffic.
In #2, you simply bring only 25 and 443 from outside address to inside address. Do not allow the inside target to be a DC/GC - too many issues, in my mind, with putting a DC on the internet - even if it is only port 25 and 443.
And then harden the servers according to best practice, and monitor/watch it like a hawk.

I prefer #2.  Simpler and cleaner.

-jmw

(in reply to kmfrench)
Post #: 2
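The two-port exposure John describes in scenario #2 (only 25 and 443 from an outside address to the inside Exchange address, and never to a DC/GC) is easy to state and easy to drift away from as firewall rules accumulate. The following is an added example, not code from the thread or from Microsoft: a small Python audit that checks a rule set against exactly that policy and also emits the minimal compliant rule set. Host names (exch01, dc01), zone names and the Rule structure are constructed for illustration and do not correspond to any particular firewall product.

```python
"""Audit perimeter firewall rules against the scenario #2 policy:
from the outside, only TCP 25 (SMTP) and TCP 443 (HTTPS for OWA) may
reach the inside Exchange server, and no externally reachable rule
may forward to a domain controller / global catalog.

All hosts, zones and rules below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "outside", "dmz" or "inside"
    dst_host: str   # inside host the rule forwards to
    proto: str      # "tcp" or "udp"
    dport: int
    action: str     # "allow" or "deny"


# The only ports the thread allows from the outside to the Exchange server.
ALLOWED_INBOUND_PORTS = {("tcp", 25), ("tcp", 443)}


def build_scenario2_rules(exchange_host):
    """Minimal rule set for scenario #2: two allows, nothing else exposed."""
    return [
        Rule("smtp-in", "outside", exchange_host, "tcp", 25, "allow"),
        Rule("owa-in", "outside", exchange_host, "tcp", 443, "allow"),
    ]


def audit_inbound(rules, exchange_hosts, dc_hosts):
    """Return a list of findings; an empty list means the rules comply."""
    findings = []
    seen = set()
    for r in rules:
        # Only allow rules sourced from the outside expose anything.
        if r.action != "allow" or r.src_zone != "outside":
            continue
        if r.dst_host in dc_hosts:
            findings.append(f"{r.name}: forwards outside traffic to DC/GC {r.dst_host}")
            continue
        if r.dst_host not in exchange_hosts:
            findings.append(f"{r.name}: outside traffic reaches non-Exchange host {r.dst_host}")
            continue
        if (r.proto, r.dport) not in ALLOWED_INBOUND_PORTS:
            findings.append(f"{r.name}: port {r.proto}/{r.dport} is outside the allowed set")
            continue
        seen.add((r.proto, r.dport))
    # A compliant set must still carry both expected allows, or mail/OWA breaks.
    for proto, port in sorted(ALLOWED_INBOUND_PORTS - seen):
        findings.append(f"missing allow for {proto}/{port} to the Exchange server")
    return findings


# Constructed sample: the two intended rules plus two that drifted in.
SAMPLE_RULES = [
    Rule("smtp-in", "outside", "exch01", "tcp", 25, "allow"),
    Rule("owa-in", "outside", "exch01", "tcp", 443, "allow"),
    Rule("dc-https", "outside", "dc01", "tcp", 443, "allow"),   # violates the DC rule
    Rule("rpc-in", "outside", "exch01", "tcp", 135, "allow"),   # extra port exposed
    Rule("dmz-relay", "dmz", "exch01", "tcp", 25, "allow"),     # not outside-sourced, ignored
]

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES, {"exch01"}, {"dc01"}):
        print("FINDING:", finding)
    print("minimal set compliant:",
          audit_inbound(build_scenario2_rules("exch01"), {"exch01"}, {"dc01"}) == [])
```

Run it periodically against an export of the real rule base (translated into Rule records) rather than once at deployment; the DC/GC check in particular is the one that tends to be bypassed later "just for one service".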
RE: What is the difference? - 28.Jul.2007 4:19:00 AM   
Henrik Walther

 

Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
And perhaps I should add that MS recommendations are to put the CAS on the internal network


_____________________________

HTH
Henrik Walther
Exchange MVP | MCM: Exchange 2007
MCITP: EMA, MCITP: EA, MCSE: M+S

Order my Exchange Server 2007 Book!

(in reply to John Weber)
Post #: 3
RE: What is the difference? - 31.Jul.2007 1:21:46 PM   
kmfrench

 

Posts: 15
Joined: 30.Apr.2003
From: Chicago, IL
Status: offline
Thank you both for the advice.  This is certainly going to be an interesting project depending on how we decide to implement it.

Henrik, am I understanding you correctly that Microsoft recommends option #2 by putting the server on the LAN and only opening ports 25 and 443 to it?

Thanks again for your assistance.

(in reply to Henrik Walther)
Post #: 4
RE: What is the difference? - 31.Jul.2007 1:53:23 PM   
Henrik Walther

 

Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
Yes, that's correct. Only the Edge Transport server role should be deployed in the DMZ.


_____________________________

HTH
Henrik Walther
Exchange MVP | MCM: Exchange 2007
MCITP: EMA, MCITP: EA, MCSE: M+S

Order my Exchange Server 2007 Book!

(in reply to kmfrench)
Post #: 5
RE: What is the difference? - 29.Oct.2007 1:51:49 PM   
joggie721

 

Posts: 20
Joined: 28.Oct.2007
Status: offline
In general the only benefit to having a server in the DMZ is to allow it to do the "dirty work" outside of your company such as virus scanning and spam blocking.  This will take the load off your exchange server/ internal servers (oftentimes are hosting different apps).  Option # is the way to go but for the overkill you could put your email scanning in the dmz.

(in reply to Henrik Walther)
Post #: 6
RE: What is the difference? - 22.Nov.2007 9:37:20 AM   
Jesper Bernle

 

Posts: 221
Joined: 15.Oct.2007
From: Sweden
Status: offline
quote:

ORIGINAL: Henrik Walther

MCA: Messaging Apprentice



Cool. You have my full admiration, maan

_____________________________

Jesper Bernle
Enterprise Messaging Administrator

(in reply to Henrik Walther)
Post #: 7
RE: What is the difference? - 24.Nov.2007 5:26:52 AM   
Henrik Walther

 

Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
Thanks Jesper

It was indeed a tough journey...


_____________________________

HTH
Henrik Walther
Exchange MVP | MCM: Exchange 2007
MCITP: EMA, MCITP: EA, MCSE: M+S

Order my Exchange Server 2007 Book!

(in reply to Jesper Bernle)
Post #: 8
