How insecure is an Exchange 2003 Front-end server? (Full Version)






Zulan -> How insecure is an Exchange 2003 Front-end server? (14.Jan.2005 10:15:00 AM)

Hello!

I am planning to use a Front-End exchange server to publish Outlook Web Access (OWA) to my users over the internet. I have a checkpoint fw-1 firewall and I am planning to put the Front-end server on my DMZ. The front-end Exchange server is a 2003, and the back-end is a 2000. If possible I would like to avoid the extra configuration and cost involving an ISA server but I am still quite concerned about security.

I have done some testing and I had to open up these ports from my DMZ to my internal network.

From front-end exchange server to back-end exchange server:

(My back-end exchange server also acts as backup AD and DNS server)
691
389, tcp and udp for LDAP
3268
88 tcp and udp for Kerberos
135 RPC
443 https
1600
80 http
139 Netbios

From Front-end exchange server to primary internal DNS server and AD server.
3268
53 tcp and udp for domain verification

I find them to be quite a few and to be honest I feel a little insecure about opening up so many ports. Is there a better way to do this? What are the risks, are they minor? Am I being paranoid? How did you solve it?

Thanks for your input
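An added example, not from the thread: the poster's port list modelled as a firewall rule set, with a check of which openings let a DMZ host reach domain services (Kerberos, RPC, NetBIOS, LDAP/GC) on the internal network. Zone names dmz-fe, int-be and int-dc are assumptions; proto "*" stands for a rule the poster gave without saying tcp or udp.

```python
"""Audit of the DMZ-to-internal firewall openings listed in the post above.

Added example, not the thread's own material. RULES is a constructed model of
the ports the poster listed; dmz-fe / int-be / int-dc are assumed zone names.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port proto")

RULES = [
    # Front-end -> back-end (the back-end is also a backup AD/DNS server).
    Rule("dmz-fe", "int-be", 691, "*"),
    Rule("dmz-fe", "int-be", 389, "tcp"), Rule("dmz-fe", "int-be", 389, "udp"),
    Rule("dmz-fe", "int-be", 3268, "*"),
    Rule("dmz-fe", "int-be", 88, "tcp"), Rule("dmz-fe", "int-be", 88, "udp"),
    Rule("dmz-fe", "int-be", 135, "tcp"),
    Rule("dmz-fe", "int-be", 443, "tcp"),
    Rule("dmz-fe", "int-be", 1600, "*"),
    Rule("dmz-fe", "int-be", 80, "tcp"),
    Rule("dmz-fe", "int-be", 139, "tcp"),
    # Front-end -> primary internal DNS / AD server.
    Rule("dmz-fe", "int-dc", 3268, "*"),
    Rule("dmz-fe", "int-dc", 53, "tcp"), Rule("dmz-fe", "int-dc", 53, "udp"),
]

# Ports that expose the directory itself rather than the HTTP(S) surface OWA needs.
DOMAIN_SERVICE_PORTS = {88: "Kerberos", 135: "RPC endpoint mapper",
                        139: "NetBIOS session", 389: "LDAP", 3268: "Global Catalog"}


def is_allowed(src, dst, port, proto, rules=RULES):
    """True if a flow matches an allow rule; proto "*" matches both tcp and udp."""
    return any(r.src == src and r.dst == dst and r.port == port
               and r.proto in (proto, "*") for r in rules)


def directory_exposure(rules=RULES, dmz_prefix="dmz-"):
    """Rules that let a DMZ host reach domain services on the internal network.

    Each one is a direct path from the DMZ into the directory, which is the
    risk behind the advice not to place the front-end in the DMZ."""
    return [(r.dst, r.port, r.proto, DOMAIN_SERVICE_PORTS[r.port]) for r in rules
            if r.src.startswith(dmz_prefix) and r.port in DOMAIN_SERVICE_PORTS]


def unique_ports(rules=RULES):
    """Distinct destination ports opened from the DMZ, for the change record."""
    return sorted({r.port for r in rules})


if __name__ == "__main__":
    for hit in directory_exposure():
        print("DMZ -> %s %s/%s (%s)" % hit)
    print("distinct ports opened from the DMZ:", unique_ports())
```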




mark@mvps.org -> RE: How insecure is an Exchange 2003 Front-end server? (17.Jan.2005 8:19:00 PM)

You simply don't put the FE in a DMZ for the very reasons you have discovered.
If you want to provide OWA and RPC over HTTPS access from the Internet into your network and can only afford two boxes then put an ISA in a DMZ (in a workgroup and not attached to the domain). Then publish the OWA on the mailbox server.
You don't actually need an FE, especially if the number of users involved isn't huge.



