Exchange Server Forums
Deploying Exchange in and demo environment
Deploying Exchange in and demo environment - 17.Mar.2007 8:55:10 AM
masterscheef (Posts: 4, Joined: 17.Mar.2007)
Hi, I'm making a demonstration environment for my company. I want to deploy Exchange 2007 for mail and unified messaging in combination with an IP telephony environment. From outside the network, OWA and OVA must be accessible, but I don't know how I can do that. From the inside everything must be accessible. My network looks like this:

internal --------- Three-legged DMZ ------- external

I don't have ISA Server. I just use a router with firewall capabilities. I want to use as few servers as possible but still make the environment secure enough for a demonstration network for customers. How must I deploy my servers? I thought Edge Transport in the DMZ and the other roles in the internal network. But is it then possible to access OWA from the outside without putting my inside network in danger?

I also want to make use of VMware to deploy my servers, because the environment will also be used as a test environment, so if there is a demonstration they can quickly mount the image and run it. I thought of 1 server with two NICs, one in the internal network and one in the DMZ. Will this bring extra security issues? I think not, because the servers will be in other networks and will only communicate through the router. For the environment only a couple of users will be created, max 10. Can you help me with how I can deploy this, and give me some suggestions? Many thanks

RE: Deploying Exchange in and demo environment - 18.Mar.2007 10:36:55 AM
Henrik Walther (Posts: 6928, Joined: 21.Nov.2002, From: Copenhagen, Denmark)
Since all roles, except the Edge Transport server role, can be installed on the same server, you could have this up and running by using one single VMware guest. All roles except the Edge Transport server role should be located on the internal network.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!

RE: Deploying Exchange in and demo environment - 18.Mar.2007 2:00:21 PM
masterscheef (Posts: 4, Joined: 17.Mar.2007)
OK, but what setup must I make to deploy Exchange securely with OWA and OVA access for external users? I mean, which server role must be in the DMZ for this to happen?

RE: Deploying Exchange in and demo environment - 18.Mar.2007 4:05:50 PM
Henrik Walther (Posts: 6928, Joined: 21.Nov.2002, From: Copenhagen, Denmark)
No E2K7 server roles, except the Edge Transport, should be deployed in the DMZ. The Client Access server, which is the one that proxies OWA, OVA etc. to the Mailbox and Unified Messaging server roles, should also be located on the internal network. Best practice is to publish the E2K7 roles using an ISA Server in the DMZ though.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!

RE: Deploying Exchange in and demo environment - 19.Mar.2007 5:29:01 AM
masterscheef (Posts: 4, Joined: 17.Mar.2007)
What is effectively the result of putting an ISA server in the DMZ? Do I have to open fewer ports than when I put only an Exchange server in the LAN? Or what is technically the worth of using an ISA in my DMZ? Because I don't want to make a server publicly available in my internal LAN. I hope you can tell me why I should choose an ISA in the DMZ, and what the pros and cons are against putting only an Exchange 2007 in the internal LAN directly to the internet / putting the Exchange Edge in the DMZ and the rest of the roles internal. Greetings
< Message edited by masterscheef -- 19.Mar.2007 5:37:29 AM >

RE: Deploying Exchange in and demo environment - 19.Mar.2007 7:46:32 AM
Henrik Walther (Posts: 6928, Joined: 21.Nov.2002, From: Copenhagen, Denmark)
Well the purpose of ISA Server is primarily to publish the Exchange protocols/services in the most secure way possible. If it's only for demo purposes, you could also just open the ports to the servers located directly on the internal network.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!

RE: Deploying Exchange in and demo environment - 19.Mar.2007 6:27:28 PM
masterscheef (Posts: 4, Joined: 17.Mar.2007)
OK, I understand that. But which security risks do I have when I just open the ports? Is there no middle way? I don't need it to be as secure as with ISA, because it means that my demonstration IP telephony network will be harder to set up. But I don't want to publish my internal server. So is there no middle way in this so that I have security without the need for an ISA server? Also, I read that transport edge needs two NICs, but is it also possible if I use one NIC, because my DMZ is a three-legged router? And isn't it more secure when I use Edge Transport than when I directly connect my internal Exchange server? Or does the transport edge not provide security on the external connection level? Greetings

RE: Deploying Exchange in and demo environment - 20.Mar.2007 2:54:19 AM
Henrik Walther (Posts: 6928, Joined: 21.Nov.2002, From: Copenhagen, Denmark)
You should be fine with an Edge Transport server with one NIC too. The security is still good. I don't really know what the middle way should be, if you don't have a reverse proxy firewall in your DMZ. But as mentioned you can just skip the ISA Server if this is a non-production environment. As long as you at least use SSL, it should be ok for this purpose.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!

RE: Deploying Exchange in and demo environment - 20.Mar.2007 4:48:16 AM
BeTaCam (Posts: 423, Joined: 24.Feb.2003, From: India)
Hi

Couple of quick pointers.

1. The ISA Server required?
It is recommended to use an ISA Server (2006) to publish the Exchange traffic via SSL. From the internet, you will open only port 443 to the ISA Server. In this environment, however, you would have to NAT your public IP on port 443 to the Client Access server role. So why don't you have 2 servers here, 1 Client Access Server and 1 Mailbox Server? (In case you are virtualizing, it's easier to set up additional boxes.) Install the CAS Server and NAT from your router to the CAS Server to listen only on port 443.

2. What to place in the DMZ?
Only the Edge Transport Server needs to be placed in the DMZ. The rest of the server roles (Client Access server, Hub Transport server, Mailbox server roles) should reside in the corporate network. The Edge server should have 2 NICs ideally. The network ports that need to be opened are as follows.
- External (public facing) NIC - Allow only TCP 25 from Internet.
- Internal (connects to AD and Exchange) - Allow TCP 25 / TCP 50636 / TCP 50389 / TCP 3389

HTH
BC.
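
An added example (not part of BeTaCam's post or of any Exchange tooling): a small Python check that compares a router's allow rules and server placement against the role placement and port guidance given in this thread. The rule syntax, the endpoint names (`internet`, `cas`, `edge`, `internal`) and the host names are constructed for illustration.

```python
import re

# Policy as stated in the thread; endpoint names and rule syntax are constructed.
EDGE_INTERNAL = {25, 50636, 50389, 3389}
ALLOWED = {
    ("internet", "cas"): {443},            # OWA/OVA over SSL, NAT to the CAS
    ("internet", "edge"): {25},            # inbound SMTP to Edge Transport
    ("edge", "internal"): EDGE_INTERNAL,   # the post gives no direction, so
    ("internal", "edge"): EDGE_INTERNAL,   # both are accepted (assumption)
}
DMZ_ROLES = {"edge"}                       # only Edge Transport sits in the DMZ
RULE_RE = re.compile(r"allow\s+(tcp|udp)\s+(\w+)\s*->\s*(\w+)\s+(\S+)$")

def parse_ports(spec):
    """Expand '443', '25,443', '1024-1030' or 'any' into a set of ints."""
    if spec == "any":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, placement):
    """Return findings for placements and allow rules outside the policy."""
    findings = []
    for host, (role, zone) in placement.items():
        if zone == "dmz" and role not in DMZ_ROLES:
            findings.append(f"{host}: role '{role}' should not be in the DMZ")
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            findings.append(f"unparsed rule: {line!r}")
            continue
        proto, src, dst, spec = m.groups()
        allowed = ALLOWED.get((src, dst), set()) if proto == "tcp" else set()
        extra = sorted(parse_ports(spec) - allowed)
        if extra:
            findings.append(f"{src}->{dst} {proto}: {len(extra)} port(s) "
                            f"outside policy, e.g. {extra[:5]}")
    return findings

# Constructed sample: two compliant rules, two over-broad ones, one misplaced role.
SAMPLE_RULES = ["allow tcp internet -> cas 443", "allow tcp edge -> internal 25,50636",
                "allow tcp internet -> cas 80,443", "allow tcp internet -> internal 3389"]
SAMPLE_PLACEMENT = {"ex-edge": ("edge", "dmz"), "ex-cas": ("cas", "dmz")}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES, SAMPLE_PLACEMENT)))
```

Once the actual direction of each Edge-to-internal flow is known for the deployment, the two `EDGE_INTERNAL` entries can be narrowed to one-way sets.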

RE: Deploying Exchange in and demo environment - 21.Mar.2007 1:14:29 PM
DrShinder (Posts: 41, Joined: 25.Jul.2006)
The fact is that the ISA Firewall doesn't need, nor do I recommend, that the ISA Firewall be placed in a DMZ. The ISA Firewall was designed as an edge firewall, and has a security history superior to any other firewall on the market today (that is to say, NO security incidents on www.secunia.com). I don't know why people state that the ISA Firewall should be "in a DMZ".

HTH,
Tom
Thomas W. Shinder MVP -- ISA Firewalls.