What is the difference? (Full Version)

All Forums >> [Microsoft Exchange 2007] >> Secure Messaging



Message

kmfrench -> What is the difference? (27.Jul.2007 1:51:28 PM)

I am trying to figure out the real security difference in a setup where a front-end server is on the DMZ and a back-end server is on the LAN verses a single server being on the DMZ.  It seems like I would have to open all the same ports from the DMZ to the LAN in either setup.  If this is the case then I am assuming the benefit of having the back-end server on the LAN is that the data is safer being stored there than on the DMZ and the fact that you aren't creating unnecessary traffic to and from the DMZ when mailboxes are syncing.

Or is there a better way to secure the exchange server?  We plan to enable OWA for after-hours use of the exchange server.  Also I am trying to avoid a proxy server.

Thank you in advance for any assistance.



John Weber -> RE: What is the difference? (27.Jul.2007 4:19:53 PM)

I have clients that wrestle with this very question.
Basically, youi are faced with two scenarios if you don't want an ISA server:
1.  DMZ the CAS
2.  Leave everything behind the FW.

In #1, you will have to control the flow with the FW.  Access to the CAS will be 25 and 443.  From the DMZ to the AD, you will need to have serious restrictions, but still allow for AD traffic.
In #2, you simply bring only 25 and 443 from outside address to inside address. Do not allow the inside target to be a DC/GC - to many issues, in my mind, with putting a DC on the internet - even if it is only port 25 and 443.
And then harden the servers according to best practice, and monitor/watch it like a hawk.

I prefer #2.  Simpler and cleaner.

-jmw



Henrik Walther -> RE: What is the difference? (28.Jul.2007 4:19:00 AM)

And perhaps I should add that MS recommendations are to put the CAS on the internal network [8D]



kmfrench -> RE: What is the difference? (31.Jul.2007 1:21:46 PM)

Thank you both for the advice.  This is certainly going to be an interesting project depending on how we decide to implement it.

Henrik, am I understanding you correctly that Microsoft recommends option #2 by putting the server on the LAN and only opening ports 25 and 443 to it?

Thanks again for your assistance.



Henrik Walther -> RE: What is the difference? (31.Jul.2007 1:53:23 PM)

Yes thats correct. Only the Edge Transport server role should be deployed in the DMZ.



joggie721 -> RE: What is the difference? (29.Oct.2007 1:51:49 PM)

In general the only benifit to having a server in the DMZ is to allow it to do the "dirty work" outside of your company such as virus scaning and spam blocking.  this will take the load off your exchange server/ internal servers (often times are hosting different apps)  option # is the way to go but for the over kill you could put your email scaning in the dmz.



Jesper Bernle -> RE: What is the difference? (22.Nov.2007 9:37:20 AM)

quote:

ORIGINAL: Henrik Walther

MCA: Messaging Apprentice



Cool. You have my full admiration, maan [;)]



Henrik Walther -> RE: What is the difference? (24.Nov.2007 5:26:52 AM)

Thanks Jesper [8D]

It was indeed a tough journey...



Page: [1]