RE: [fw-wiz] (no subject)

From: Don Goldstein (Don.Goldstein@CCBUSA.COM)
Date: 11/25/02


From: Don Goldstein <Don.Goldstein@CCBUSA.COM>
To: "'Skip Frizzell'" <skip@blindpanic.com>, deanpullen@yahoo.com, firewall-wizards@honor.icsalabs.com
Date: Mon Nov 25 15:21:32 2002

You can put an Outlook Web Access server in the DMZ and the Exchange server on your LAN.

-----Original Message-----
From: Skip Frizzell [mailto:skip@blindpanic.com]
Sent: Sunday, November 24, 2002 7:56 AM
To: deanpullen@yahoo.com; firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] (no subject)

Rather than putting an Exchange server in the DMZ, why not put something that does just what you need? There is a lot of unnecessary overhead with Exchange when all you need is an MTA and a web server.

That way instead of taking an exposed box and making it a member of your network you make it a stand alone system (I don't believe you need user accounts since all it runs is the web page that connects to the Exchange server which is behind the firewall). Run an MTA such as Sendmail to catch the e-mail (also an excellent place to run the antivirus and anti-spam software) and pass it along to the Exchange server (only SMTP is required, rather than punching all the holes necessary to make a domain work across a firewall).

Or you can do it the lazy way that I did and simply forward all the necessary ports from your firewall back to the Exchange server. Send ports 25 and 80 back to the Exchange server and you have your functionality without spending the money on a server and licenses. Of course you give up some security by sending port 80 to the Exchange server; I would still create a second server (not part of the domain) to run your IIS on so that you have some protection if IIS gets hacked.

Let us know what you finally decide and how it works.

     -=Skip

> Basically by putting the Exchange server in the LAN we
> can allow Outlook clients various public folder access
> within the LAN, plus a Domain Controller and Exchange
> setup on one machine. By placing the front-end
> Exchange box in the DMZ we can allow a public IP to be
> mapped to the internal Exchange box, thus allowing
> SMTP mail, HTTP access to an IIS server, and OWA. All
> of which are necessary.
>
> --- Skip Frizzell <skip@blindpanic.com> wrote:
>> Hello Dean, instead of trying to implement the thing that someone told you
>> to do we should first try and figure out what you want to do and discover
>> the best way to do it.
>>
>> What do you hope to accomplish by putting an
>> exchange server in the DMZ?
>>
>> -=Skip
>>
>> > I've basically been told that we require an Exchange
>> > system operated within our DMZ setup. After much
>> > reading I've decided to go for a front-end, back-end
>> > Exchange system, with the Exchange front-end in the DMZ
>> > and the back-end in the LAN. However, even though I've
>> > opened up all the ports specified in MS' white papers
>> > between the DMZ and LAN, I cannot connect to the
>> > domain/active directory from the Front-End server. How
>> > do I go about this? I mean all I am trying at the
>> > moment is to connect to our internal Domain by
>> > accessing the network ID in the My Computer properties
>> > and trying typing in the Domain. Do I have to do
>> > anything else?! Sorry for my amateurishness(!) but
>> > we're a small firm and cannot afford a fully-fledged
>> > exchange specialist, thus I'm doing it!

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
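
Added example, not part of any message in the thread: a small audit that checks a firewall rule list against the relay layout Skip describes, where the Internet reaches only DMZ hosts and the DMZ reaches the LAN only over SMTP to the Exchange server. The zone names, IP addresses, rule sets and the sample domain ports are constructed for illustration.

```python
from dataclasses import dataclass

EXCHANGE = "10.0.0.10"  # hypothetical LAN address of the back-end Exchange server

@dataclass(frozen=True)
class Rule:
    src_zone: str  # "internet", "dmz" or "lan"
    dst_zone: str
    dst_ip: str
    proto: str
    port: int

def audit(rules, allowed=frozenset({("tcp", 25)})):
    """Return (rule, finding) pairs for rules that open the LAN further than
    the relay design: nothing from the Internet, and from the DMZ only the
    `allowed` (proto, port) pairs, and only to the Exchange server."""
    findings = []
    for r in rules:
        if r.dst_zone != "lan" or r.src_zone == "lan":
            continue  # only rules that let another zone into the LAN matter
        if r.src_zone == "internet":
            findings.append((r, "Internet forwarded straight to the LAN"))
        elif r.dst_ip != EXCHANGE:
            findings.append((r, "DMZ reaches a LAN host other than Exchange"))
        elif (r.proto, r.port) not in allowed:
            findings.append((r, "DMZ-to-LAN port outside the allowed set"))
    return findings

# Constructed rule sets for the three layouts discussed in the thread.
RELAY = [
    Rule("internet", "dmz", "192.0.2.25", "tcp", 25),  # MTA in the DMZ
    Rule("internet", "dmz", "192.0.2.80", "tcp", 80),  # web front end in the DMZ
    Rule("dmz", "lan", EXCHANGE, "tcp", 25),           # relay hands mail inward
]
PORT_FORWARD = [  # ports 25 and 80 forwarded from the firewall to Exchange
    Rule("internet", "lan", EXCHANGE, "tcp", 25),
    Rule("internet", "lan", EXCHANGE, "tcp", 80),
]
DOMAIN_MEMBER = RELAY + [  # DMZ host joined to the domain; sample ports only
    Rule("dmz", "lan", EXCHANGE, "tcp", 88),   # Kerberos
    Rule("dmz", "lan", EXCHANGE, "tcp", 389),  # LDAP
    Rule("dmz", "lan", EXCHANGE, "tcp", 445),  # SMB
]

if __name__ == "__main__":
    for name, rs in [("relay", RELAY), ("port-forward", PORT_FORWARD),
                     ("domain member", DOMAIN_MEMBER)]:
        print(name, [(r.port, why) for r, why in audit(rs)])
```

The thread does not say which port the DMZ web page uses to reach Exchange; whatever it is would be added to `allowed` as a deliberate, reviewed exception.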


