RE: [fw-wiz] (no subject)

From: Don Goldstein (Don.Goldstein@CCBUSA.COM)
Date: 11/25/02

From: Don Goldstein <Don.Goldstein@CCBUSA.COM>
To: 'Skip Frizzell'
Date: Mon Nov 25 15:21:32 2002

You can put an outlook web access server in the DMZ and the Exchange server
on your LAN.

-----Original Message-----
From: Skip Frizzell
Sent: Sunday, November 24, 2002 7:56 AM
Subject: Re: [fw-wiz] (no subject)

Rather than putting an Exchange server in the DMZ, why not put something
that does just what you need? There is a lot of unnecessary overhead with
Exchange when all you need is an MTA and a web server.

That way instead of taking an exposed box and making it a member of your
you make it a stand alone system (I don't believe you need user accounts
since all it runs is the web page that connects to the Exchange server which is behind
firewall). Run an MTA such as Sendmail to catch the e-mail (also an
excellent place to run the antivirus and anti-spam software) and pass it along to the
server (only SMTP is required, rather than punching all the holes necessary
to make a domain work across a firewall).

Or you can do it the lazy way that I did and simply forward all the
necessary ports from your firewall back to the Exchange server. Send ports 25 and 80 back to
Exchange server and you have your functionality without spending the money
on a server and licenses. Of course you give up some security by sending
port 80 to the Exchange server. I would still create a second server (not
part of the domain) to run your IIS on so that you have some protection if
IIS gets hacked.

Let us know what you finally decide and how it works.


> Basically by putting the Exchange server in the LAN we
> can allow Outlook clients various public folder access
> within the LAN, plus a Domain Controller and Exchange
> setup on one machine. By placing the front-end
> Exchange box in the DMZ we can allow a public ip to be
> mapped to the internal exchange box, thus allowing
> SMTP mail, HTTP access to an IIS server, and OWA. All
> of which are necessary.
> --- Skip Frizzell wrote:
>> Hello Dean, instead of trying to implement the thing that someone told
>> you to do we should first try and figure out what you want to do and
>> discover the best way to do it.
>> What do you hope to accomplish by putting an Exchange server in the DMZ?
>> -=Skip
>> > I've basically been told that we require an Exchange
>> > system operated within our DMZ setup. After much
>> > reading I've decided to go for a front-end, back-end
>> > Exchange system, with the Exchange front-end in the DMZ
>> > and the back-end in the LAN. However, even though I've
>> > opened up all the ports specified in MS' white papers
>> > between the DMZ and LAN, I cannot connect to the
>> > domain/active directory from the Front-End server. How
>> > do I go about this? I mean all I am trying at the
>> > moment is to connect to our internal Domain by
>> > accessing the network ID in the My Computer properties
>> > and trying typing in the Domain. Do I have to do
>> > anything else?! Sorry for my amateurishness(!) but
>> > we're a small firm and cannot afford a fully-fledged
>> > exchange specialist, thus I'm doing it!

firewall-wizards mailing list