RE: Exchange2K/DMZ

From: Renouf, Phillip (prenouf@Mobility.com)
Date: 07/11/02


From: "Renouf, Phillip" <prenouf@Mobility.com>
To: focus-ms@securityfocus.com
Date: Thu, 11 Jul 2002 16:14:06 -0400

I agree with putting an SMTP bridgehead box in the DMZ and relaying all mail
to/from the Exchange SMTP server on the internal network. You can also use
the built-in SMTP server in IIS to do this as long as the load on the
mailserver is not ridiculous, but sendmail would be preferable.

As for the port forwarding, I'd suggest setting up an ISA Server in the DMZ
as a proxy only server and use Web Publishing to publish the OWA server and
enable SSL both to the ISA box and between the ISA server and the backend
WebAccess server. With this setup you can also restrict what directories can
be accessed via HTTP on the ISA server. Port forwarding is ok, but I think
the idea of a proxy in between is a bit more secure.

Phil

> I'm assuming that by "opening ports for SSL and SMTP" below, you mean
> HTTPS (for OWA) and SMTP. My favorite is setting up a Sendmail
> bridgehead server in the DMZ. You only need two services running:
>
> 1. Sendmail: Just set this guy up to forward ALL mail into the Exchange
> server by punching tcp/25 from the sendmail system to the Exchange
> system.
>
> 2. Port forwarder: You can approach this one of two ways. Either use
> stunnel (SSL comes into this system, is decrypted and forwarded in to
> the Exchange OWA system) and punch tcp/80 through the firewall from
> sendmail to Exchange, or ipchains (packets are SNATed to Exchange OWA
> and are encrypted end-to-end) and punch tcp/443 through.
>
> Of course, there are other neat things you can do with this setup. You
> can run anti-spam rules on the bridgehead, anti-virus, or whatever you
> want.
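As an added example (not configuration from either poster), here is a sendmail.mc for the relay-only DMZ bridgehead both messages describe: it keeps no mailboxes, accepts inbound mail only for the local domain, hands every message to the internal Exchange server over tcp/25, and relays outbound mail only from that server. The domain, hostnames, addresses, DNSBL zone and file paths are assumptions.

```m4
divert(-1)dnl
dnl Added example (not either poster's configuration): sendmail.mc for a
dnl DMZ bridgehead that keeps no mailboxes and forwards everything for
dnl example.com to the internal Exchange server over tcp/25. The domain,
dnl hostnames, addresses, DNSBL zone and paths are assumptions.
divert(0)dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`dmz-bridgehead')dnl
OSTYPE(`linux')dnl
dnl Refuse VRFY/EXPN/ETRN, require HELO, and restrict who may run the queue.
define(`confPRIVACY_FLAGS', `goaway,restrictqrun')dnl
dnl Cap message size so the relay cannot be used to flood the Exchange store.
define(`confMAX_MESSAGE_SIZE', `20000000')dnl
dnl Route every accepted domain to the internal server. Square brackets
dnl skip the MX lookup and connect directly to that host.
dnl   /etc/mail/mailertable (build with makemap hash):
dnl   example.com    esmtp:[exchange.internal.example.com]
dnl   .example.com   esmtp:[exchange.internal.example.com]
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
dnl Accept inbound mail for our domain only (adds it to the relay-domains class).
RELAY_DOMAIN(`example.com')dnl
dnl Allow outbound relaying only from the Exchange server itself; anyone
dnl else connecting to this box can only send mail *to* example.com.
dnl   /etc/mail/access (build with makemap hash):
dnl   Connect:10.0.0.25    RELAY
dnl   Connect:127.0.0.1    RELAY
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
dnl Anti-spam on the bridgehead, as the quoted post suggests:
dnl reject connections listed in a DNS blocklist (placeholder zone).
FEATURE(`dnsbl', `dnsbl.example.net')dnl
dnl No UUCP addressing, and allow per-recipient blocking via the access db.
FEATURE(`nouucp', `reject')dnl
FEATURE(`blacklist_recipients')dnl
dnl Never add promiscuous_relay here: it would turn the box into an open relay.
MASQUERADE_AS(`example.com')dnl
MAILER(`smtp')dnl
```

Two points worth checking after generating sendmail.cf from this: do not list example.com in /etc/mail/local-host-names, because a domain in that file is delivered locally on the bridgehead and never reaches the mailertable; and confirm the firewall permits only tcp/25 from the bridgehead to the Exchange host, so the DMZ box cannot reach anything else inside even if it is compromised.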


