RE: Exchange2K/DMZ

From: Fred Hawthorne (fred.hawthorne@msag.com)
Date: 07/11/02


Date: Thu, 11 Jul 2002 15:05:38 -0400
From: "Fred Hawthorne" <fred.hawthorne@msag.com>
To: <gegomez@tycoint.com>

Gene,

What would be the best way to do this with Microsoft W2K SMTP in the DMZ relaying to the E2K inside?

Fred

-----Original Message-----
From: Gene Gomez [mailto:gegomez@tycoint.com]
Sent: Thursday, July 11, 2002 10:18 AM
To: Nicole Tutt
Cc: focus-ms@securityfocus.com
Subject: RE: Exchange2K/DMZ

I'm assuming that by "opening ports for SSL and SMTP" below, you mean HTTPS (for OWA) and SMTP.

My favorite is setting up a Sendmail bridgehead server in the DMZ. You only need two services running:

1. Sendmail: Just set this guy up to forward ALL mail into the Exchange server by punching tcp/25 from the sendmail system to the Exchange system.

2. Port forwarder: You can approach this one of two ways. Either use stunnel (SSL comes into this system, is decrypted and forwarded in to the Exchange OWA system) and punch tcp/80 through the firewall from sendmail to Exchange, or ipchains (packets are SNATed to Exchange OWA and are encrypted end-to-end) and punch tcp/443 through.

Of course, there are other neat things you can do with this setup. You can run anti-spam rules on the bridgehead, anti-virus, or whatever you want.

HTH,
Gene

-----Original Message-----
From: Nicole Tutt [mailto:Nicolet@meddata.com]
Sent: Wednesday, July 10, 2002 3:46 PM
To: focus-ms@securityfocus.com
Subject: Exchange2K/DMZ

The LAN Administrator set up an Exchange server and placed it inside the
firewall - opening ports for SSL and SMTP to the Exchange box from the
outside world. I want to move the Exchange services to the DMZ. I'm not
that familiar with Exchange 2k specifically but am used to being able to
split out services from mail servers (i.e. put WebAccess and SMTP gateways)
and place vulnerable items in the DMZ or if not place the whole Exchange
server in the DMZ. The LAN admin is concerned because the Exchange server
has to see the domain controller on the inside net. How have others handled
this setup?

Thanks in advance
Nicole

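The two-service bridgehead Gene describes (sendmail forwarding all inbound mail to the inside Exchange host on tcp/25, stunnel terminating HTTPS and handing OWA to tcp/80 inside), written out as the config files it needs. This is an added example, not from anyone in the thread; the host addresses, domain and the output directory are arguments, so nothing here is a real site value.

```shell
#!/bin/sh
# Added example: render the sendmail and stunnel config for a DMZ bridgehead.
# Assumes sendmail built with FEATURE(mailertable) and an stunnel 4-style
# config file. Files are written under $1 so the script can be dry-run into
# a scratch directory; copy them to /etc/mail and /etc/stunnel when satisfied.
write_bridgehead_configs() {
    dir=$1 exch=$2 owa=$3 domain=$4
    mkdir -p "$dir"

    # sendmail mailertable: route everything for our domain to the inside
    # Exchange host over tcp/25 (the hole punched DMZ -> inside). Square
    # brackets skip the MX lookup so the DMZ host never loops mail to itself.
    # Rebuild the db afterwards with: makemap hash mailertable < mailertable
    printf '%s\tsmtp:[%s]\n' "$domain" "$exch" > "$dir/mailertable"

    # relay-domains: only relay for our own domain. Without this the
    # bridgehead accepts mail for any destination and becomes an open relay.
    printf '%s\n' "$domain" > "$dir/relay-domains"

    # stunnel: accept HTTPS on the DMZ host, decrypt, and forward the
    # cleartext OWA session to tcp/80 on the inside (Gene's first option).
    # Only tcp/80 from this host to the OWA server needs to be opened.
    cat > "$dir/stunnel.conf" <<EOF
cert = /etc/stunnel/owa.pem
setuid = nobody
setgid = nogroup
[owa]
accept = 443
connect = ${owa}:80
EOF
}

# Convenience check: print the matching line(s) of a generated file.
config_line() { grep -- "$2" "$1"; }
```

Run as `write_bridgehead_configs /tmp/bridgehead 10.0.0.5 10.0.0.6 example.com` (constructed addresses) and inspect the three files before installing them.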

