RE: Exchange2K/DMZ
From: Fred Hawthorne (email@example.com)
- Maybe in reply to: Nicole Tutt: "Exchange2K/DMZ"
Date: Thu, 11 Jul 2002 15:05:38 -0400
From: "Fred Hawthorne" <email@example.com>
To: <firstname.lastname@example.org>

What would be the best way to do this with Microsoft W2K SMTP in the DMZ relaying to the E2K inside?

I'm assuming that by "opening ports for SSL and SMTP" below, you mean HTTPS
(for OWA) and SMTP.

My favorite is setting up a Sendmail bridgehead server in the DMZ. You only
need two services running:

1. Sendmail: Just set this guy up to forward ALL mail into the Exchange
server by punching tcp/25 from the sendmail system to the Exchange system.

2. Port forwarder: You can approach this one of two ways. Either use
stunnel (SSL comes into this system, is decrypted and forwarded in to the
Exchange OWA system) and punch tcp/80 through the firewall from sendmail to
Exchange, or ipchains (packets are SNATed to Exchange OWA and are encrypted
end-to-end) and punch tcp/443 through.

Of course, there are other neat things you can do with this setup. You can
run anti-spam rules on the bridgehead, anti-virus, or whatever you want.

The LAN Administrator set up an Exchange server and placed it inside the
firewall - opening ports for SSL and SMTP to the Exchange box from the
outside world. I want to move the Exchange services to the DMZ. I'm not
that familiar with Exchange 2k specifically but am used to being able to
split out services from mail servers (i.e. put WebAccess and SMTP gateways)
and place vulnerable items in the DMZ or if not place the whole Exchange
server in the DMZ. The LAN admin is concerned because the Exchange server
has to see the domain controller on the inside net. How have others handled

Thanks in advance
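
An added example, not part of the thread: a Python check that audits a firewall rule list against the bridgehead design discussed above, flagging any flow into the inside net that is not bridgehead-to-Exchange on tcp/25, tcp/80 or tcp/443. All addresses, the `Rule` format and the rule sets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing plan (assumption; the thread gives no addresses).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/28")
BRIDGEHEAD = ipaddress.ip_address("192.0.2.10")   # Sendmail + port forwarder
EXCHANGE = ipaddress.ip_address("10.0.0.25")

# Inward flows the thread describes: SMTP relay, plus OWA on tcp/80
# (stunnel variant) or tcp/443 (ipchains variant).
ALLOWED_INWARD = {(BRIDGEHEAD, EXCHANGE, p) for p in (25, 80, 443)}

class Rule(NamedTuple):
    src: str    # "any", a host address, or a CIDR block
    dst: str    # destination host address
    port: int   # TCP destination port

def audit(rules):
    """Return (origin, src, dst, port) for every rule that lets traffic into
    the inside net other than the bridgehead's own flows to Exchange."""
    findings = []
    for r in rules:
        dst = ipaddress.ip_address(r.dst)
        if dst not in INTERNAL:
            continue                      # flow ends in the DMZ or outside
        src = ipaddress.ip_network("0.0.0.0/0" if r.src == "any" else r.src)
        if src.subnet_of(INTERNAL):
            continue                      # inside-to-inside, not crossing the firewall
        if src.num_addresses == 1 and (src.network_address, dst, r.port) in ALLOWED_INWARD:
            continue                      # exactly the bridgehead flow
        origin = "dmz" if src.subnet_of(DMZ) else "outside"
        findings.append((origin, r.src, r.dst, r.port))
    return findings

# Constructed rule sets: the setup from the original question, then the bridgehead design.
ORIGINAL = [Rule("any", "10.0.0.25", 25), Rule("any", "10.0.0.25", 443)]
BRIDGEHEAD_STUNNEL = [
    Rule("any", "192.0.2.10", 25), Rule("any", "192.0.2.10", 443),
    Rule("192.0.2.10", "10.0.0.25", 25), Rule("192.0.2.10", "10.0.0.25", 80),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("bridgehead", BRIDGEHEAD_STUNNEL)):
        print(name, audit(rules))
```

A rule that opens the whole DMZ subnet to Exchange, or a DMZ host to another inside address such as a domain controller, is reported with origin `dmz`.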