RE: Exchange in the DMZ

From: Pidgorny, Slav (slav.pidgorny@anz.com)
Date: 11/26/02

    Date: Tue, 26 Nov 2002 14:53:34 +1100
    From: "Pidgorny, Slav" <slav.pidgorny@anz.com>
    To: "Dean Pullen" <deanpullen@yahoo.com>, <focus-ms@lists.securityfocus.com>
    

    Dean,

    Some details about the error messages you have and event log entries would be useful. Is there NAT in the picture? Can you resolve DNS names on the DNS supporting AD? What about other connectivity (LDAP, LDAP to GC, Kerberos over TCP and UDP, CIFS)?

    Try to run Netmon and capture traffic from the front-end server during startup. It helps.

    Generally, I would recommend against Exchange front-end in DMZ because too much connectivity is required back to the private intranet. Also I think that DMZ should be a separate authentication domain.

    Regards

    Slav

    -----Original Message-----
    From: Dean Pullen [mailto:deanpullen@yahoo.com]
    Sent: Saturday, 23 November 2002 10:01 PM
    To: focus-ms@lists.securityfocus.com
    Subject: Exchange in the DMZ

    Hi guys,

    I've basically been told that we require an Exchange
    system operated within our DMZ setup. After much
    reading I've decided to go for a front-end, back-end
    Exchange system, with the Exchange front-end in the DMZ
    and the back-end in the LAN. However, even though I've
    opened up all the ports specified in MS' white papers
    between the DMZ and LAN, I cannot connect to the
    domain/active directory from the Front-End server. How
    do I go about this? I mean all I am trying at the
    moment is to connect to our internal Domain by
    accessing the network ID in the My Computer properties
    and trying typing in the Domain. Do I have to do
    anything else?! Sorry for my amateurishness(!) but
    we're a small firm and cannot afford a fully-fledged
    exchange specialist, thus I'm doing it!

    Thanks in advance.

    Dean Pullen.
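
An added example, not part of the original thread: a small audit that checks a DMZ-to-LAN rule set against the services the reply asks about (DNS, LDAP, LDAP to GC, Kerberos over TCP and UDP, CIFS). The well-known port numbers, the first-match-wins rule model and the sample rules are assumptions made for illustration; this is not the full port list from the Microsoft white papers.

```python
from dataclasses import dataclass

# Services named in the reply, mapped to their standard well-known ports.
# Assumption: this covers only those services, not the white papers' full list.
REQUIRED = {
    "DNS": [("tcp", 53), ("udp", 53)],
    "Kerberos": [("tcp", 88), ("udp", 88)],
    "LDAP": [("tcp", 389)],
    "LDAP to GC": [("tcp", 3268)],
    "CIFS": [("tcp", 445)],
}

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first port in range
    hi: int      # last port in range

def first_match(rules, proto, port):
    """Action of the first rule matching proto/port; default deny (assumed model)."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return "deny"

def audit(rules):
    """Map each required service to the (proto, port) flows the rule set blocks."""
    gaps = {}
    for svc, flows in REQUIRED.items():
        blocked = [(p, n) for p, n in flows if first_match(rules, p, n) != "allow"]
        if blocked:
            gaps[svc] = blocked
    return gaps

# Constructed DMZ-to-LAN rule set: TCP opened, UDP forgotten, GC port missed.
SAMPLE_RULES = [
    Rule("allow", "tcp", 53, 53),
    Rule("allow", "tcp", 88, 88),
    Rule("allow", "tcp", 389, 389),
    Rule("allow", "tcp", 445, 445),
    Rule("deny", "any", 1, 65535),
]

if __name__ == "__main__":
    for svc, blocked in audit(SAMPLE_RULES).items():
        print(f"{svc}: blocked {blocked}")
```

Every flow the audit reports as open is also a path from the DMZ host into the intranet, which is the connectivity cost the reply warns about.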



