RE: Exchange in the DMZ
From: David Sommers (dsommers@dialogmedical.com)
Date: 11/26/02
- Previous message: Harris, Ken: "RE: Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)"
- Maybe in reply to: Dean Pullen: "Exchange in the DMZ"
- Next in thread: Rob Wilcox: "RE: Exchange in the DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Nov 2002 15:05:46 -0500
From: "David Sommers" <dsommers@dialogmedical.com>
To: <Matt.Carpenter@alticor.com>
But by only allowing SMTP traffic to be proxied back into Exchange, you
lose a lot of the benefits of Exchange.
If you want to use OWA securely or access Exchange using Outlook via the
Internet, read ISA's specs and you'll see that it was built for this.
ISA is a stateful firewall that also inspects the packets to ensure that
the data flowing over HTTP is indeed OWA related (w/ SSL of course).
If you honestly wanted to just use SMTP proxy with Exchange, then use
VPN to tunnel internally and access Exchange via the tunnel or send mail
using the US Postal Service.
From Microsoft's web site:
http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp
Configuring and Securing Exchange 2000 Server and Clients
Read this white paper to learn how ISA Server and Microsoft Exchange
2000 Server work together to make it possible for you to publish
internal servers to the Internet without compromising the security of
your network.
/David.
-----Original Message-----
From: Matt.Carpenter@alticor.com [mailto:Matt.Carpenter@alticor.com]
Sent: Tuesday, November 26, 2002 1:59 PM
To: David Sommers
Cc: Dean Pullen; focus-ms@lists.securityfocus.com; Pidgorny, Slav
Subject: RE: Exchange in the DMZ
It is my experience that most enterprise users of groupware (Microsoft
Exchange, Lotus Notes, Novell GroupWise) typically will front-end their
mail systems using some Unix MTA such as Postfix or Sendmail. The
stability and security of these platforms tends to be more reliable than
an Exchange server. It is my opinion that an Exchange server should
never be accessible from the outside... ever.
"David Sommers" <dsommers@dialogmedical.com>
I agree as well. ISA server has many benefits compared to using
front-end/back-end Exchange Servers, including the fact that you have
to run Exchange Enterprise as the front-end server, which costs more
than the Standard version. Plus ISA offers protection to OWA (web
access) and can provide externally encrypted RPC handling for directly
connecting Outlook from the Internet to your Exchange server.
This article provides information on whether or not ISA will benefit
you.
http://www.fawcette.com/dotnetmag/2002_12/magazine/columns/maximumexchange/
/David.
-----Original Message-----
From: Pidgorny, Slav [mailto:slav.pidgorny@anz.com]
Sent: Monday, November 25, 2002 10:54 PM
To: Dean Pullen; focus-ms@lists.securityfocus.com
Subject: RE: Exchange in the DMZ
Dean,
Some details about the error messages you have and event log entries
would be useful. Is there NAT in the picture? Can you resolve DNS names
on the DNS supporting AD? What about other connectivity (LDAP, LDAP to
GC, Kerberos over TCP and UDP, CIFS)?
Try to run Netmon and capture traffic from the front-end server during
startup. It helps.
Generally, I would recommend against Exchange front-end in DMZ because
too much connectivity is required back to the private intranet. Also I
think that DMZ should be a separate authentication domain.
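The connectivity list above, as an added example that is not part of the thread: a small Python audit that compares a constructed DMZ firewall rule set against the flows an Exchange front-end needs back to Active Directory (DNS, LDAP, LDAP to the Global Catalog, Kerberos over TCP and UDP, CIFS; the well-known port numbers and the rule syntax are assumptions) and flags any-port rules. It shows how many holes toward the intranet the design requires before it even starts.

```python
# Added example, not from the thread. Rule syntax, host names and ports are constructed/assumed.
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    name: str
    proto: str   # "tcp" or "udp"
    port: int


# Back-end flows named in the thread; well-known port numbers are assumed.
REQUIRED_FLOWS = [
    Flow("DNS", "udp", 53), Flow("DNS", "tcp", 53),
    Flow("LDAP", "tcp", 389),
    Flow("LDAP to Global Catalog", "tcp", 3268),
    Flow("Kerberos", "tcp", 88), Flow("Kerberos", "udp", 88),
    Flow("CIFS", "tcp", 445),
]

# Constructed DMZ rule set: 'permit <src> <dst> <proto> <port|any>', '#' starts a comment.
SAMPLE_RULES = """
permit owa-fe dc01 tcp 389         # LDAP to the domain controller
permit owa-fe dc01 tcp 88          # Kerberos over TCP only (UDP forgotten)
permit owa-fe dc01 udp 53          # DNS over UDP only
permit owa-fe fileserver tcp any   # over-broad: every TCP port to an intranet host
"""


def parse_rules(text: str) -> list:
    """Parse permit rules into (src, dst, proto, port) tuples; port None means 'any'."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        if action == "permit":
            rules.append((src, dst, proto.lower(), None if port == "any" else int(port)))
    return rules


def allows(rules: list, src: str, dst: str, flow: Flow) -> bool:
    """True if some rule permits src -> dst for this flow ('any' matches everything)."""
    return any(s in (src, "any") and d in (dst, "any") and p in (flow.proto, "any")
               and (port is None or port == flow.port) for s, d, p, port in rules)


def audit(rules: list, frontend: str, dc: str) -> tuple:
    """Return (required flows the rule set does not permit, any-port rules from the front-end)."""
    missing = [f for f in REQUIRED_FLOWS if not allows(rules, frontend, dc, f)]
    broad = [r for r in rules if r[0] == frontend and r[3] is None]
    return missing, broad


if __name__ == "__main__":
    missing, broad = audit(parse_rules(SAMPLE_RULES), "owa-fe", "dc01")
    print("missing:", [f"{f.name} {f.proto}/{f.port}" for f in missing])
    print("over-broad rules:", broad)
```

Every entry in the missing list is another firewall opening the front-end needs toward the intranet, which is the cost Slav's recommendation weighs against.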
- Next message: Dominick Baier: "IIS Log exactly 65.536 bytes ???"