RE: Exchange in the DMZ

From: David Sommers
Date: 11/26/02

    Date: Tue, 26 Nov 2002 15:05:46 -0500
    From: "David Sommers" <>
    To: <>

    But by only allowing SMTP traffic to be proxied back into Exchange, you
    lose a lot of the benefits of Exchange.

    If you want to use OWA securely or access Exchange using Outlook via the
    Internet, read ISA's specs and you'll see that it was built for this.
    ISA is a stateful firewall that also inspects the packets to ensure that
    the data flowing over HTTP is indeed OWA related (w/ SSL of course).

    If you honestly wanted to just use SMTP proxy with Exchange, then use
    VPN to tunnel internally and access Exchange via the tunnel or send mail
    using the US Postal Service.

    From Microsoft's web site:
    Configuring and Securing Exchange 2000 Server and Clients
    Read this white paper to learn how ISA Server and Microsoft Exchange
    2000 Server work together to make it possible for you to publish
    internal servers to the Internet without compromising the security of
    your network.


    -----Original Message-----
    From: []
    Sent: Tuesday, November 26, 2002 1:59 PM
    To: David Sommers
    Cc: Dean Pullen;; Pidgorny, Slav
    Subject: RE: Exchange in the DMZ

    It is my experience that most enterprise users of groupware (Microsoft
    Exchange, Lotus Notes, Novell GroupWise) typically will front-end their
    mail systems using some Unix MTA such as Postfix or Sendmail. The
    stability and security of these platforms tends to be more reliable than
    an Exchange server. It is my opinion that an Exchange server should
    never be accessible from the outside... ever.

    "David Sommers" <>
    I agree as well. ISA server has many benefits over using
    front-end/back-end Exchange Servers. Including the fact that you have
    to run Exchange Enterprise as the front-end server, which costs more
    than the Standard version. Plus ISA offers protection to OWA (web
    access) and can provide externally encrypted RPC handling for directly
    connecting Outlook from the Internet to your Exchange server.

    This article provides information on whether or not ISA will benefit


    -----Original Message-----
    From: Pidgorny, Slav []
    Sent: Monday, November 25, 2002 10:54 PM
    To: Dean Pullen;
    Subject: RE: Exchange in the DMZ


    Some details about the error messages you have and event log entries
    would be useful. Is there NAT in the picture? Can you resolve DNS names
    on the DNS supporting AD? What about other connectivity (LDAP, LDAP to
    GC, Kerberos over TCP and UDP, CIFS)?

    Try to run Netmon and capture traffic from the front-end server during
    startup. It helps.

    Generally, I would recommend against Exchange front-end in DMZ because
    too much connectivity is required back to the private intranet. Also I
    think that DMZ should be a separate authentication domain.
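
As an added worked check (this is not code from the thread or from any of its participants), the following PowerShell script tests the back-end paths Slav lists (DNS, LDAP, LDAP to the Global Catalog, Kerberos over TCP, CIFS) from a DMZ front-end to a domain controller, which is the quickest way to see whether a firewall between the DMZ and the intranet is what breaks front-end startup. The domain controller name and the port list are assumptions of the example; the ports are the standard ones for each service.

```powershell
# Added example, not from the original thread. Checks whether the flows an
# Exchange front-end in the DMZ needs back to the intranet are actually open.
# $dc is an assumed name; replace it with your DC / Global Catalog server.
$dc = 'dc01.corp.example'

# Standard ports for the services named in the thread (TCP only; see note on UDP below).
$tcpChecks = @(
    @{ Name = 'DNS';        Port = 53   },
    @{ Name = 'Kerberos';   Port = 88   },
    @{ Name = 'LDAP';       Port = 389  },
    @{ Name = 'CIFS (SMB)'; Port = 445  },
    @{ Name = 'LDAP to GC'; Port = 3268 }
)

# TCP connect test with a timeout, so a silently dropping firewall reports
# as blocked instead of hanging the script for the OS default connect timeout.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Name resolution against the DNS that supports AD. If this fails, nothing
#    below matters: the front-end cannot even locate its DC.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS: $dc -> $($addrs -join ', ')"
} catch {
    Write-Host "DNS: cannot resolve $dc ($($_.Exception.Message))"
}

# 2. TCP reachability for each flow the front-end needs back to the intranet.
#    If NAT sits between DMZ and intranet, compare the resolved address above
#    with the address the firewall actually forwards to.
foreach ($c in $tcpChecks) {
    $ok = Test-TcpPort -Target $dc -Port $c.Port
    $state = if ($ok) { 'open' } else { 'BLOCKED or filtered' }
    Write-Host ("{0,-12} TCP/{1,-5} {2}" -f $c.Name, $c.Port, $state)
}

# Kerberos also uses UDP/88. A plain socket test cannot confirm a UDP path
# (no handshake, and most firewalls drop silently), so if TCP/88 is open but
# authentication still fails, take a packet capture on the front-end during
# startup, as the message above suggests, and look for unanswered UDP/88.
```

Every port this script finds open is a hole from the DMZ into the intranet that has to stay open for the front-end to work, which is the concrete form of the objection above: an Exchange front-end in the DMZ needs DNS, LDAP, GC, Kerberos and CIFS back to a domain controller, not just SMTP.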
