RE: Exchange in the DMZ

From: David Sommers (dsommers@dialogmedical.com)
Date: 11/26/02

    Date: Tue, 26 Nov 2002 15:05:46 -0500
    From: "David Sommers" <dsommers@dialogmedical.com>
    To: <Matt.Carpenter@alticor.com>
    
    

    But by only allowing SMTP traffic to be proxied back into Exchange, you
    lose a lot of the benefits of Exchange.

    If you want to use OWA securely or access Exchange using Outlook via the
    Internet, read ISA's specs and you'll see that it was built for this.
    ISA is a stateful firewall that also inspects the packets to ensure that
    the data flowing over HTTP is indeed OWA related (w/ SSL of course).

    If you honestly wanted to just use SMTP proxy with Exchange, then use
    VPN to tunnel internally and access Exchange via the tunnel or send mail
    using the US Postal Service.

    From Microsoft's web site:

    http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp
    Configuring and Securing Exchange 2000 Server and Clients
    Read this white paper to learn how ISA Server and Microsoft Exchange
    2000 Server work together to make it possible for you to publish
    internal servers to the Internet without compromising the security of
    your network.

    /David.

    -----Original Message-----
    From: Matt.Carpenter@alticor.com [mailto:Matt.Carpenter@alticor.com]
    Sent: Tuesday, November 26, 2002 1:59 PM
    To: David Sommers
    Cc: Dean Pullen; focus-ms@lists.securityfocus.com; Pidgorny, Slav
    Subject: RE: Exchange in the DMZ

    It is my experience that most enterprise users of groupware (Microsoft
    Exchange, Lotus Notes, Novell GroupWise) typically will front-end their
    mail systems using some Unix MTA such as Postfix or Sendmail. The
    stability and security of these platforms tends to be more reliable than
    an Exchange server. It is my opinion that an Exchange server should
    never be accessible from the outside... ever.

    "David Sommers" <dsommers@dialogmedical.com>
    I agree as well. ISA server has many benefits to using
    front-end/back-end Exchange Servers. Including the fact that you have
    to run Exchange Enterprise as the front-end server, which costs more
    than the Standard version. Plus ISA offers protection to OWA (web
    access) and can provide externally encrypted RPC handling for directly
    connecting Outlook from the Internet to your Exchange server.

    This article provides information on whether or not ISA will benefit
    you.
    http://www.fawcette.com/dotnetmag/2002_12/magazine/columns/maximumexchange/

    /David.

    -----Original Message-----
    From: Pidgorny, Slav [mailto:slav.pidgorny@anz.com]
    Sent: Monday, November 25, 2002 10:54 PM
    To: Dean Pullen; focus-ms@lists.securityfocus.com
    Subject: RE: Exchange in the DMZ

    Dean,

    Some details about the error messages you have and event log entries
    would be useful. Is there NAT in the picture? Can you resolve DNS names
    on the DNS supporting AD? What about other connectivity (LDAP, LDAP to
    GC, Kerberos over TCP and UDP, CIFS)?

    Try to run Netmon and capture traffic from the front-end server during
    startup. It helps.

    Generally, I would recommend against Exchange front-end in DMZ because
    too much connectivity is required back to the private intranet. Also I
    think that DMZ should be a separate authentication domain.
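The last message lists the connectivity an Exchange front-end in the DMZ needs back to Active Directory (DNS, LDAP, LDAP to the Global Catalog, Kerberos over TCP and UDP, CIFS). The script below, an added example that is not part of any message in this thread, probes those ports on a domain controller from the DMZ host so you can see at a glance which inner-firewall rules are still missing before reaching for Netmon. The port numbers are the standard ones for each protocol; the domain controller name and the `checker` hook are assumptions made for this example.

```python
import socket

# Connectivity the thread says an Exchange front-end in the DMZ needs back to
# the intranet AD. Port numbers are the standard ones for each service.
# Format: (service, protocol, port)
REQUIRED_AD_PORTS = [
    ("DNS", "tcp", 53),
    ("DNS", "udp", 53),
    ("Kerberos", "tcp", 88),
    ("Kerberos", "udp", 88),
    ("LDAP", "tcp", 389),
    ("LDAP to GC", "tcp", 3268),
    ("CIFS/SMB", "tcp", 445),
]


def check_tcp(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused or filtered port (the usual symptom of a missing firewall rule)
    raises OSError or times out, and both are reported as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_dc_connectivity(dc_host, checker=check_tcp):
    """Probe every required port on a domain controller from the DMZ host.

    Returns {(service, proto, port): "open" | "blocked" | "not tested"}.
    UDP entries are reported as "not tested": a bare UDP probe gets no reply
    from a silently filtered port, so DNS/Kerberos over UDP should be checked
    with a real query or a Netmon capture instead. The `checker` parameter is
    an assumption of this example so the audit can run against a fake."""
    results = {}
    for service, proto, port in REQUIRED_AD_PORTS:
        if proto != "tcp":
            results[(service, proto, port)] = "not tested"
        elif checker(dc_host, port):
            results[(service, proto, port)] = "open"
        else:
            results[(service, proto, port)] = "blocked"
    return results


def missing_rules(results):
    """List the TCP services the inner firewall is still blocking."""
    return [
        f"{service} ({proto}/{port})"
        for (service, proto, port), state in results.items()
        if state == "blocked"
    ]


if __name__ == "__main__":
    import sys

    # Hypothetical domain controller name; pass the real one on the command line.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.corp.example"
    res = audit_dc_connectivity(dc)
    for (service, proto, port), state in res.items():
        print(f"{service:<11} {proto}/{port:<5} {state}")
    blocked = missing_rules(res)
    if blocked:
        print("blocked by inner firewall: " + ", ".join(blocked))
    else:
        print("all required TCP ports reachable")
```

Run it from the front-end server itself, since that is the host the inner firewall rules have to admit; a clean result only shows the TCP side, so the Kerberos and DNS UDP entries still need a capture or a real query.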