RE: Exchange in the DMZ
From: Amarante, Rodrigo P. (RPAmarante@directvla.com)
Date: 11/26/02
- Previous message: Rob Wilcox: "RE: Exchange in the DMZ"
- Maybe in reply to: Dean Pullen: "Exchange in the DMZ"
- Next in thread: NetFilter: "Re: Exchange in the DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Nov 2002 13:17:31 -0500
From: "Amarante, Rodrigo P." <RPAmarante@directvla.com>
To: "Miguel Duarte" <miguelduarte@Investec.pt>
Miguel,
Is the front-end server configured to use the DNS Server authoritative
for the Domain zone? You can test that by trying to ping the FQDN
(server.domain.com) of the Domain Controller/Global Catalog from the
front-end. If you can resolve the names to an IP address, then your
problem should be with translation (I don't know what kind of firewall
you're using so I can't comment on that). However if you can't resolve
the IPs, make sure you configure the front-end's resolver to use the DNS
Server authoritative for the domain zone. That's a must because in order
to connect to the back-end:
The front-end must first find a global catalog for the Domain specified
by the user (DNS query to DNS Server configured in resolver - port 53),
the front-end must authenticate the user (LDAP to GC - port 3268), then find
out where the user's mailbox is located (LDAP to GC - port 3268),
and finally proxy the requests to the back-end (HTTP to BE - port 80).
Don't forget that you also need RPC connectivity between the front-end
and the Global Catalog...
Hope this helps,
Rodrigo Amarante
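The sequence above (resolve the Global Catalog, reach it over LDAP 3268, then reach the back-end over HTTP 80) can be turned into a quick diagnostic run from the front-end. The following script is an added example, not code from the thread or from Microsoft: it walks that sequence and classifies the first failure the way the reply does, a name that does not resolve points at the front-end's resolver configuration, a name that resolves but cannot connect points at the firewall's translation or access rules. Assumptions: TCP 135 (the RPC endpoint mapper) is used as a stand-in for the "RPC connectivity" requirement, which the thread does not tie to a port number, and the dynamic RPC ports are not tested; the optional `dmz_mapped_subnet` check follows the later note in this thread about publishing DC records that point at DMZ-side mapped addresses, and it only applies to the DC entries. Host names and addresses in the usage call are constructed placeholders.

```python
"""Front-end to Global Catalog / back-end reachability diagnostic (added example)."""
import ipaddress
import socket
import sys

# Ports named in the thread for the LDAP and HTTP steps; 135 is the RPC endpoint
# mapper, an assumption standing in for the "RPC connectivity" requirement.
GC_LDAP_PORT = 3268
RPC_EPM_PORT = 135
BACKEND_HTTP_PORT = 80


def build_check_plan(gc_fqdn, backend_fqdn):
    """Ordered checks in the order the front-end uses them.
    Tuple: (label, host, port, is_domain_controller)."""
    return [
        ("gc-ldap", gc_fqdn, GC_LDAP_PORT, True),
        ("gc-rpc-epm", gc_fqdn, RPC_EPM_PORT, True),
        ("backend-http", backend_fqdn, BACKEND_HTTP_PORT, False),
    ]


def resolve(name):
    """Resolve through the front-end's configured resolver; None on failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_connect(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(plan, resolver=resolve, connector=tcp_connect, dmz_mapped_subnet=None):
    """Run the plan and stop at the first failure, returning (verdict, results).

    Verdicts: 'fix-resolver' (name did not resolve), 'fix-dns-records' (a DC
    name resolves outside the expected DMZ-mapped subnet, assumption-based
    check), 'fix-firewall-translation' (resolves but no TCP connect), 'ok'.
    """
    net = ipaddress.ip_network(dmz_mapped_subnet) if dmz_mapped_subnet else None
    results = []
    for label, host, port, is_dc in plan:
        ip = resolver(host)
        if ip is None:
            results.append((label, "%s unresolved" % host))
            return "fix-resolver", results
        if is_dc and net is not None and ipaddress.ip_address(ip) not in net:
            results.append((label, "%s resolves to %s outside %s" % (host, ip, net)))
            return "fix-dns-records", results
        if not connector(ip, port):
            results.append((label, "%s:%d unreachable" % (ip, port)))
            return "fix-firewall-translation", results
        results.append((label, "ok"))
    return "ok", results


if __name__ == "__main__":
    # Usage: python fe_check.py gc.corp.example be.corp.example [dmz-subnet]
    gc_name, be_name = sys.argv[1], sys.argv[2]
    subnet = sys.argv[3] if len(sys.argv) > 3 else None
    verdict, steps = diagnose(build_check_plan(gc_name, be_name), dmz_mapped_subnet=subnet)
    for label, outcome in steps:
        print("%-14s %s" % (label, outcome))
    print("verdict:", verdict)
```

Run it on the front-end itself so that `socket.gethostbyname` uses the same resolver the Exchange service uses; running it from an inside host proves nothing about the DMZ path.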
-----Original Message-----
From: Miguel Duarte [mailto:miguelduarte@Investec.pt]
Sent: Tuesday, November 26, 2002 5:12 AM
To: Dean Pullen
Cc: focus-ms@lists.securityfocus.com
Subject: RE: Exchange in the DMZ
What kind of firewall are you using?
I've actually managed to make it work but with a few quirks.
I have the frontend server on a Cisco PIX interface with a different
subnet from the LAN. I had to create address mappings (statics) of each
DC in the domain pointing to an IP address within the DMZ. Then create
DNS records of the DCs pointing to the new addresses (note that I can't
keep the new DNS record for the DNS server, because it hasn't any
interface with that address).
Last, make sure that the frontend server can reach the inner servers
(ping, SMTP, etc.).
I hope I was at least a little clear...
Miguel Duarte
-----Original Message-----
From: Dean Pullen [mailto:deanpullen@yahoo.com]
Sent: Sat 11/23/2002 11:00 AM
To: focus-ms@lists.securityfocus.com
Cc:
Subject: Exchange in the DMZ
Hi guys,
I've basically been told that we require an Exchange
system operated within our DMZ setup. After much
reading I've decided to go for a front-end, back-end
Exchange system, with the Exchange front-end in the DMZ
and the back-end in the LAN. However, even though I've
opened up all the ports specified in MS' white papers
between the DMZ and LAN, I cannot connect to the
domain/active directory from the Front-End server. How
do I go about this? I mean all I am trying at the
moment is to connect to our internal Domain by
accessing the network ID in the My Computer properties
and trying to type in the Domain. Do I have to do
anything else?! Sorry for my amateurishness(!) but
we're a small firm and cannot afford a fully-fledged
exchange specialist, thus I'm doing it!
Thanks in advance.
Dean Pullen.