Security Suggestion (Exchange 2000) & access to files

From: Hunt, Jim (HuntJ@nwsc.k12.in.us)
Date: 05/15/02


From: "Hunt, Jim" <HuntJ@nwsc.k12.in.us>
To: security-basics@securityfocus.com
Date: Wed, 15 May 2002 07:25:11 -0500

Here is the scenario I am facing this summer. Please let me know which you
would do and why.

The firewall is a Cisco PIX 515R with 3 interfaces (LAN, Internet, and
DMZ). A new Microsoft Exchange 2000 Server is being implemented. This
server will be dedicated to doing nothing but running Microsoft Exchange
2000 and providing internal access from the LAN via Outlook. It will NOT be
a domain controller.

Outside access is needed to the mail system to send and receive e-mail.
Outlook Web Access (OWA) is also needed to provide users internally and
externally access to their e-mail.

What is the best scenario to install the system? I see these as the better
possible options. (There are more, but I didn't think they had merit or that I
have the money ($$$) to do them.)

1.) Place the unit internally (LAN) with one internal IP and do NAT at the
firewall for both the SMTP gateway and OWA. Would (should) I use 1 IP
external (Internet) IP for the SMTP Gateway and another IP for OWA?

2.) The unit could be internal (LAN) with 2 NICs; one NIC to the LAN and one
NIC to the DMZ for Internet access. IP routing would not be enabled.

3.) There is a web server in the DMZ. A two-server Microsoft Exchange setup
could be done using the web server in the DMZ as the SMTP gateway and the OWA
Server. (There isn't money ($$$) for a dedicated server in the DMZ for
Microsoft Exchange and a Microsoft Exchange inside the LAN too.) (Again, IP
routing would not be enabled on the web server. We would need to address
the access back to the LAN using it as well.)

These seem like the best 3 options. What is everyone's thought? Please
only provide productive answers and don't bash Microsoft Exchange or suggest
another product. It just isn't possible. (Been there, done that, and lost
the fight so now I have to move on and implement.)

Jim Hunt
Microsoft Certified Systems Engineer
Northwestern School Corporation
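
For readers weighing option 1, here is what the NAT and filtering side of it
looks like on a PIX running 6.x, as an added illustration. This is not from the
original post and takes no position on which option Jim should pick. All
addresses are constructed for the example: outside interface 203.0.113.2/24,
inside network 10.1.0.0/16, the Exchange server at 10.1.0.25, and one public
address 203.0.113.25 reserved for mail. It also shows that a single external
IP is enough to carry both SMTP and OWA, because the access list separates the
two services by port; a second static would only be needed if OWA were later
moved to a different host.

```text
! Added example of option 1 (Exchange 2000 on the LAN, NAT at the PIX 515).
! Not from the original post; all addresses are assumed for illustration.
! PIX OS 6.x syntax.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0

! One-to-one static: the internal Exchange server is reachable from the
! Internet as 203.0.113.25. One public address serves both SMTP and OWA;
! the access list below decides which ports are actually exposed.
static (inside,outside) 203.0.113.25 10.1.0.25 netmask 255.255.255.255 0 0

! Inbound: only the two services the post asks for. Everything else the
! server listens on (RPC/135, NetBIOS/139, SMB/445, LDAP/389, POP3, IMAP4,
! and OWA over plain HTTP/80) is dropped by the implicit deny at the end.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in permit tcp any host 203.0.113.25 eq https
access-group outside_in in interface outside

! Outbound: the Exchange server must deliver mail and look up MX records,
! and LAN clients are hidden behind the outside address as usual. The
! static above takes precedence for 10.1.0.25, so its outbound traffic
! also leaves as 203.0.113.25, which keeps reverse DNS consistent.
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 interface

! Caveat: the PIX SMTP fixup (Mailguard) passes only the seven RFC 821
! commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and rejects ESMTP
! commands such as EHLO, AUTH and STARTTLS, which interferes with Exchange
! 2000 talking ESMTP to the outside world. Many Exchange-behind-PIX
! deployments turn it off and harden SMTP on the host instead.
no fixup protocol smtp 25
```

The point of the access list is that option 1 puts the whole Exchange attack
surface one NAT hop from the Internet, so the two permit lines are the entire
exposure; anything added later (OWA on port 80, IMAP for remote clients) widens
it directly onto the LAN host. Verify after loading with "show access-list
outside_in" and "show xlate" to confirm the hit counts land only on 25 and 443.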


