FW: Security Suggestion (Exchange 2000) & access to files

From: Jon Gillings (jon@cherry-orchard.com)
Date: 05/17/02


From: "Jon Gillings" <jon@cherry-orchard.com>
To: <security-basics@securityfocus.com>
Date: Fri, 17 May 2002 14:50:19 +0100

Ok first you need to promote your server to a DC to install Exchange 2000
because Exchange relies on Active Directory for its user database.

As for the location of the server I would put it either in your DMZ and have
your clients accessing it through the PIX, or use your web server as an SMTP
gateway. I would not recommend having your server on both your DMZ and your
LAN because it opens up a route to your internal LAN. I also do not
recommend having it in your LAN for the same reason.

Lastly if you do decide to have it on your internal LAN make sure that it is
installed in a separate forest because Exchange extends your schema
considerably.

I hope this was helpful.

Regards
Jon

-----Original Message-----
From: Hunt, Jim [mailto:HuntJ@nwsc.k12.in.us]
Sent: 15 May 2002 13:25
To: security-basics@securityfocus.com
Subject: Security Suggestion (Exchange 2000) & access to files

Here is the scenario I am facing this summer. Please let me know which you
would do and why.

The firewall is a Cisco PIX 515R with 3 interfaces (LAN, Internet, and
DMZ). A new Microsoft Exchange 2000 Server is being implemented. This
server will be dedicated to doing nothing but running Microsoft Exchange
2000 and providing internal access from the LAN via Outlook. It will NOT be
a domain controller.

Outside access is needed to the mail system to send and receive e-mail.
Outlook Web Access (OWA) is also needed to provide users internally and
externally access to their e-mail.

What is the best scenario to install the system? I see these as the better
possible options. (There are more but I didn't think they had merit or that I
have the money ($$$) to do them.)

1.) Place the unit internally (LAN) with one internal IP and do NAT at the
firewall for both the SMTP gateway and OWA. Would (should) I use 1 external
(Internet) IP for the SMTP Gateway and another IP for OWA?

2.) The unit could be internal (LAN) with 2 NICs; one NIC to the LAN and one
NIC to the DMZ for Internet access. IP routing would not be enabled.

3.) There is a web server in the DMZ. A 2 Microsoft Exchange Server setup
could be done using the web server in the DMZ as the SMTP gateway and the OWA
Server. (There isn't money ($$$) for a dedicated server in the DMZ for
Microsoft Exchange and a Microsoft Exchange inside the LAN too.) (Again, IP
routing would not be enabled on the web server. We would need to address
the access back to the LAN using it as well.)

These seem like the best 3 options. What is everyone's thought? Please
only provide productive answers and don't bash Microsoft Exchange or suggest
another product. It just isn't possible. (Been there, done that, and lost
the fight so now I have to move on and implement.)

Jim Hunt
Microsoft Certified Systems Engineer
Northwestern School Corporation
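For readers weighing option 1 above, here is what "NAT at the firewall for both the SMTP gateway and OWA" looks like as a PIX 6.x-style configuration. This is an added example, not from either poster; interface names, the 10.0.0.5 Exchange address and the 203.0.113.x public addresses are placeholders, and it assumes OWA is published over HTTPS only.

```cisco
! Added example (not from the thread): option 1, Exchange on the LAN,
! published through static NAT on the PIX. All addresses are placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

! One-to-one static NAT: a single public IP fronts both SMTP and OWA.
! A second public IP for OWA adds no security on its own; the access-list
! below is what actually limits exposure.
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255

! Inbound policy: only SMTP (25) and HTTPS (443) may reach the Exchange
! host. Port 80 is deliberately absent so OWA logons never travel in clear,
! and the trailing deny documents that nothing else on the LAN is reachable.
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Outbound: the LAN (Exchange included, for outbound SMTP and DNS) leaves
! via PAT on the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Whichever option is chosen, the check worth making afterwards is a port scan of 203.0.113.10 from outside: only 25 and 443 should answer.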


