Re: Mail server inside the network...Safe?



In article <46e70dff$0$10303$815e3792@xxxxxxxxxxxxxx>,
jsmith@xxxxxxxxxxxxxxxx says...
> Thank you Leythos for making this clear. The server will go in the LAN
> then. We are not using an SBS, rather Server 2003 64-bit with Exchange 2007.
>
> I actually have ordered a Netscreen SSG5 firewall which comes with UTM and
> that should block a lot of the stuff.

I've put Exchange servers in the DMZ, when I don't use the normal
Exchange connector for Outlook, or when I have a firewall that can
create a connection that is initiated by the LAN user to the DMZ - a
proxy type connection that only allows the DMZ-based email server to
reply back to the LAN users when the LAN users contact it first - the
firewall has to handle this.

In all cases, I never put an Exchange server or any other DMZ server in
an AD/Domain that has to authenticate with the LAN, never, nada, nope,
don't do it. If the DMZ devices can authenticate (Domain accounts) with
the LAN there is no point in having them in the DMZ.

For secure facilities we do a lot of things one would not really do in a
non-secure facility.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
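
The policy described in the post above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original post: the rule format, zone names and sample rules are constructed for illustration, and it assumes a stateful firewall (replies to LAN-initiated sessions need no rule of their own) and treats every permit rule as reachable.

```python
from dataclasses import dataclass

# Ports a domain member uses to authenticate against Active Directory.
AD_AUTH_PORTS = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
                 445: "SMB", 464: "kpasswd", 636: "LDAPS",
                 3268: "Global Catalog", 3269: "Global Catalog over SSL"}

@dataclass(frozen=True)
class Rule:
    name: str        # hypothetical rule label
    src_zone: str    # zone that opens the connection
    dst_zone: str
    ports: range     # destination ports for new connections
    action: str      # "permit" or "deny"

def audit(rules):
    """Return (rule name, finding, AD ports exposed) for each violation.

    Any permit from DMZ to LAN means a DMZ host can open a session itself
    instead of only replying; if AD ports are included, the DMZ host can
    also authenticate against the LAN domain.
    """
    findings = []
    for r in rules:
        if r.action != "permit" or (r.src_zone, r.dst_zone) != ("DMZ", "LAN"):
            continue
        auth = sorted(p for p in AD_AUTH_PORTS if p in r.ports)
        kind = "dmz-can-authenticate" if auth else "dmz-initiates-to-lan"
        findings.append((r.name, kind, auth))
    return findings

# Constructed sample rule set (not from any real device).
SAMPLE = [
    Rule("inet-to-dmz-smtp", "Internet", "DMZ", range(25, 26), "permit"),
    Rule("lan-to-dmz-mail", "LAN", "DMZ", range(443, 444), "permit"),
    Rule("dmz-to-lan-ldap", "DMZ", "LAN", range(389, 390), "permit"),
    Rule("dmz-to-lan-smtp", "DMZ", "LAN", range(25, 26), "permit"),
    Rule("dmz-to-lan-default", "DMZ", "LAN", range(1, 65536), "deny"),
]

if __name__ == "__main__":
    for name, kind, ports in audit(SAMPLE):
        detail = ", ".join(f"{p} ({AD_AUTH_PORTS[p]})" for p in ports)
        print(f"{name}: {kind} {detail}".rstrip())
```
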