Configuring DMZ

[CSlack]

I currently have a PIX 520 ver 4.2 firewall on my network. I am now having to manage it and no little about it. I have a few questions. The inside address of my PIX is the same network my PC's are on, I have a DMZ created and that is on another network. At this time the DMZ is not in use. I want to put an exchange server on the network and also on that same server be running IIS. Do I put this server on the DMZ or on the inside of the PIX? Here is a stupid question as far as physical connections. I have ethernet2 setup as the DMZ do I plug a crossover cable into that port then into the hub in which I want to hang my server off of? Also, would my internal network be able to see the DMZ, since I need my users to get internal mail off of. Does anyone have a sample configuration that will help or any ideas? Thanks

Christian

 

[testing]

Look at Microsoft articles:
Q270065
Q264035

Exchange needs to use ports 1024 - 65535 to give your client workstations mail notification.

 

[Reaper36]

Cant answer all of your questions bit here goes for a couple of them....

I would be tempted to put the exchange server on the inside with your LAN. This would be a lot easier than configuring your PIX with the necessary NAT's, Globals and/or statics, conduits needed to allow access. Also of course the inside interface has a security level of 100, this being the highest. Also bear in mind the PIX has 'Mailguard' built in which provides a 'safe' conduit on inside networks which helps guard against some security probs associated with mail server implementation.

If you decide that you still wish to use your dmz to host your mail server then you will have to set up either static and/or conduits or preferably NAT and/or Global statements in your config. Precise details on which ports you will be using will also have to be in there.

Regards,

Paul