
DMZ vs. Internal

Status
Not open for further replies.

LoJACK

IS-IT--Management
Jun 5, 2003
Hello,

I was just wondering... is it better to put your email server on the DMZ instead of the internal network?

I also thought that it was better and more secure for your internal network if the mail server was on the DMZ... I was asking a friend and he told me that he has his email server on the internal network...

and is there an advantage to having one mail server on the DMZ and one mail server on the internal network?

thanx in advance,
LoJACK



Thanks,
LoJACK
 
I suggest this link:


Download the document and check it out. It runs through some different scenarios in chapter 3. This book applies to Exchange 2000 but the principles are the same in 2003.

It is possible that your friend is using an ISA in the DMZ that is forwarding requests to an internal exchange server. If configured correctly, this would be very secure. Check out the link...
 
cool... thanx for the link



Thanks,
LoJACK
 
Hi,

Your mail server should not reside in the DMZ, only the SMTP redirector; this does not actually have to be Exchange! Servers hosted in the DMZ should not be members of your domain either: use either a separate domain (no trusts) or workgroups.

jrb
MCSE, MCSA, MCP
 
What about a front end server in the DMZ? This scenario is given by Microsoft. In that case wouldn't it have to be a domain member? Forgive me if this is a dumb question, I am new to IT/Exchange.
 
Your mailbox Exchange server should never be on the DMZ, it should only sit on the internal network. Use SMTP gateways/firewalls that sit on the DMZ to relay the mail (I personally like Mail Essentials by GFI, but anyone will do).

As far as the front end Exchange server, I would keep that off of the DMZ too. What is suggested is that you use ISA 2000 as a secondary firewall on your DMZ (one NIC on the DMZ and one on the internal network). Use server publishing or web publishing to publish out either OWA or RPC over HTTP.

As far as ISA 2000, I would only use that as a secondary firewall for web or server publishing and leave the primary firewalling to Checkpoint or Cisco. Personally I would never expose any Exchange box directly to the outside world; Microsoft is not known for its security.
 
In many FE/BE scenarios, the front end server does reside in the DMZ. The backend server with the mailboxes resides on the internal network. That's one scenario. If ISA is the firewall on the back side, you can publish OWA so that it appears to be in the DMZ. That's another scenario. If you only have a single server, you would put it in the internal network and only open 443 and 25 to it. In any scenario, the mailboxes should reside on the internal network.

 
Why use a dmz at all? Can anyone give any specific example of a vulnerability?

Why not just have the exchange server on your lan, behind a firewall? Just open 25 to it and if necessary 110 and 80?
 
How does the info get from the Internet to the LAN?

Static NAT entry in firewall from public address to private?
 
To: TOM11011

My problem when I tried NAT was this:

For a client computer on the same subnet as the NATed Exchange server (192.168.0.0) all was fine. However, when I tried to connect to Exchange from a client on another routed net (192.168.1.0) I could not. A few pings later and I found out that my router (I am doing NAT in the router, not the FW) would reply to private network pings from another interface on the same router with the public address, not the private. Is this a shortcoming of the router's software or is this supposed to happen? I thought that NAT would only apply if the routing was taking place through the interface that NAT was applied to. In my case when I set a static translation it applies to any packet that passes from one interface to another, or even between virtual interfaces of the same physical interface. This causes Outlook clients not to work. They send packets to the internal address and get a response from the external one. Very confusing for the poor client. To resolve it I put 2 NICs in the Exchange server, one with the external address and one with the internal. Was this wrong??? Is my router not working properly??? Is this way outside the realm of this forum???
 
Right off the bat, my first instinct says not to use 2 NICs in the Exchange server - I don't think Windows can route intelligently. I've tried before to use 2 network cards with 2 routers; a disaster, traffic all over the place.

In the Exchange config in Outlook, if you are using a NetBIOS machine name to point to your Exchange server, don't do that; NetBIOS names will give you issues across networks unless you are running WINS (but who the heck wants to do that if they don't need to). Instead, use the IP address of the server or its fully qualified domain name (the Active Directory domain name, that is).
 
You put rules in the firewall to redirect the desired port to the NAT'd internal address. A multihomed server defeats the purpose of having a firewall. A firewall is a multihomed device that filters/statefully inspects all packets traveling across it.
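An added illustration (not from any poster in this thread) of the static-NAT behaviour LoJACK describes a few posts up and the interface-scoped translation this reply points at: a router that rewrites the mapped address on every interface pair breaks LAN-to-LAN connections, while one that translates only on the Internet-facing interface leaves them alone. All addresses and interface names are constructed sample values.

```python
# Constructed model of a router with a one-to-one static NAT mapping.
# Compares "translate on any interface pair" (the poster's router) with
# "translate only on the Internet-facing interface" (the expected behaviour).
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.25"    # constructed public address for the mail server
EXCHANGE_IP = "192.168.0.10"  # constructed Exchange address on the 192.168.0.0 LAN
CLIENT_IP = "192.168.1.50"    # constructed Outlook client on the routed 192.168.1.0 LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # interface the packet arrives on
    out_iface: str  # interface the router forwards it out of


def static_nat(pkt: Packet, outside_only: bool) -> Packet:
    """Apply the mapping PUBLIC_IP <-> EXCHANGE_IP to one forwarded packet.

    outside_only=False: translate whenever the packet crosses any two interfaces.
    outside_only=True: translate only if the packet enters or leaves via "outside".
    """
    involves_outside = "outside" in (pkt.in_iface, pkt.out_iface)
    if outside_only and not involves_outside:
        return pkt
    src = PUBLIC_IP if pkt.src == EXCHANGE_IP else pkt.src
    dst = EXCHANGE_IP if pkt.dst == PUBLIC_IP else pkt.dst
    return Packet(src, dst, pkt.in_iface, pkt.out_iface)


def client_sees_reply(outside_only: bool) -> bool:
    """Client on lan1 connects to the private Exchange address on lan0; the
    server replies to the source it saw. Return True if the reply arrives
    from the address the client connected to (a TCP client drops it otherwise)."""
    request = static_nat(Packet(CLIENT_IP, EXCHANGE_IP, "lan1", "lan0"), outside_only)
    reply = static_nat(Packet(EXCHANGE_IP, request.src, "lan0", "lan1"), outside_only)
    return reply.src == EXCHANGE_IP and reply.dst == CLIENT_IP


def internet_reaches_exchange(outside_only: bool) -> bool:
    """Inbound Internet traffic to the public address must still land on the
    Exchange server in both modes, since it enters via the outside interface."""
    pkt = static_nat(Packet("198.51.100.7", PUBLIC_IP, "outside", "lan0"), outside_only)
    return pkt.dst == EXCHANGE_IP


if __name__ == "__main__":
    print("translate on every interface pair:", client_sees_reply(False))  # False
    print("translate on outside only:        ", client_sees_reply(True))   # True
```

With the translation applied everywhere, the reply to the 192.168.1.0 client comes back from 203.0.113.25, which is exactly the mismatch the poster observed; scoping the rule to the outside interface fixes it without a second NIC in the server.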

 