
DMZ web server and email server


seands

Technical User
Sep 26, 2001
21
GB
Hi All

Need some advice on which is best?

We've got a PIX515 with outside/inside/dmz setup. At present we've got a web server set up on the DMZ which accesses a SQL server on the INSIDE for data for web pages; this has been penetration tested and is okay.

Our email server is on the INSIDE and I want to use SMTP for receiving mail (as we're using POP3 at the moment and need to change to SMTP).

Is it best to keep the email server on the INSIDE and set up an SMTP server in the DMZ, or move the email server to the DMZ? Or is there a better solution? We have about 60 users set up for email. I also want to have Outlook Web Access running at a later date too, which means the server will need access to the PDC for authentication. We are using MS Exchange 5.5 with Outlook 2000. I'm not worried about the work involved, just need to know which is best/most secure?

Also our email host has said I just need the email server with a public ip address, and they will just forward our mail to that address, which seems nice and easy.

Thanks
Sean
 
I would multihome the Exchange server so that internally clients access it via the "inside" network, and SMTP/POP3 is accessed via the "dmz" network. Just make sure you have IP routing disabled on the server, and that you have a sufficient access-list protecting the "dmz" network.
 
seands,

I am kind of interested in how your implementation was done for the one web server on the DMZ to the SQL on the inside.

I was trying to do something a little similar:

DMZ web servers
10.1.10.3
10.1.10.4

to talk to one SQL server, 192.168.10.3, on the inside via port 1433.
Do you also POP3 out from the web servers for client notification, as that is my scenario? I am interested in that as well.

Any thought would be appreciated.
 
HI.

I think that multihoming the mail server is not a good idea.
What's the benefit of it?
If the server is hacked, for example a hacker installs a trojan horse on the server using port 80 or an email sent to the administrator, it now has access both to the server and from it to all the internal network.
Disabling IP routing will have no effect on programs running on the server itself.

There are many different solutions to your requirements.
One option you can consider is this:
Install a mail server on the DMZ which will have 2 functions:
* It will forward incoming emails to the internal server (traditional mail relay server).
* It will have mailboxes for specific roaming users (sales and management personnel, for example), and will provide web, POP3 or other access for those users. The internal mail server will forward a copy of messages for those users to the DMZ server.
This can be done with an additional Exchange server or any other mail server that provides web access, like NIMS from Novell, or many others.
Advantages:
+ It is more secure than solutions that provide direct access to the "real" mail server. In any case your internal server and its data is not exposed to attacks that way.
Disadvantages:
- You have duplicate mailboxes for roaming users, which can make things more complicated.
- The duplicated mailbox on the DMZ will not have all information, for example the calendar.
BTW - I have never yet tried such a solution in production...
This is a similar idea to simply using "out of the office" on a workstation and forwarding to an external mail server.

Another solution to consider is to allow access (OWA, POP3, IMAP, MAPI) to the mail server using VPN.
Like any other solution it is not perfect - the VPN should also be considered a hole in your firewall and not a totally secured solution, and it cannot be used from an Internet cafe or from just any Internet connection. However, using the Cisco VPN client with XAUTH is quite secure.
This works fine for several of my clients, and they can also synchronize their Outlook to work offline.

Bye
Yizhar Hurwitz
 
Hi HUANGDI

This is just a reply to your posting. I've just copied this from an email from Cisco.

Problem Description: We have a PIX515 with a DMZ which has a web server in this location. We have a SQL server on the inside interface of the PIX. The web server on the DMZ needs to get information from the SQL database. Are there any diagrams for this setup or similar to help me program the PIX?

Sean,
inside security level 100
dmz security level 50
outside security level 0

For a lower security interface to access a higher security one, you will need to do a static translation and then use an access-list to allow them in.
DMZ TO ACCESS INSIDE HOST: (Here we translate the SQL IP to itself, then use an access-list to permit source (websvr) to destination (SQL) and apply it to the dmz interface.)
static (inside,dmz) <SQLip> <SQLip> netmask 255.255.255.255
access-list acl-dmz permit ip host <websvrip> host <SQLip>
access-group acl-dmz in interface dmz

INSIDE TO OUTSIDE using the outside interface address, USING PAT (the global must sit on the lower security interface):
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

GOOD LINK TO READ:
USING NAT, GLOBAL, STATIC, CONDUIT, AND ACCESS-LIST
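A fuller PIX 6.x policy for this layout, added here as an example and not taken from the Cisco reply or from any poster: it narrows the quoted DMZ-to-inside rule to the SQL port for Huangdi's two web servers, adds the DMZ SMTP relay that Yizhar describes, and puts the PAT global on the lower security interfaces. The relay's DMZ address 10.1.10.10, the inside Exchange address 192.168.10.5 and the public address 203.0.113.25 are assumed placeholders.

```cisco
! Interface roles and security levels as in the Cisco reply
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! Identity statics: the inside SQL and Exchange hosts keep their own
! addresses when seen from the DMZ (required because dmz, security50,
! is lower than inside, security100). 192.168.10.5 is an assumed address.
static (inside,dmz) 192.168.10.3 192.168.10.3 netmask 255.255.255.255
static (inside,dmz) 192.168.10.5 192.168.10.5 netmask 255.255.255.255
!
! DMZ -> inside: the two web servers reach SQL on TCP 1433 only,
! instead of the "permit ip" in the quoted example
access-list acl-dmz permit tcp host 10.1.10.3 host 192.168.10.3 eq 1433
access-list acl-dmz permit tcp host 10.1.10.4 host 192.168.10.3 eq 1433
! The DMZ relay (assumed 10.1.10.10) hands inbound mail to Exchange on TCP 25 only
access-list acl-dmz permit tcp host 10.1.10.10 host 192.168.10.5 eq smtp
! The relay delivers outbound mail to the Internet
access-list acl-dmz permit tcp host 10.1.10.10 any eq smtp
! Anything else leaving the DMZ, toward inside or outside, hits the implicit deny
access-group acl-dmz in interface dmz
!
! Outside -> DMZ: only the relay is published (placeholder public address),
! and only on TCP 25; the web server static is left out for brevity
static (dmz,outside) 203.0.113.25 10.1.10.10 netmask 255.255.255.255
access-list acl-outside permit tcp any host 203.0.113.25 eq smtp
access-group acl-outside in interface outside
!
! Inside -> outside and inside -> dmz via PAT. Globals go on the lower
! security interfaces; "global (inside)" would never be used.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
```

With this policy a compromised web server can only open TCP 1433 to the SQL host, and the inside Exchange server is never reachable from the Internet; OWA for roaming users would still need the separate DMZ mailbox server or the VPN approach described above.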
 