Exchange 2003 on DMZ?

[sghezzi]

Hello,

we are planning to have Exchange 2003 as our internal mail server. At the moment we have an external ISP which acts as mail server as well and each user downloads mail from it.

What is the best strategy?
I can see different solution:

1- we put Exchange inside the PIX and we apply static translation to let users to access to it via Web interface from the Internet. From the inside users will not have to cross the PIX to send/receive emails to/from other internal users.

2- we place Exchange in the DMZ. But in this case From the inside users will have to cross the PIX to send/receive emails to/from other internal users. Or is it maybe possible to split Exchange in two different parts: mail Relay and mail server?

3- On both the previous cases we may decide whether to keep our external provider or not. Then Exchange could download emails from it periodically. On one side it would be maybe better do that we can let external users to access to it via web, and we don't need to open HTTP on PIX. But on the ther hand it is a problem of costs (monthly fee to the provider)


What do you suggest?
Are there some documents showing what is the best strategy?

thanks a lot
regards
Silvia

 

[gmcdonnell]

Go with #1 if at all possible. It's how Exchange is designed to work. If you put Exchange in the DMZ then you'll have to open up all sorts of ports to communicate between the users, Exchange and Active Directory.

If you feel the need you can always put in an SMTP relay server in the DMZ. It can run Windows server and the IIS SMTP service or be a Linux box running SendMail or other SMTP program.

Gary McDonnell

http://turbogeeks.com