Exchange in DMZ. Pros & Cons

Status
Not open for further replies.

julesNDC

IS-IT--Management
Dec 2, 2005
81
US
I am in the process of designing a new network. We will have around 300 users.

We will have a couple of DCs, a few file servers, a firewall and... an Exchange server.

The question is should we put the Exchange server in the DMZ or not. If someone has gone through the process of figuring out the pros and cons I would greatly appreciate the sharing of the results.

Thanks
 
I can't see why you put something out there unless it was just an FE box connecting to a BE box. In Exchange 2007, you could put an Edge Transport box out there.

But I certainly wouldn't put a box out there that contains mailboxes or PFs.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
I don't want to sound critical but Microsoft has articles on their website relating to this. A little elbow work reading those documents will give you all the information you need.

No need to re-invent the wheel...

 
Hi!
If you are going to have only one Exchange server there is no point putting it in the DMZ.
You can see in many design documents that you can put a FE (Front-end) Exchange server in the DMZ which does not host mailboxes. It communicates with a Back-end server located in the internal network.

There have been a lot of discussions on this topic but generally this is not considered a secure approach either. The FE server has to communicate with the Domain Controllers in the internal network so you have to open certain ports on the firewall. The drawback of opening these ports is that if the server is compromised the intruder can get access to your internal network.

The secure approach is implementing a reverse proxy in the DMZ. Here are the implementations of that solution:

1. Microsoft ISA server on Windows OS.
2. Apache WEB server on Linux or Windows OS.
3. Squid server on Linux OS.

My personal preference is for the second implementation – Apache on Linux configured as a reverse proxy. This is a secure, very dependable, free and easy to install and configure implementation.

Using ISA server as reverse proxy is also a very popular implementation and you should consider it if you have an ISA license available and experience with the ISA server of course.

I am afraid that I cannot provide you with much info about using Squid as a reverse proxy. You’ll have to research this implementation yourself.

Best Regards,

Dean
 
Ok, let me ask another question guys. Before the question I guess I should tell you a bit more about what I am trying to do… and if I am wrong, please let me know.

My boss wants to put the Exchange server in the DMZ, because it is more secure for the network.

I believe that with today’s firewalls you can have your exchange inside your network and be safe. No need to go the extra mile and spend money on an additional server and setup costs.

I also believe that no matter where you put your Exchange server, if someone really wants to get into your network and if that person has the right software and knowledge, nothing will really stop that person.

So here is the question: DMZ or no DMZ?

 
You should be able to answer the question yourself.
If you are using a reverse HTTPS proxy in the DMZ (that’s the server which will be exposed to the Internet) all the intruder will get is an empty machine – there are no passwords nor data on that machine.
If the intruder gets to the Exchange server he is inside your network and he has access to your E-mail and AD data.
The machine in the DMZ can be restored in less than 15 minutes (depending on the solution). I am not talking about more sophisticated configurations where you are implementing IDS, IPS, monitoring and locking of the system files etc.

Dean
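The reverse-proxy layout Dean describes in both of his posts (a DMZ host that holds no mailboxes, passwords or data and simply forwards HTTPS to the internal Exchange server) looks roughly like the configuration below. This is an added example, not something posted in the thread: it assumes Apache 2.2 on Linux with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded, an Exchange 2003 back end, and uses placeholder hostnames and certificate paths.

```apache
# Added example (not from the thread): Apache 2.2 in the DMZ acting as an
# HTTPS reverse proxy for the OWA/OMA virtual directories of an internal
# Exchange 2003 server. Only TCP 443 from this host to the Exchange server
# needs to be opened on the inner firewall; no LDAP/RPC ports are required.
# All hostnames and file paths below are placeholders.

Listen 443

<VirtualHost *:443>
    # Public name clients connect to (placeholder)
    ServerName mail.example.com

    # TLS termination for Internet clients (placeholder certificate paths)
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/mail.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mail.example.com.key
    SSLProtocol all -SSLv2

    # Re-encrypt toward the internal server and verify its certificate, so
    # mail traffic never crosses the DMZ-to-LAN link in clear text and the
    # proxy cannot be redirected to a rogue back end
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt

    # Never act as a forward (open) proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # Default deny: the proxy serves nothing of its own
    DocumentRoot /var/www/empty
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    # Expose only the Exchange virtual directories that OWA and OMA need
    <LocationMatch "^/(exchange|exchweb|public|oma)(/|$)">
        Order allow,deny
        Allow from all
    </LocationMatch>

    # Forward those paths to the internal Exchange server (placeholder host)
    ProxyPass        /exchange https://exchange.internal.example/exchange
    ProxyPassReverse /exchange https://exchange.internal.example/exchange
    ProxyPass        /exchweb  https://exchange.internal.example/exchweb
    ProxyPassReverse /exchweb  https://exchange.internal.example/exchweb
    ProxyPass        /public   https://exchange.internal.example/public
    ProxyPassReverse /public   https://exchange.internal.example/public
    ProxyPass        /oma      https://exchange.internal.example/oma
    ProxyPassReverse /oma      https://exchange.internal.example/oma

    # Send visitors of the bare hostname to OWA instead of a 403
    RedirectMatch ^/$ https://mail.example.com/exchange/

    ErrorLog  /var/log/apache2/owa-proxy-error.log
    CustomLog /var/log/apache2/owa-proxy-access.log combined
</VirtualHost>
```

Two things worth checking when adapting this: Apache's `ProxyPass` prefixes are case-sensitive while IIS paths are not, so users who type `/Exchange` will be denied by the default-deny `<Location />` unless you add matching entries; and because the proxy keeps no state, the "restore in 15 minutes" property Dean mentions holds only if the certificate and key are backed up off the box and the internal firewall rule really is limited to 443 toward the Exchange server.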
 
Another thing to consider is, will you be using OWA/OMA? If you will be using OWA, you still could get by with having the server internal with the use of HTTPS and host headers. But, OMA does not work (without an insecure workaround) unless you have an FE server, which I would place in the DMZ.

So, if you'll be using OMA...then yes, I would place an FE server in the DMZ.

You'll also need to consider which standards/policies you will need to conform to. If you are, say...a financial institution, you'll have no choice but to place an FE in the DMZ.

Hope This Helps,

Good Luck!
 
Thank you all for your inputs.

So if I do not need OWA/OMA (we will be using VPN clients to connect back) I can safely stay away from having to use the DMZ?
 