
PIX and Exchange: best strategy


sghezzi (Technical User), Apr 7, 2003
Hello,

we are planning to have Exchange as our internal mail server. At the moment we have an external ISP which acts as mail server as well and each user downloads mail from it.

What is the best strategy?
I can see different solutions:

1- we put Exchange inside the PIX and we apply static translation to let users access it via the Web interface from the Internet. From the inside, users will not have to cross the PIX to send/receive emails to/from other internal users.

2- we place Exchange in the DMZ. But in this case, from the inside, users will have to cross the PIX to send/receive emails to/from other internal users. Or is it maybe possible to split Exchange into two different parts: mail relay and mail server?

3- In both the previous cases we may decide whether to keep our external provider or not. Then Exchange could download emails from it periodically. On the one hand it would maybe be better, since we could let external users access it via the web and we wouldn't need to open HTTP on the PIX. But on the other hand it is a problem of costs (monthly fee to the provider).


What do you suggest?
Are there some documents showing what is the best strategy?

thanks a lot
regards
Silvia
 
Everyone has their own theory on the "best" way to do this. Here's mine:

Put the Exchange-OWA Server on the inside. Then, on the DMZ, install a Linux box running Apache with mod_proxy enabled. Set your proxy to forward to the inside Exchange server. This allows you to have a rule on the outside that only permits Internet traffic to the DMZ, and a separate rule that only allows one DMZ host to the inside. If someone were to launch an attack, they would first have to break into the proxy before going after your exchange server. Even if they did get into the proxy, they would only have one port to use to get to Exchange.

In the end, OWA is far from ideal to implement in an Internet environment (Thank You, Microsoft), but the proxy approach at least buys you a little more protection.
 
configuring SSL on IIS on the OWA server is another suggestion!

you may look into the Exchange 2003 server with the RPC over HTTP feature as well
never used it, so you're on your own there, but it looks interesting
you must have E2k3 and Win2k3 with IIS6 to do it
 
HI.

> Everyone has their own theory on the "best" way to do this.
I agree - you'll probably get many different answers (ask 10 experts and get 20 answers...)

With all possible solutions, there is not a perfect one.
This is because an Exchange server with web access is a target for attacks, and if someone hacks such a server (or even gains access to some mailboxes only), they can use it to deploy malicious code to internal users and ...

So whatever network design you choose, you must remember that OS and application level security is most important - using SSL as stated above can be part of it.
Protecting remote access with VPN is also an option.

Another thing to consider is adding a different box to act as mail relay + strong anti virus + spam filter + content filter (for example attachment blocking by extension).
Filtering most of the problems on a mail relay is good because you can configure strong filters at the mail relay, and only basic anti-virus scanning on the Exchange server itself. You also off-load some problems from the Exchange server (for example an Exchange server can fail by a virus even if the anti virus finds it because of the load).

> 1- we put Exchange inside the PIX and we apply static translation to let users to access to it via Web interface from the Internet
This is a common design used by many small offices.
But it is not so secure, especially because of the web access directly to an internal host.

> 2- we place Exchange in the DMZ
From a security point of view, this is a good option, because it prevents direct access to your internal network.
But to do it securely, the Exchange server will be in its own domain and not part of the internal network.
The disadvantages are that it is more difficult to implement and manage, and there are other problems with such a design.
If the Exchange server will be only for mail, then you should consider this option - but remember - if you make the Exchange server in the DMZ part of the internal network, then it is almost like option 1.
> Are there some documents showing what is the best strategy?
As a side note - you'll find many documents on the Internet about how to achieve connectivity over firewalls, but many of them will tell you to open dangerous ports like RPC and NETBIOS, and my recommendation is *NOT* to follow these articles.

> 3- On both the previous cases we may decide whether to keep our external provider or not.
> Then Exchange could download emails from it periodically.
You have other variants of this option to consider.
If you have only a few roaming users that need access from outside, and most of the users need only access from the office, then you can consider the following variants:

* (3a) Keep few mailboxes hosted at ISP for roaming users, configure MX record to point to your Exchange server (or your mail relay server), configure Exchange to forward mail for roaming users to their external account (or use "Out of Office" feature).

* (3b) Same idea as above, but instead of using ISP mailboxes, you implement an additional mail server that will be in DMZ and will serve roaming users from outside. That way the Exchange server in "inside" cannot be accessed from outside.

Both the variants above are not so easy to manage unless you need it for only few roaming users.

Now you have to provide some answers:
How many internal users do you have?
How many internal users will need mail access from outside? Do they use their own laptops (that can be configured with VPN)?
How many internal servers?
What PIX device do you have? How many interfaces? How many in use? What PIX OS?
Are you using VPN currently?

My suggestion is like this (but it depends on answers to the above questions):
Exchange server in "inside" (with anti-virus for exchange).
Mail relay server in "DMZ". The mail relay will filter SPAM (now or in a future phase), viruses, dangerous attachments, and relay attacks.
Roaming users will access their mail with either or a combination of the following:
* Forwarding to external accounts (variant 3b above).
* VPN with XAUTH and strong authentication or certificates (The VPN can be restricted to access mail server only and not the whole inside network).
* OWA over SSL with strong authentication of both client and server (client side certificates?).
Open ports in my suggestion are:
Port 25 from the Internet to mail relay in DMZ.
Port 25 from mail relay in DMZ to Exchange server in "inside" (or using poll mode which eliminates the need for open port).
Port 80 via VPN access for roaming users (or other additional ports via VPN if you wish to let them download/synchronize the mail also).

Let us know what you think...


Yizhar Hurwitz
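As an added example (not from any poster in this thread), here is a PIX 6.x configuration fragment implementing the port list above together with tbissett's two-rule layout: the Internet reaches only the two DMZ hosts, and only the relay and the OWA reverse proxy may reach the inside Exchange server, each on a single port. Interface names, host addresses and the `!` comment lines are assumptions (203.0.113.0/24 is documentation address space), and outbound NAT for the rest of the LAN is not shown.

```cisco
! PIX 6.x: three interfaces, DMZ at medium security (addresses are assumed)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

! One-to-one statics publish only the two DMZ hosts to the Internet
! 192.168.50.10 = mail relay, 192.168.50.20 = Apache/mod_proxy for OWA
static (dmz,outside) 203.0.113.3 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 192.168.50.20 netmask 255.255.255.255

! Rule 1 (outside -> DMZ): SMTP to the relay, HTTPS to the proxy, nothing else
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.4 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Let the DMZ reach the inside Exchange host (10.0.0.5) under its real address
static (inside,dmz) 10.0.0.5 10.0.0.5 netmask 255.255.255.255

! Rule 2 (DMZ -> inside): only the relay may deliver SMTP to Exchange and
! only the proxy may reach OWA on port 80; the DMZ reaches nothing else inside
access-list dmz_in permit tcp host 192.168.50.10 host 10.0.0.5 eq smtp
access-list dmz_in permit tcp host 192.168.50.20 host 10.0.0.5 eq www
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

If Exchange instead polls the relay from the inside (the "poll mode" mentioned above), the relay-to-Exchange SMTP permit can be dropped, since the connection is then initiated from the higher-security interface.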
 
Thanks to the both of you for your suggestions.

Here is more info to discuss.
...and some more questions ;-)

1- We have around 250 users and more or less 20 of them are traveling and need access to the web interface.
2- We have to exclude the VPN approach for the moment because we want to ensure web access to emails even from an Internet cafe'.
3- We have a PIX 525 (6.1) with 6 interfaces, 3 of those are not used at the moment.

Since we don't have any experience on Exchange at the moment, it has been decided (by the management :-/) that we will go for an easy solution right now: Exchange inside, interacting with Active Directory and the domain controller; we keep our external ISP mail server so that we open inbound port 25 on the PIX only from that mail server (is it possible to configure Exchange to do polling and initiate the connection from inside to the ext. mail server instead of having the inbound connection to port 25?). Then we will open inbound port https on the PIX from any to the Exchange server and we will authenticate users on the ISA server....ah yes, I forgot, we have an ISA server between the internal network and the PIX, so we can already authenticate roaming users on it, instead of letting them arrive on the Exchange.

What do you think about this solution? Is it secure enough for the time being?
Would it be better to put Exchange on the DMZ? But in this case we should open so many ports to let it communicate with the Domain Controller and Active Directory....

Then, for future development, as far as I have understood from your suggestions, I have the following possible scenarios/questions:

a- We can have a DMZ with Exchange which acts as MR (+ anti-spam and filters..) and keeps copies (mirror??) of the mailboxes of roaming users, so that roaming users can access those mailboxes via https when they travel but can still access the inside Exchange server when they are in. Is this possible? Too complex to maintain?

b- DMZ with Exchange which acts as MR (or other products....which ones?), and roaming users access the internal Exchange for OWA, being first authenticated on the ISA server, or we implement some application-level authentication on the PIX...is this possible? How?

Questions:

Q1- What kind of MR? If we use the Exchange (I think it is called front-end module) as MR, is it vulnerable and insecure? What do we gain?

Q2- What is more dangerous between opening port 25 and HTTPS? If it is port 25 (as I imagine), can we put the real Exchange mail server (with all mailboxes) on the DMZ to be accessed via HTTPS and open port 25 only from our ISP (as the management is planning to do now...), or is it better to keep it inside as I was mentioning at the beginning (due to the communication with the Domain Controller and Active Directory)?

Let me know what you think

Thanks a lot
Silvia
 
Definitely think an external mail relay with anti-virus/spam will be worth the investment if you have that many users. A properly firewalled 'nix based system will probably be less risky for MR + (anti-bug/spam), as there are far fewer vulnerabilities for the platform, and the common MTAs are more mature in development.

For the commercial (supportable) approach, I'm currently using Trend IMSS/eManager which uses postfix as its MTA, using its content_filter options to interact with the Trend software on the MRs. Haven't seen any other commercial nix products in this space, but I'm sure it can't be the only one.

I also concur that some form of SSL on OWA Server is a good idea. You could always setup the ISA server to 'publish' or Proxy/URL rewrite Webmail from the DMZ into the OWA Server, using the internal authent. I'm sure that MS will recommend this way, as they included this specifically for webmail, sharepoint portal, etc. Like tbissett, I prefer to use Apache/Mod Proxy and firewall rules to answer the SSL side of the connection and just reverse proxy that way (still being able to authent internally that way)

> a- We can have a DMZ with Exchange which acts as MR (+ anti-spam and filters..) and keep copies (mirror??) of the mail boxes of roaming users. So that roaming users can access via https to those mailboxes, when they travel but still can access to the inside Exchange server when they are in. Is this possible? Too complex to maintain?

To the best of my knowledge, a user must always live on one server, so it's meant to be 'impossible'. I'd suggest that any of the solutions suggested by everyone here would be a lot easier/cheaper/more effective, but you could always try giving them a 'virtual' home server, setting up a clustered Exchange server in fail-over, but I'm sure that'll only complicate your firewall matters no end. ;)
 