What's the general consensus on doing this? It seems to me that if you want
your front end to do recipient filtering among other things then it has to
have access to active directory data. Your choices then seem to become
making it a domain controller, thereby having your entire accounts database
replicated out into a less secure network, or you can open up a ton of ports
to allow it to communicate with the internal network. Seems like it could
almost make you less secure, rather than more.
Is an Exchange front end server on the DMZ a good or a bad idea, and if a
bad one, what's a better alternative if you're looking for it to handle
inbound mail as well as OWA?
For my specific implementation we're using Exchange 2003.
Thanks!
Phil
Lee Derbyshire [MVP] - 31 Jul 2008 14:12 GMT
> What's the general consensus on doing this? It seems to me that if you
> want your front end to do recipient filtering among other things then it
[quoted text clipped - 13 lines]
>
> Phil
Generally considered a bad idea these days, since you need to put so many
holes in the firewall in between. You may as well just let the http traffic
in to your server, since MS has IIS pretty well locked down nowadays. In
addition to SMTP, of course.
Lee.

David Ruth - 31 Jul 2008 15:02 GMT
The current recommendation is Front End server in the production network with
an Application Layer Firewall in the DMZ in front of it. Of course Microsoft
recommends ISA and it's probably the best choice. A lot of people try and
skimp on the firewall and try and get away with port filtering only.
Probably not a good idea since you will be accessing internal resources from
the cloud.
http://technet.microsoft.com/en-us/library/bb123753(EXCHG.65).aspx
http://technet.microsoft.com/en-us/library/bb123580(EXCHG.65).aspx
> What's the general consensus on doing this? It seems to me that if you want
> your front end to do recipient filtering among other things then it has to
[quoted text clipped - 13 lines]
>
> Phil
Jamestechman - 31 Jul 2008 16:07 GMT
Still the same; not recommended.
"We do not recommend placing an Exchange front-end server in a
perimeter network because it is not designed to be a security context,
and it requires extensive connectivity to Active Directory and the
Exchange back-end servers."
Application Layer Firewall protection for Exchange Server 2003 with
ISA Server 2004
http://technet.microsoft.com/en-us/library/cc713326.aspx
James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
On Jul 31, 9:01 am, "Phil McNeill"
<philmcne...@REMOVETEXTINCAPShydroottawa.com> wrote:
> What's the general consensus on doing this? It seems to me that if you want
> your front end to do recipient filtering among other things then it has to
[quoted text clipped - 13 lines]
>
> Phil
Phil McNeill - 31 Jul 2008 19:52 GMT
Thanks for the responses everyone. Pretty much what I expected, but now
it's not just me saying it. ;)
Thanks
> What's the general consensus on doing this? It seems to me that if you
> want your front end to do recipient filtering among other things then it
[quoted text clipped - 13 lines]
>
> Phil