
Windows Server Forum / Exchange Server / Design / October 2006


Exchange 2003 FE in DMZ or Internal LAN

Gates - 25 Oct 2006 19:05 GMT
I'm trying to figure out which location would be the most secure.  I'm
concerned about all of the holes I need to open in my FW to make this work
in a DMZ.

I'm curious what other people are doing with a FE-BE setup.

Thanks,
Jobe
Simon Walsh - 25 Oct 2006 19:21 GMT
Front End server on the LAN and publish with an ISA placed in the DMZ.
That is the best setup.

/Simon
> I'm trying to figure out which location would be the most secure.  I'm
> concerned about all of the holes I need to open in my FW to make this work
[quoted text clipped - 4 lines]
> Thanks,
> Jobe
Gates - 25 Oct 2006 19:26 GMT
OK, I don't have ISA.  What would you recommend then?

> Front End server on the LAN and publish with an ISA placed in the DMZ.
> That is the best setup
[quoted text clipped - 8 lines]
>> Thanks,
>> Jobe
Mark Arnold [MVP] - 25 Oct 2006 19:32 GMT
With or without ISA the FE must not go into the DMZ.
Put the FE on an isolated VLAN and apply network security on the
switches.
Use IPSec to connect the FE to the Exchange and GCs.
Gates - 25 Oct 2006 19:59 GMT
Why should it not go in the DMZ? Because of the Swiss cheese required for
communications back inside?

> With or without ISA the FE must not go into the DMZ.
> Put the FE on an isolated VLAN and apply network security on the
> switches.
> Use IPSec to connect the FE to the Exchange and GCs.
Gates - 25 Oct 2006 20:10 GMT
What's the difference between putting it in a VLAN or a DMZ?

You still have to allow access from the VLAN with an ACL.

Just curious.

> With or without ISA the FE must not go into the DMZ.
> Put the FE on an isolated VLAN and apply network security on the
> switches.
> Use IPSec to connect the FE to the Exchange and GCs.
Mark Arnold [MVP] - 26 Oct 2006 12:59 GMT
> What's the difference between putting it in a VLAN or a DMZ?
>
> You still have to allow access from the VLAN with an ACL.
>
> Just curious.

Yes, because of the Swiss Cheese you turn your internal firewall into.
As far as why vlanning and access control goes, that's just another
layer of security to help you control what that FE gets to see. If it
can't speak to anything except the DCs and on certain ports you are
making life just that little bit more of a challenge for the bad boys.
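
Added example, not part of any post in this thread: a small audit that flags permit rules on the FE's VLAN that are wider than a per-host allow-list, the restriction the last reply describes. The addresses, ports and rule format are constructed assumptions; the thread specifies none of them.

```python
import ipaddress

# Hypothetical allow-list: destination host -> (protocol, port) pairs the FE may use.
# Addresses and ports are constructed for illustration; the thread names neither.
ALLOWED = {
    "10.10.1.5": {("tcp", 389), ("tcp", 3268), ("tcp", 88), ("udp", 88), ("udp", 53)},  # DC / GC
    "10.10.1.20": {("tcp", 80)},  # back-end Exchange server
}

# Constructed ACL for the FE VLAN, one rule per line:
#   action protocol source destination port
SAMPLE_ACL = """\
permit tcp 10.10.50.10/32 10.10.1.5/32 389
permit tcp 10.10.50.10/32 10.10.1.5/32 3268
permit tcp 10.10.50.10/32 10.10.1.20/32 80
permit tcp 10.10.50.10/32 10.10.1.0/24 445
permit ip 10.10.50.10/32 10.10.1.20/32 any
deny ip any any any
"""

def audit_acl(acl_text):
    """Return (line_no, rule, reason) for every permit wider than ALLOWED."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5 or fields[0] != "permit":
            continue  # deny rules and blank lines cannot widen access
        _, proto, _src, dst, port = fields  # source is not checked in this sketch
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst)
        host = str(net.network_address)
        if net.num_addresses != 1:
            findings.append((n, line, "destination is a range, not a single host"))
        elif host not in ALLOWED:
            findings.append((n, line, "destination host is not on the allow-list"))
        elif proto == "ip" or port == "any":
            findings.append((n, line, "protocol or port is a wildcard"))
        elif (proto, int(port)) not in ALLOWED[host]:
            findings.append((n, line, "port is not allowed for this host"))
    return findings

if __name__ == "__main__":
    for n, rule, reason in audit_acl(SAMPLE_ACL):
        print(f"line {n}: {rule}  <- {reason}")
```
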