bbanis2k asked:
Exchange 2003 front-end on DMZ

Hello,

I have an Exchange 2003 front-end server that will be going on my DMZ, will be accessed from the outside for outlook web access and needs to communicate with my internal domain controllers and the back-end Exchange 2003 server.

Does anybody know which ports need to be opened on my firewall?

Thx
BBanis2K
ASKER CERTIFIED SOLUTION
cjpalmer
bbanis2k (ASKER)
For some reason I don't think IPSEC will be an option, simply because all traffic will be allowed between the two hosts....
Any particular reason why you want to put an Exchange server in the DMZ? Think it is going to increase your network security? Think again. No one has given me a good reason to put a domain member in the DMZ.
To quote a leading Exchange MVP, "There are NO valid reasons to put an Exchange server in the DMZ".
The number of compromises to network security makes the entire practice pointless.

My personal stance on Exchange in the DMZ is well documented, do a search if you want to see my reasons.
Here is one that I have been dealing with just this week: https://www.experts-exchange.com/questions/21256625/Possible-placement-of-OWA-on-DMZ-of-Pix-515E.html

Simon.
I think it is pretty dumb too.  You essentially have to open it up for the same functionality as if it were on the inside....so it might as well be.

Our top engineer is a jerk and is calling having it on the inside network a breach of security.

Everywhere I have worked in the past had OWA on the inside network, then I get here and they make a big stink about it....
If they are making so much noise about it then ask for documented proof. I actually walked out of a client who demanded I do it that way and wouldn't provide reasons because they were not listening to me.
If there is anything else in the DMZ that provides a route into your domain.

The way I work is minimum ports open to my internal network. I don't care whether that is from DMZ or Internet.
If there is still paranoia about having it open to the Internet, then offer 443 only (HTTPS) and propose a relay server for SMTP traffic. A Windows 2003 machine (in a workgroup) makes a very good relay server.

Simon.
You can also install SPAM and Virus management software on your relay to minimize the amount of messages that make it through to the "juicy center". Though, some of the SPAM management tools require LDAP access into the domain to check for valid email addresses...

Charles
Inbound mail relays through a SPAM firewall and then gets forwarded to Exchange...
I join the stance on network security here: don't open what you do not need. That said, having a front-end server in the DMZ can be a viable option; there are only a couple of requirements to make it really secure (multihomed so internal and external are physically separate, and so on).

The following Microsoft article describes the firewall ports:

http://support.microsoft.com/default.aspx?scid=kb;en-us;259240
I heard a rumor that in Exchange 2003 a front end server does not have to be a domain member.  Is this true?  Any links to documents stating this?
Where did you hear that rumour?
It isn't true.
Exchange 2003 will not install on a machine that isn't a member of a domain.

It might have been possible with Exchange 5.5, but I cannot remember for sure.

Simon.
Hi,

To answer the question:

Internet Firewall (between the Internet and the front-end servers):

443 for HTTPS
OR
80 for HTTP

Intranet Firewall (between the front-end and the back-end/internal network):
80 for HTTP
25 for SMTP
691 for LSA (link state routing)
389 TCP for LDAP to DS
389 UDP for LDAP to DS
3268 TCP for LDAP to GC
53 TCP and UDP for DNS
Open the appropriate ports for RPC, such as:
135 for the RPC endpoint mapper
1024+ for the random RPC service ports
For better security you can edit the registry and specify fixed RPC ports.
 
Hey everyone,
This is a valuable topic. Just to clarify the above post, there are a few more ports you gotta open, and to multiple hosts.
80 for HTTP
143 for IMAP
110 for POP
25 for SMTP
691 for Link State Algorithm routing protocol
· Open ports for Active Directory Communication:
TCP port 389 for LDAP to Directory Service
UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP port 88 for Kerberos authentication
UDP port 88 for Kerberos authentication
· Open the ports required for access to the DNS server:
TCP port 53
UDP port 53
· Open the appropriate ports for RPC communication:
TCP port 135 - RPC endpoint mapper
TCP ports 1024+ - RPC service ports
· (Optional) If you want to limit RPCs across the intranet firewall, edit the registry on servers in the intranet to limit RPC traffic to a specific port. Then open the appropriate ports on the internal firewall:
TCP port 135 – RPC endpoint mapper
TCP port 1600 (example) – RPC service port

If you can spend $1,400 to $2,500 then the best way to deal with this question is via ISA 2004. See below:
For your Client Access traffic (OWA, RPC/HTTP)
Internet--->Ext. Firewall--->ISA 2004--->Exchange FE server on internal network.

Unless you are a monster shop that can drop 100k plus on a perimeter security appliance that does REAL proxy and inspection of these client packets, you can't beat that topology.

I hope this helps! Nothing is more frustrating than an argument with highly opinionated and unknowledgeable staff about Exchange security design.
;-)

If they need "documentation" then I can point you to that as well.
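The two port lists posted above (the short one and the fuller one with Kerberos and the optional static RPC port) turned into a rule set with the checks a reviewer would run on it. This is an added example, not code from the thread or from Microsoft: the addresses are constructed sample values, the ACL names outside_in and dmz_in are hypothetical, and the rendered access-list syntax is only an approximation of PIX 6.x that you should verify against your own firewall's documentation. The audit function makes the thread's two main objections concrete: anything other than TCP 443 facing the Internet, and the TCP 1024+ dynamic RPC range opened from the DMZ into the inside, which goes away once a static RPC port is configured.

```python
"""Firewall rule set for an Exchange 2003 front-end in a DMZ, built from the
two port lists posted above, plus the checks a reviewer would run on it.
Added example; addresses, ACL names and PIX syntax are assumptions."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample addresses (documentation/private ranges); substitute your own.
FE = "192.0.2.10"   # front-end server in the DMZ
BE = "10.0.0.5"     # back-end Exchange 2003 server
DC = "10.0.0.2"     # domain controller (also GC and DNS here)
RPC_DYNAMIC = "1024-65535"  # what "TCP 1024+" means on Windows 2003


@dataclass(frozen=True)
class Rule:
    acl: str      # hypothetical ACL name: outside_in (Internet->DMZ) or dmz_in (DMZ->inside)
    proto: str    # tcp or udp
    src: str      # "any" or a host address
    dst: str
    port: str     # single port or "lo-hi" range
    purpose: str


def required_rules(static_rpc_port: Optional[int] = None,
                   pop_imap: bool = False) -> List[Rule]:
    """Rules implied by the thread: HTTPS only from the Internet; HTTP/SMTP/link
    state to the back-end; LDAP/GC/Kerberos/DNS/RPC to the DC. If a static RPC
    port has been configured on the inside, open just that port instead of the
    whole dynamic range (the "(Optional)" step in the second list)."""
    rules = [Rule("outside_in", "tcp", "any", FE, "443", "OWA over HTTPS")]
    rules += [Rule("dmz_in", "tcp", FE, BE, "80", "front-end proxies OWA to back-end"),
              Rule("dmz_in", "tcp", FE, BE, "25", "SMTP"),
              Rule("dmz_in", "tcp", FE, BE, "691", "link state routing")]
    if pop_imap:
        rules += [Rule("dmz_in", "tcp", FE, BE, "110", "POP3 proxy"),
                  Rule("dmz_in", "tcp", FE, BE, "143", "IMAP4 proxy")]
    for proto, port, why in [("tcp", "389", "LDAP"), ("udp", "389", "LDAP"),
                             ("tcp", "3268", "LDAP to global catalog"),
                             ("tcp", "88", "Kerberos"), ("udp", "88", "Kerberos"),
                             ("tcp", "53", "DNS"), ("udp", "53", "DNS"),
                             ("tcp", "135", "RPC endpoint mapper")]:
        rules.append(Rule("dmz_in", proto, FE, DC, port, why))
    if static_rpc_port is None:
        rules.append(Rule("dmz_in", "tcp", FE, DC, RPC_DYNAMIC, "RPC dynamic service ports"))
    else:
        rules.append(Rule("dmz_in", "tcp", FE, DC, str(static_rpc_port), "RPC static service port"))
    return rules


def audit(rules: List[Rule]) -> List[str]:
    """What a reviewer objects to: anything but TCP 443 from the Internet, and
    any port range from the DMZ into the inside (the RPC 1024+ hole)."""
    findings = []
    for r in rules:
        if r.acl == "outside_in" and (r.proto, r.port) != ("tcp", "443"):
            findings.append(f"Internet-facing {r.proto}/{r.port}: offer HTTPS only")
        if r.acl == "dmz_in" and "-" in r.port:
            findings.append(f"{r.dst} {r.proto}/{r.port}: range open to the inside; "
                            "pin RPC to a static port instead")
    return findings


def render_pix(rules: List[Rule]) -> List[str]:
    """Emit the rules in (roughly) PIX 6.x access-list syntax, one remark per
    rule. The syntax is an assumption; check it against your firewall's docs."""
    out = []
    for r in rules:
        src = "any" if r.src == "any" else f"host {r.src}"
        if "-" in r.port:
            lo, hi = r.port.split("-")
            match = f"range {lo} {hi}"
        else:
            match = f"eq {r.port}"
        out.append(f"access-list {r.acl} remark {r.purpose}")
        out.append(f"access-list {r.acl} permit {r.proto} {src} host {r.dst} {match}")
    return out


def check_tcp(rules: List[Rule],
              probe: Optional[Callable[[str, int], bool]] = None,
              timeout: float = 2.0) -> List[Tuple[Rule, bool]]:
    """Run from the front-end after the firewall change: attempt a TCP connect
    for every single-port dmz_in rule and report which are reachable. UDP and
    ranges are skipped. `probe` is injectable so the logic can run offline."""
    if probe is None:
        def probe(host: str, port: int) -> bool:
            try:
                with socket.create_connection((host, port), timeout=timeout):
                    return True
            except OSError:
                return False
    return [(r, probe(r.dst, int(r.port))) for r in rules
            if r.acl == "dmz_in" and r.proto == "tcp" and "-" not in r.port]


if __name__ == "__main__":
    loose = required_rules()
    print("\n".join(audit(loose)))           # flags the 1024-65535 range
    tight = required_rules(static_rpc_port=1600)
    print("\n".join(render_pix(tight)))      # clean rule set, nothing flagged
```

Generate the rule set with the default (dynamic RPC) first and read the audit output, then regenerate with the static RPC port you actually configured; only the second set should render without findings. Running check_tcp on the front-end itself, with the real socket probe, tells you which of the TCP rules the firewall team actually implemented before you start debugging OWA.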