• Status: Solved
• Priority: Medium
• Security: Public
• Views: 198

Exchange 2000 Server in DMZ

I have an Exchange 2000 server with LDAP authentication against Windows ADS, and it is kept in the DMZ of an appliance-based firewall (SonicWall with 3 ports, LAN, WAN and DMZ, in NAT mode).

When the Exchange server was in the LAN, it was possible for WAN users to get authenticated to the Windows server when they tried to access the Exchange server from outside.

1) Now that the Exchange server is in the DMZ, it is not possible to do authentication.
2) How can the administrator manage the Exchange server from the LAN?

What is the procedure to follow for authentication and management to happen?

What ports are required to be opened, and for which services?


1 Solution
If you want Windows authentication you should open some TCP ports, such as Kerberos, LDAP, etc.
Take a look here for all you need:

Or you can use Outlook Web Access.

For managing the Exchange server from the LAN you can use Remote Desktop Connection. It uses TCP port 3389.

I highly suggest putting the Exchange server back in the LAN. There are far too many dependencies on the AD infrastructure that require opening too many ports on the firewall, and your Exchange server is far too vulnerable/valuable to be in a publicly accessible DMZ.

The best solution is to use a simple SMTP relay host in the DMZ for inbound/outbound SMTP traffic. Only one single port is needed to relay data back and forth, and you can change it from the default port 25 for communications between the two servers for more stealth.

Go to the following Microsoft Knowledge Base article.
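The answers above say that an Exchange server in the DMZ needs "Kerberos, LDAP, etc." opened to the domain controllers, but the linked port list did not survive. The following is an added example, not code from the thread: a small probe you run from a host in the DMZ against a domain controller to see which of the well-known AD dependency ports actually answer through the SonicWall. The port list is from general Active Directory knowledge, not from the missing link; the host address and the `fake_connect` idea are assumptions for illustration. Run from a LAN host with `[("RDP", 3389)]` it also answers the management question from the first reply.

```python
"""Probe, from a host in the DMZ, which Active Directory dependency ports a
domain controller actually answers on through the firewall (added example)."""
import socket
from typing import Callable, Dict, List, Tuple

# TCP ports an Exchange 2000 member server has to reach on its domain
# controllers / global catalog servers. These are the well-known AD port
# requirements, not a list taken from the thread (its link did not survive).
AD_DEPENDENCY_PORTS: List[Tuple[str, int]] = [
    ("DNS", 53),
    ("Kerberos", 88),
    ("RPC endpoint mapper", 135),
    ("LDAP", 389),
    ("SMB (Netlogon, SYSVOL)", 445),
    ("LDAP over SSL", 636),
    ("Global Catalog LDAP", 3268),
    ("Global Catalog LDAP over SSL", 3269),
]
# A plain TCP connect cannot test Kerberos, DNS and NTP over UDP, nor the
# dynamic RPC port range that the endpoint mapper on 135 hands out; those
# still have to be allowed (or pinned to a narrow range) separately.

# A connector takes (host, port) and reports whether the port answered.
# Injecting it lets the probe be exercised offline with a fake.
Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake with host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: List[Tuple[str, int]],
                connect: Connector = tcp_connect) -> Dict[str, bool]:
    """Map each service name to whether its port on host was reachable."""
    return {name: connect(host, port) for name, port in ports}


def missing_dependencies(results: Dict[str, bool]) -> List[str]:
    """Service names whose port did not answer, in the order probed."""
    return [name for name, reachable in results.items() if not reachable]


def report(host: str, ports: List[Tuple[str, int]] = AD_DEPENDENCY_PORTS,
           connect: Connector = tcp_connect) -> str:
    """Human-readable summary: one line per port plus a verdict."""
    results = probe_ports(host, ports, connect)
    lines = [f"{'open   ' if ok else 'BLOCKED'}  {name}"
             for name, ok in results.items()]
    missing = missing_dependencies(results)
    verdict = ("all dependency ports reachable" if not missing
               else f"{len(missing)} of {len(ports)} dependency ports blocked")
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    import sys
    # Usage: python probe_dc.py <domain-controller-ip>   (address is yours)
    print(report(sys.argv[1]))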


I agree with lrmoore.

I also agree with lrmoore.
The front-end / back-end Exchange server outlined in the MS KB is a very expensive proposition when you consider the horsepower of the server to run it on, and the cost of an additional Exchange Server license. Just looking at the list of ports that need to be opened scares the heck out of me.

Something like an ESafe appliance in the DMZ is a much more secure, much less expensive solution:

Hi Prasad,

I am currently a SonicWall reseller and am very familiar with all SonicWall products. What you are attempting to do is common. It is also, in my opinion, risky. I would recommend leaving the Exchange server inside your local LAN and putting an inexpensive mail server on your DMZ, such as IMail by Ipswitch or something of the like. That way, if your mail server is compromised, your more confidential data isn't, such as calendars, tasks, master contact lists, etc. This is a very simple and cheap solution to implement. If you would be interested or could use some help, drop me a line at coakley@cornerstonemail.com.

If you are set on the way you have it now, keep in mind that with the SonicWall, the DMZ is totally cut off from coming back into the LAN, and I have seen many issues with Windows Kerberos. I would recommend putting VNC on your Exchange server and just VNCing into it from your LAN-side server. Hope this helps.

I think that we have a consensus that I should get the points.
