Exchange 2000 Server in DMZ

Posted on 2003-03-03
Medium Priority
Last Modified: 2010-04-11
I have an Exchange 2000 server with LDAP authentication with Windows ADS, and it is kept in the DMZ of an appliance-based firewall (SonicWall with 3 ports: LAN, WAN & DMZ, in NAT mode).

When the Exchange server was in the LAN, it was possible for WAN users to authenticate to the Windows server when they tried to access the Exchange server from outside.

1) Now that the Exchange server is in the DMZ, it's not possible to do authentication.
2) How can an administrator manage the Exchange server from the LAN?

What is the procedure to follow for authentication and management to happen?

What ports are required to be opened, and for which services?


Is there
Question by:dosti_p

Expert Comment

ID: 8063690
If you want Windows authentication you should open some TCP ports, such as Kerberos, LDAP, etc.
Take a look here for all you need:

Or you can use Outlook Web Access.

For managing the Exchange server from the LAN you can use Remote Desktop Connection. It uses TCP port 3389.

LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 8064481
Highly suggest putting the Exchange server back in the LAN. There are far too many dependencies on the AD infrastructure that require opening too many ports on the firewall, and your Exchange server is far too vulnerable/valuable to be in a publicly accessible DMZ.

Best solution is to use a simple SMTP relay host in the DMZ for in/outbound SMTP traffic. Only one single port needed to relay data back and forth, and you can change it from the default port 25 for communications between the two servers for more stealth.
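An added example, not part of the original thread: a small audit of an exported firewall rule list that flags every DMZ-to-LAN allow rule other than the single relay hop described in the answer above. The CSV layout, the zone and host names, and relay port 2525 are assumptions made for illustration; the AD port numbers are the standard well-known ones.

```python
import csv
import io

# Well-known ports an Exchange server in the DMZ would need toward Active Directory.
AD_PORTS = {"53": "DNS", "88": "Kerberos", "135": "RPC endpoint mapper",
            "389": "LDAP", "445": "SMB", "3268": "Global Catalog"}

# Constructed sample export; the layout, hosts and port 2525 are assumptions.
SAMPLE_RULES = """\
src_zone,dst_zone,dst_host,proto,port,action
WAN,DMZ,relay,tcp,25,allow
DMZ,LAN,exchange,tcp,2525,allow
DMZ,LAN,dc01,tcp,88,allow
DMZ,LAN,dc01,udp,88,allow
DMZ,LAN,dc01,tcp,389,allow
DMZ,LAN,dc01,tcp,135,allow
DMZ,LAN,any,tcp,3389,allow
LAN,DMZ,relay,tcp,2525,allow
DMZ,LAN,any,any,any,deny
"""

def audit_dmz_to_lan(rules_csv, mail_host, relay_port):
    """Return (flow, reason) for each DMZ->LAN allow rule other than the relay hop."""
    findings = []
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if (rule["src_zone"], rule["dst_zone"], rule["action"]) != ("DMZ", "LAN", "allow"):
            continue
        if (rule["dst_host"], rule["proto"], rule["port"]) == (mail_host, "tcp", str(relay_port)):
            continue  # the one permitted flow: DMZ relay -> internal mail server
        if rule["port"] in AD_PORTS:
            reason = f"AD dependency ({AD_PORTS[rule['port']]}) exposed to DMZ"
        elif rule["dst_host"] == "any" or rule["port"] == "any":
            reason = "wildcard destination or port"
        else:
            reason = "not part of the relay-only design"
        findings.append((f"{rule['proto']}/{rule['port']} -> {rule['dst_host']}", reason))
    return findings

if __name__ == "__main__":
    for flow, reason in audit_dmz_to_lan(SAMPLE_RULES, "exchange", 2525):
        print(f"{flow:22} {reason}")
```
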


Expert Comment

ID: 8071871
Go to the following Microsoft Knowledge Base article.



Expert Comment

ID: 8075692
I agree with lrmoore.
LVL 14

Expert Comment

ID: 8080886
I also agree with lrmoore.
LVL 79

Expert Comment

ID: 8080983
The front-end / back-end Exchange server outlined in the MS KB is a very expensive proposition when you consider the horsepower of the server to run it on, and the cost of an additional Exchange Server license. Just looking at the list of ports that need to be opened scares the heck out of me.

Something like an ESafe appliance in the DMZ is a much more secure, much less expensive solution:


Expert Comment

ID: 8108443
Hi Prasad,

I am currently a SonicWall reseller and am very familiar with all SonicWall products. What you are attempting to do is common. It is also, in my opinion, risky. I would recommend leaving the Exchange server inside your local LAN and putting an inexpensive mail server on your DMZ, such as IMail by Ipswitch or something of the like. That way, if your mail server is compromised, your more confidential data, such as calendars, tasks, master contact lists, etc., isn't. This is a very simple and cheap solution to implement. If you would be interested or could use some help, drop me a line at coakley@cornerstonemail.com. If you are set on the way you have it now, keep in mind that with the SonicWall, the DMZ is totally cut off from coming back into the LAN, and I have seen many issues with Windows Kerberos. I would recommend putting VNC on your Exchange server and just VNCing into it from your LAN-side server. Hope this helps.

LVL 79

Expert Comment

ID: 12487240
I think that we have a consensus that I should get the points..


Question has a verified solution.
