aelhajj

Exchange 2000 Front End/Backend

Here's what I'm trying to do. I want to set up an Exchange server behind the firewall. This will be no problem for my internal clients.

Now, I also have external clients that need to use that server (using POP3 and SMTP). I can just open ports 110 & 25, but that seems kind of dangerous to me. I really don't want that machine directly accessible from the net.

I know I can use a front-end/back-end topology, but I REALLY don't want to go through the cost of buying 2 licenses of Exchange. Is there another way of doing this that will secure my back-end Exchange box but allow my external clients to use SMTP and POP3?

I've thought about using qmail on Linux, but it looks like that will only solve my SMTP relay problem. I don't see how that will allow external users to POP into the Exchange box.

digitalwav

You have a few choices:

If the external clients are Windows boxes, have them use PPTP to get into the private network. This will provide a secure connection and you won't have to open any ports on the firewall. We did this because w/ Exchange 5.5, external access to POP3 was crashing the server.

You could also use the firewall's IPsec ability with the external clients. It achieves the same effect as the MS PPTP, but is at the firewall level and possibly supports more than just Microsoft clients.

Another option is to have the clients dial in via regular dial up for access to the server.

You could use IMAP instead of POP3 and SMTP; it's a little more secure and has more features.

aelhajj

ASKER

That'll work if I only had to worry about internal clients, but then how do people on other networks send e-mails via SMTP to my clients internally?

I'm trying to avoid opening any connections that will allow a "public" user to connect directly to my machine...

aelhajj

ASKER

Maybe some sort of a POP3 proxy? Something Linux-based would be nice, if anyone knows any that would help.

It's quite normal for the Exchange server to have its SMTP ports open to receive external e-mail. I would estimate the majority of Exchange servers are set up like this. If you run an enterprise-level firewall, that should be able to add some protection on incoming SMTP traffic by filtering bogus requests.

With regard to POP3 access, I don't like having any protocols which can give access to mailboxes. Have you considered giving users web access to the Exchange server? This can be quite secure, especially if you only enable the SSL access.

Alternatively, as digital said, provide VPN access (L2TP or PPTP). This would be my preferred solution, as your clients would be able to run the full Outlook client and thus have access to calendars and public folders etc.

Port 25 for SMTP will need to be open for receiving internet email.

The only alternative to that is to use a Linux-type system w/ sendmail to receive the internet email and forward it to the Exchange host, but trust me: unless you've done this kind of setup from the start, the initial setup will drive you crazy w/ labor.

The Linux/sendmail-type setup is the only way to completely remove the Exchange server from the internet, but as JMansford said, it is standard practice to allow only port 25 open to the Exchange box. I've done it in all of my installations and not had any problems.

ASKER CERTIFIED SOLUTION
SpazMODic