Exchange server 5.5 on DMZ or trusted interface?
Posted on 2003-03-05
1st, new user here, 80 pts is all I have so far.
I will be purchasing a firewall, probably either a Cisco PIX 515E, or Netscreen 25.
On an internet T1 line. I have an Exchange Server 5.5 on NT4 member server. This server is providing SMTP, IIS Web for Outlook Web Access only, and I am doing light traffic with IIS's ftp server (logging only into local logon accounts on the member server for ftp). Eventually the ftp services may move to another software package yet to be eval'd.
The OWA website is using CHAP (you are asked for your logon credentials first, before accessing the website).
Outlook 2000/XP is the client on the LAN.
I read in another question that it is tricky to place the Exchange Server in the DMZ zone, due to the need for domain logon authentication for LAN users, etc.
This firewall will also serve as users' general internet access, and I anticipate using NAT.
At this time, there is only the one server in question.
That opens the debate. Is it "too risky" placing the server on the trusted interface, and only directing the needed ports from the untrusted side to the exchange server? If so, is it possible to get things working properly with the Exchange Server in the DMZ zone?
My personal context is I'm an MCSE, so good with NT servers and such. I do not have much experience with firewalls (I've owned and managed two Netscreen lower end devices, I'm completely new to Cisco's offerings). I understand the basics of routing, but it's not my cup-of-tea. I will be purchasing tech support for the chosen firewall, so I will have some technical help there when the time comes.