Exchange server 5.5 on DMZ or trusted interface?

Posted on 2003-03-05
Medium Priority
Last Modified: 2010-04-09
1st, new user here, 80 pts is all I have so far.

I will be purchasing a firewall, probably either a Cisco PIX 515E, or Netscreen 25.

On an internet T1 line.  I have an Exchange Server 5.5 on NT4 member server.  This server is providing SMTP, IIS Web for Outlook Web Access only, and I am doing light traffic with IIS's ftp server (logging only into local logon accounts on the member server for ftp).  Eventually the ftp services may move to another software package yet to be eval'd.
The OWA website is using CHAP (you are asked for your logon credentials first, before accessing the website).
Outlook 2000/XP is the client on the LAN.

I read in another question that it is tricky to place the Exchange Server in the DMZ zone, due to the need for domain logon authentication for LAN users, etc.

This firewall will also serve as the users' general internet access, and I anticipate using NAT.

At this time, there is only the one server in question.  

That opens the debate.  Is it "too risky" placing the server on the trusted interface, and only directing the needed ports from the untrusted side to the exchange server?  If so, is it possible to get things working properly with the Exchange Server in the DMZ zone?

My personal context is I'm an MCSE, so good with NT servers and such.  I do not have much experience with firewalls (I've owned and managed two Netscreen lower end devices, I'm completely new to Cisco's offerings).  I understand the basics of routing, but it's not my cup-of-tea.  I will be purchasing tech support for the chosen firewall, so I will have some technical help there when the time comes.
Question by:JoesCat
LVL 79

Expert Comment

ID: 8075430
We've done it both ways. Personal opinion, the exchange server is more secure on the internal network with controlling the access through very explicit ports, than you would be with moving it into a DMZ, and still having all the domain dependency traffic going through the firewall. If you were not using the OWA, I would say leave it in the inside network, and put a simple smtp relay host in the DMZ that only has to forward smtp mail into the inside network.

Since you are using the OWA, (using ssl, I hope), putting the Exchange server into the DMZ may help protect your internal LAN if the server was compromised by an exploit of POP3/OWA (still depends on the swiss-cheese IIS), and smtp.

Just don't let putting the server into a DMZ lull you into a false sense of security. You still must maintain vigilance to keep all the security patches up to date and keep the server "locked down". I would suggest a host-based intrusion detection system, well established firewall rules, and locking down the external router to make a secure first line of defense.

If your Exchange server becomes the lifeblood of communications and collaboration within your organization, then it is a business critical system that should have NO direct outside connectivity. Setup a 2nd server in the DMZ that can serve the remote clients, and serve as a relay host.

Author Comment

ID: 8121453
Thanks for your response.  It's a bit to think about (especially since I'm not real good at the firewall configuration aspect yet).

I'm ending up with more questions, that I'll need to pose separately.

Did I not assign enough points (80)?  

Based on my thoughts and this one response, it seems I'd be a little better off placing the server in the DMZ zone.  I thought I remembered reading that it is a grueling configuration to set up.  Going that route, I'm certain I'd start a new question thread.
LVL 79

Accepted Solution

lrmoore earned 320 total points
ID: 8121718
If all you have is one Exchange server, put it in the inside network, not in a DMZ, and only permit port 25 smtp in/out of the firewall from that system.

PIX is easy (IMHO)
With PIX and Exchange in a DMZ, you have to turn off a feature called mailguard, or 'fixup' smtp, which helps prevent mischievous embedded smtp commands.

It's not about the points, it's all about helping you do the right thing.
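The mailguard / `fixup protocol smtp` feature mentioned above works by letting only the minimal RFC 821 command set reach the mail server and masking every other verb so the server answers it with an error. The following is an added example modelled on that behaviour; it is not Cisco's code and not from this thread. The allowed-verb set and the constructed sample session are assumptions made for the illustration, and the filter enters data mode on the client's DATA command rather than waiting for the server's 354 reply, which a real proxy would do.

```python
"""Minimal Mailguard-style SMTP command filter (added example, not Cisco code).

Only the seven minimal RFC 821 verbs are forwarded unchanged; any other verb
is overwritten with X's so the mail server behind the filter rejects it
instead of acting on it.  Message body lines (between DATA and the lone ".")
are passed through untouched, because they are content, not commands.
"""

# The verbs that a Mailguard-style filter lets through (assumption for this
# example; EHLO, VRFY, EXPN, ETRN and friends are deliberately absent).
ALLOWED_COMMANDS = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})

# Constructed sample client session, including an ESMTP greeting and two
# probing commands that a filter like this is meant to neutralise.
SAMPLE_SESSION = [
    "EHLO mail.example.net",
    "HELO mail.example.net",
    "VRFY root",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hi",
    "EXPN staff",          # inside the message body, so it is just text
    ".",
    "QUIT",
]


def mask_verb(line):
    """Replace the command verb with X's, keeping its arguments intact."""
    verb, sep, rest = line.partition(" ")
    return "X" * len(verb) + sep + rest


def filter_session(client_lines):
    """Run client->server lines through the filter.

    Returns (lines forwarded to the server, list of verbs that were masked).
    """
    forwarded = []
    masked = []
    in_data = False
    for line in client_lines:
        if in_data:
            # Body content: forward verbatim, watch for the end-of-data marker.
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED_COMMANDS:
            forwarded.append(line)
            if verb == "DATA":
                in_data = True
        else:
            # Unknown or extended verb: mask it so the server answers 500.
            masked.append(verb)
            forwarded.append(mask_verb(line))
    return forwarded, masked


if __name__ == "__main__":
    out, hidden = filter_session(SAMPLE_SESSION)
    print("masked verbs:", hidden)
    for l in out:
        print("->", l)
```

Because EHLO itself is masked, an ESMTP-speaking client falls back to plain HELO and loses every extension it would otherwise negotiate; that is the usual reason such a fixup has to be switched off when an Exchange server sits behind it in the DMZ, as the answer above notes.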

Expert Comment

ID: 8126392
lrmoore's comment regarding position is correct. A system configured according to UK GSI recommendations has three distinct networks - the inner clean network, a DMZ (the 'dirty' network), and the untrusted external network (e.g. rest of world). A full-blown implementation has 'clean' mail, web cache, news (etc.) servers on the inner clean network. The DMZ hosts public-facing servers (e.g. internet web site, mail and news servers). Routers and bastion hosts ['firewalls'] are used to segregate networks and route traffic. One or more servers may be used to host the services in the DMZ.

In this example, incoming mail is sent to the 'dirty' mail server. This is used as a relay to the inner mail server. Outgoing mail goes from the clean mail server to the dirty mail server, and the bastion host [e.g. a Pix, Firewall-1, whatever firewall] policy will only allow mail traffic to flow between these systems, and check data packets match IP packet type.

The entire system, from outer screening router to inner screening router, is a firewall, hence it is a misnomer to say the "firewall" routes and controls mail flow. However, as the term firewall is accepted to mean a single box as opposed to a DMZ system, I feel an explanation is needed.

How could you replicate? Without the ability to post a picture, it's difficult to describe the physical architecture, but the easiest method would be to build a small Linux box, remove ALL unnecessary services (e.g. harden the box), and run only sendmail, receiving external mail and forwarding to your Exchange server, and receiving mail from Exchange and sending onwards. ACLs on the internet-facing router 'protect' this box (but it's dirty and hence untrusted anyway, and considered 'expendable'; make a good backup once the system is up and seal it away!).

The firewall (in this case a box) separates this box from the inner clean network, and routes traffic between Linux and Exchange, checking that the traffic is SMTP (perhaps some X.400 as well, if needed) and only goes from box to box.

If you are UK, you can request the UK Government security architecture manuals which detail the architecture. The US Govt has similar guidelines. Although low level classified, they are nothing secret, merely info commercially available re-written in government lingo ;)
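The two checks that make the 'dirty' relay in this design safe are the bastion host's default-deny flow policy (SMTP only, and only between the named boxes) and the relay's own refusal to forward mail that is neither inbound for the organisation nor outbound from the clean mail server. The following is an added example of both, written in Python as a policy model rather than as sendmail or PIX configuration; it is not from this thread or from any of the products named. The zone names, the organisation domain `example.com`, and the clean server address `192.0.2.10` are constructed placeholders, and the address parser goes slightly beyond the comment by also rejecting the source-routed and percent-hack recipient forms that turn a relay into an open relay.

```python
"""Policy model for a DMZ mail relay (added example, not sendmail/PIX config).

firewall_permits() models the bastion host's default-deny flow policy; relay_decision()
models what the dirty relay should answer to a RCPT TO: depending on who is talking
to it and where the mail is going.
"""
import ipaddress
import re

# Constructed placeholders for the example.
LOCAL_DOMAINS = frozenset({"example.com"})                    # mail the relay accepts inbound
CLEAN_MAIL_SERVER = ipaddress.ip_network("192.0.2.10/32")     # the inside Exchange server

# Default-deny flow policy between the three zones: SMTP only, box to box.
ALLOWED_FLOWS = frozenset({
    ("outside", "dmz", 25),   # world -> dirty relay
    ("dmz", "outside", 25),   # dirty relay -> world
    ("dmz", "inside", 25),    # dirty relay -> clean mail server
    ("inside", "dmz", 25),    # clean mail server -> dirty relay
})

# <local@domain> or local@domain; the local part may not contain '@', '<', '>'
# or whitespace, so a source-routed "<@a:user@b>" never matches.
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([A-Za-z0-9.-]+)>?$")


def firewall_permits(src_zone, dst_zone, dport):
    """True only for flows explicitly listed; everything else is dropped."""
    return (src_zone, dst_zone, dport) in ALLOWED_FLOWS


def parse_rcpt(arg):
    """Parse the argument of an SMTP RCPT command.

    Returns (local_part, domain) or None.  Percent-hack ("user%other@us") and
    UUCP-style ("host!user") local parts are rejected because they ask the
    relay to forward onward to a third party.
    """
    arg = arg.strip()
    if arg.upper().startswith("TO:"):
        arg = arg[3:].strip()
    m = ADDR_RE.match(arg)
    if not m:
        return None
    local, domain = m.group(1), m.group(2).lower()
    if "%" in local or "!" in local:
        return None
    return local, domain


def relay_decision(client_ip, rcpt_arg):
    """Decide what the dirty relay does with a recipient from a given client."""
    parsed = parse_rcpt(rcpt_arg)
    if parsed is None:
        return "reject-malformed"
    _, domain = parsed
    if domain in LOCAL_DOMAINS:
        return "accept-inbound"          # anyone may send mail *to* us
    if ipaddress.ip_address(client_ip) in CLEAN_MAIL_SERVER:
        return "accept-outbound"         # only the clean server may send *out*
    return "reject-relay"                # third-party relaying = open relay


if __name__ == "__main__":
    # Constructed sample traffic: an outside sender, the inside server, and an
    # outside host probing for an open relay.
    for ip, rcpt in [
        ("203.0.113.5", "TO:<bob@example.com>"),
        ("192.0.2.10", "TO:<alice@example.net>"),
        ("203.0.113.5", "TO:<alice@example.net>"),
        ("203.0.113.5", "TO:<alice%example.net@example.com>"),
    ]:
        print(ip, rcpt, "->", relay_decision(ip, rcpt))
    print("outside->inside:25 permitted?", firewall_permits("outside", "inside", 25))
```

The relay decision only makes sense together with the flow policy: if the firewall let the outside world reach the clean server on port 25 directly, the relay's checks would simply be bypassed.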



Author Comment

ID: 8133543
lrmoore, yes it would be easier if the box was only an Exchange Server.  But as you said earlier, we also use that darn Outlook Web Access, hence the need to use IIS as well.  That's what is leaning me towards placing it in the DMZ.

It is great information using an SMTP relay.  I did a cursory search, but didn't find a good one for Windows that looked appealing.  I know nothing about Linux, but it would be a good excuse to start.  But time to implementation and workload will not permit that solution out of the gate.

Any other comments to support or refute where we are so far?
LVL 79

Expert Comment

ID: 8133573
Even with OWA as long as you are using SSL, you only have to open one additional port through the firewall.

Check out eSafe as an SMTP gateway:



Expert Comment

ID: 8134766
Linux install is easy. Just say NO to every service, except sendmail. Check out various FAQs and readmes for configuration.

Author Comment

ID: 8177277
Thank you very much lrmoore and alewisa for your added comments.  I'm evaluating either trying my first Linux box and Sendmail for a cheap SMTP gateway, and I'm beginning to look into Esafe.  Thanks again!

Author Comment

ID: 8177298
There is no one right answer to the question I realize.  Thanks to all for their input, it WILL be used!
