Exchange server 5.5 on DMZ or trusted interface?

1st, new user here, 80 pts is all I have so far.

I will be purchasing a firewall, probably either a Cisco PIX 515E, or Netscreen 25.

On an internet T1 line.  I have an Exchange Server 5.5 on NT4 member server.  This server is providing SMTP, IIS Web for Outlook Web Access only, and I am doing light traffic with IIS's ftp server (logging only into local logon accounts on the member server for ftp).  Eventually the ftp services may move to another software package yet to be eval'd.
The OWA website is using CHAP (you are asked for your logon credentials first, before accessing the website).
Outlook 2000/XP is the client on the LAN.

I read in another question that it is tricky to place the Exchange Server in the DMZ zone, due to the need for domain logon authentication for LAN users, etc.

This firewall will also serve as the users' general internet access, and I anticipate using NAT.

At this time, there is only the one server in question.  

That opens the debate.  Is it "too risky" placing the server on the trusted interface, and only directing the needed ports from the untrusted side to the exchange server?  If so, is it possible to get things working properly with the Exchange Server in the DMZ zone?

My personal context is I'm an MCSE, so good with NT servers and such.  I do not have much experience with firewalls (I've owned and managed two Netscreen lower end devices, I'm completely new to Cisco's offerings).  I understand the basics of routing, but it's not my cup-of-tea.  I will be purchasing tech support for the chosen firewall, so I will have some technical help there when the time comes.

We've done it both ways. Personal opinion, the exchange server is more secure on the internal network with controlling the access through very explicit ports, than you would be with moving it into a DMZ, and still having all the domain dependency traffic going through the firewall. If you were not using the OWA, I would say leave it in the inside network, and put a simple smtp relay host in the DMZ that only has to forward smtp mail into the inside network.

Since you are using the OWA, (using ssl, I hope), putting the Exchange server into the DMZ may help protect your internal LAN if the server was compromised by an exploit of POP3/OWA (still depends on the swiss-cheese IIS), and smtp.

Just don't let putting the server into a DMZ lull you into a false sense of security. You still must maintain vigilance to keep all the security patches up to date and keep the server "locked down". I would suggest a host-based intrusion detection system, well established firewall rules, and locking down the external router to make a secure first line of defense.

If your Exchange server becomes the lifeblood of communications and collaboration within your organization, then it is a business critical system that should have NO direct outside connectivity. Set up a 2nd server in the DMZ that can serve the remote clients, and serve as a relay host.
JoesCatAuthor Commented:
Thanks for your response.  It's a bit to think about (especially since I'm not real good at the firewall configuration aspect yet).

I'm ending up with more questions, that I'll need to pose separately.

Did I not assign enough points (80)?  

Based on my thoughts and this one response, it seems I'd be a little better off placing the server in the DMZ zone.  I thought I remember reading that it is a grueling configuration to set up.  Going that route, I'm certain I'd start a new question thread.  
If all you have is one Exchange server, put it in the inside network, not in a DMZ, and only permit port 25 smtp in/out of the firewall from that system.

PIX is easy (IMHO)
With PIX and Exchange in a DMZ, you have to turn off a feature called mailguard, or 'fixup' smtp, which helps prevent mischievous embedded smtp commands.

It's not about the points, it's all about helping you do the right thing.
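As an added illustration (not configuration posted by anyone in this thread), here is what lrmoore's "keep it inside and only permit the needed ports" option looks like in PIX 6.x-style syntax, with the DMZ variant and its mailguard consequence noted in comments. Interface names, the RFC 5737 addresses and the Exchange host's internal IP are assumed placeholders, not the asker's real values.

```cisco
! Added example, not from the thread. PIX 6.x-style syntax; all addresses
! are documentation placeholders. Exchange 5.5 is assumed at 10.0.0.10.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

! General internet access for LAN users through PAT on the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Option A (lrmoore): Exchange stays on the inside. One static mapping,
! and only SMTP (25) and OWA over SSL (443) are allowed in from the outside.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.10 eq 443
! Everything else from the outside is dropped by the implicit deny.
access-group outside_in in interface outside

! Outbound: only the Exchange host may talk SMTP to the internet, so a
! compromised workstation cannot mail out directly; other traffic is unchanged.
access-list inside_out permit tcp host 10.0.0.10 any eq smtp
access-list inside_out deny tcp any any eq smtp
access-list inside_out permit ip any any
access-group inside_out in interface inside

! Keep mailguard on: the PIX then only passes a minimal set of SMTP
! commands through to Exchange and blocks embedded, non-standard ones.
fixup protocol smtp 25

! Option B (Exchange moved to a DMZ on a third interface): per the thread,
! mailguard has to come off, so that SMTP command filtering is lost, and the
! domain logon traffic from the DMZ back to the inside must also be opened:
!   nameif ethernet2 dmz security50
!   no fixup protocol smtp 25
```

With option A the firewall's inspection of SMTP stays in front of Exchange; with option B you trade that for isolation of the LAN if the IIS/OWA host is compromised.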


lrmoore's comment regarding position is correct. A system configured according to UK GSI recommendations has three distinct networks - the inner clean network, a DMZ (the 'dirty' network), and the untrusted external network (e.g. rest of world). A full blown implementation has 'clean' mail, web cache, news (etc) servers on the inner clean network. The DMZ hosts public facing servers (e.g. internet web site, mail and news servers). Routers and bastion hosts ['firewalls'] are used to segregate networks and route traffic. One or more servers may be used to host the services in the DMZ.

In this example, incoming mail is sent to the 'dirty' mail server. This is used as a relay to the inner mail server. Outgoing mail goes from clean mail server to dirty mail server, and the bastion host [e.g. a Pix, Firewall-1, whatever firewall] policy will only allow mail traffic to flow between these systems, and check data packets match IP packet type.

The entire system, from outer screening router to inner screening router, is a firewall, hence it is a misnomer to say the "firewall" routes and controls mail flow. However, as the term firewall is accepted to mean a single box as opposed to a DMZ system, I feel an explanation is needed.

How could you replicate? Without the ability to post a picture, it's difficult to describe the physical architecture, but the easiest method would be to build a small Linux box, remove ALL unnecessary services (e.g. harden the box), and run only sendmail, receiving external mail and forwarding to your Exchange server, and receiving mail from Exchange and sending onwards. ACLs on the internet facing router 'protect' this box (but it's dirty and hence untrusted anyway, and considered 'expendable'. Make a good backup once the system is up and seal it away!).

The firewall (in this case a box) separates this box from the inner clean network, and routes traffic between Linux and Exchange, checking that the traffic is SMTP (perhaps some X.400 as well, if needed) and only goes from box to box.

If you are UK, you can request the UK Government security architecture manuals which detail the architecture. The US Govt has similar guidelines. Although low level classified, they are nothing secret, merely info commercially available re-written in government lingo ;)


JoesCatAuthor Commented:
lrmoore, yes it would be easier if the box was only an Exchange Server.  But as you said earlier, we also use that darn Outlook Web Access, hence the need to use IIS as well.  That's what is leaning me towards placing it in the DMZ.

It is great information using an SMTP relay.  I did a cursory search, but didn't find a good one for Windows that looked appealing.  I know nothing about Linux, but it would be a good excuse to start.  But time to implementation and workload will not permit that solution out of the gate.

Any other comments to support or refute where we are so far?
Even with OWA as long as you are using SSL, you only have to open one additional port through the firewall.

Check out eSafe as an SMTP gateway:

Linux install is easy. Just say NO to every service, except sendmail. Check out various FAQ's and readme's for configuration
JoesCatAuthor Commented:
Thank you very much lrmoore and alewisa for your added comments.  I'm evaluating either trying my first Linux box and Sendmail for a cheap SMTP gateway, and I'm beginning to look into Esafe.  Thanks again!
JoesCatAuthor Commented:
There is no one right answer to the question I realize.  Thanks to all for their input, it WILL be used!