Planning a network layout with Exchange Server 2003

Hi all, got an urgent question about my network design,

My network is behind a WatchGuard Firebox II.
I have 3 W2K3 servers in my domain:

one is used for file serving (trusted)
one is a DC and has Exchange 2003 installed (trusted)
one DMZ server (optional interface)

My question now is how I should deal with reality and put the Exchange server online: should I install a front-end server on the DMZ and open communication from the optional to the trusted network, or should I just open the ports right into the Exchange server on the DC? (That sounds dangerous.)

Any suggestions? What would be the best and most secure solution with my current hardware?

thanks..
Seh_it24 Asked:
ErikKvK Commented:
Some rules of thumb for internet security:
1- Never allow internet traffic towards any of your domain controllers directly. Bad practice to run ISA on Domain controllers and such.
2- If you have a DMZ why not use it. A DMZ is created to avoid allowing internet traffic into the intranet.
3- Where possible do not allow direct connections between untrusted and trusted networks.
4- Do not publish data storage to the internet, use interface servers for this.

For this scenario:
In my opinion there are two options. Firstly, you can install a front-end server into the DMZ. This will prevent direct access to the domain controller and mail server (rules 1, 3 and 4). Secondly, you will utilize the DMZ (rule 2).
The second option is to use ISA Server to publish the Exchange server. This would be the scenario if you only allow POP and IMAP to the server and you are not willing to host OWA. This will comply with all rules.
0
 
IceRaven Commented:
Hi,

Is the exchange server going to be used for OWA?

IceRaven.
0
 
Seh_it24 Author Commented:
The server will host POP/IMAP and not OWA. If I set up a front-end server in the DMZ, how should it be implemented? As a member server of the internal domain or as a new domain?

If I set the server to be a member of the domain, it will reveal my internal network, right?

So how is this going to be solved?
0
 
What90 Commented:
I believe ErikKvK would suggest that you set the DMZ server up as a standalone member server. That way no AD traffic would ever pass through the firewall.

Set it up with its own set of passwords and accounts, different from the ones you'd use on your internal LAN, for added security.

0
 
IceRaven Commented:
I don't understand why you would use a front-end server for Exchange if you were not using OWA.

You have to open the same internal ports as external on the firewall, allowing hackers only one extra step, a few seconds. Plus it costs you the expense of an entire server!

I would have said do something like this:

Public Network
|
DMZ Server
|
DMZ Network
- Exchange Server
|
Firewall
|
Internal Network
- Domain Controller / File Server

What's wrong with this solution?

IceRaven.
0
 
What90 Commented:
IceRaven,

My concern with your option would be that critical AD traffic would go through the firewall. I'd hate for any internal AD info to be placed on a vulnerable DMZ area/zone. Basically a DMZ is just that: vulnerable and untrusted!

Firewalls aren't that smart, and the number of ports you have to open to get Exchange and AD playing nicely together is scary.

I'd always want to keep my main Exchange server(s) on the LAN, near to the users and as safe as possible.

That's my take anyhow.
0
 
Seh_it24 Author Commented:
I guess it would look like this then:

Public Network---------------------Internal network----DC
|
Watchguard firewall
|
|
optional interface
|
dmz server with exchange
0
 
What90 Commented:
My take would be:


Internal network(Private Interface) ----DC + backend Exchange server
|
Watchguard firewall (Public Interface) ----------------Public Network/Internet
|
optional interface (DMZ Interface)
|
dmz server with front end exchange or mail relay server(standalone)

Traffic would go from the public network to the DMZ server, then through to the internal Exchange server, and vice versa for outgoing traffic.
0
 
ErikKvK Commented:
Having a front-end server communicate with AD from AD is no problem.

A stand-alone server is never a member server.

When talking about firewalls and ports, you need to keep in mind that the gap opened up is defined by two dimensions: ports and IPs.

With a front-end server, you have one IP that is allowed into the internal network over a limited number of ports. In the other scenario, the whole world is allowed into the local network.

What90 is right in his picture of a DMZ. Every host in a DMZ should be multihomed, one inbound connection and one outbound connection, each having a different IP subnet. Ideally the firewall should have two DMZ interfaces, one inbound and one outbound.
0
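As an added example (not code from the thread or from any of the posters), the following Python models ErikKvK's rules of thumb from his first answer together with the "ports and IPs" point made here: it flags a ruleset that publishes the DC straight to the internet and compares the size of the opening into the back end under the two designs. Host names, zones, the rule format and the 192.0.2.10 address are assumptions.

```python
# Added example (not from the thread): a small policy check for the layouts
# discussed above. Host names, zones, the rule format and the 192.0.2.10
# address are all constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_network

INTERNET = ip_network("0.0.0.0/0")   # "the whole world" as a source

@dataclass(frozen=True)
class Rule:
    src: str           # allowed source network in CIDR form
    dst: str           # destination host name
    ports: frozenset   # TCP ports the firewall opens towards dst

# Constructed inventory for the thread's three servers plus a DMZ front end.
ZONE = {"dc1": "trusted", "fs1": "trusted", "fe1": "dmz"}
DOMAIN_CONTROLLERS = {"dc1"}
DATA_STORES = {"dc1", "fs1"}   # dc1 also holds the Exchange mailbox store

def violations(rules):
    """Return (rule, reason) pairs breaking ErikKvK's rules of thumb 1, 3 and 4."""
    found = []
    for r in rules:
        if ip_network(r.src) != INTERNET:
            continue   # only internet-sourced rules matter for these three rules
        if r.dst in DOMAIN_CONTROLLERS:
            found.append((r, "rule 1: internet traffic straight to a domain controller"))
        if ZONE[r.dst] == "trusted":
            found.append((r, "rule 3: untrusted network connected directly to a trusted host"))
        if r.dst in DATA_STORES:
            found.append((r, "rule 4: data storage published to the internet"))
    return found

def exposure(rules, host):
    """Size of the gap into `host`: allowed source addresses x open ports (ErikKvK's two dimensions)."""
    return sum(ip_network(r.src).num_addresses * len(r.ports)
               for r in rules if r.dst == host)

MAIL_PORTS = frozenset({25, 110, 143, 443})   # SMTP, POP3, IMAP, HTTPS for OWA (constructed list)

# Design A: publish the DC running Exchange straight to the internet.
DIRECT = [Rule("0.0.0.0/0", "dc1", MAIL_PORTS)]
# Design B: the internet reaches only the DMZ front end; only the front end's
# single DMZ address (constructed) may continue to the back end.
FRONT_END = [Rule("0.0.0.0/0", "fe1", MAIL_PORTS),
             Rule("192.0.2.10/32", "dc1", MAIL_PORTS)]
```

Design A opens every address on the internet to the DC over four ports; Design B opens the same four ports to one address, which is the reduction ErikKvK describes.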
 
Seh_it24 Author Commented:
Sorry, my fault, I'm of course gonna be using OWA.. :)
0
 
What90 Commented:
Oops, meant to delete that in my first post, as a stand-alone member is a big contradiction in terms and can't exist in the MS world.

:-)
Ta for spotting and correcting that ErikKvK!
0