Solved

Planning a network layout with Exchange Server 2003

Posted on 2004-04-15
Last Modified: 2010-03-05
Hi all, got an urgent question about my network design.

My network is behind a WatchGuard Firebox II.
I got 3 W2K3 servers in my domain:

one is used for file serving (trusted)
one is DC and has Exchange 2003 installed (trusted)
one DMZ server (optional interface)

My question is now how should I deal with the reality and put the Exchange server online: should I install a front end server on the DMZ and open for communication from the optional to the trusted network, or should I just open the ports right in to the Exchange server on the DC? (That sounds dangerous.)

Any suggestions? What would be the best and secure solution with my current hardware?

Thanks..
Question by:Seh_it24
13 Comments
 
LVL 7

Expert Comment

by:IceRaven
ID: 10831798
Hi,

Is the exchange server going to be used for OWA?

IceRaven.
 
LVL 8

Accepted Solution

by:
ErikKvK earned 250 total points
ID: 10831802
Some rules of thumb for internet security:
1- Never allow internet traffic towards any of your domain controllers directly. Bad practice to run ISA on domain controllers and such.
2- If you have a DMZ, why not use it? A DMZ is created to avoid allowing internet traffic into the intranet.
3- Where possible, do not allow direct connections between untrusted and trusted networks.
4- Do not publish data storage to the internet; use interface servers for this.

For this scenario:
In my opinion there are two options. Firstly, you can install a front end server into the DMZ. This will prevent direct access to the domain controller and mail server (rules 1, 3 and 4). Secondly, you will utilize the DMZ (rule 2).
The second option is to use ISA Server to publish the Exchange server. This would be the scenario if you only allow POP and IMAP to the server and you are not willing to host OWA. This will comply with all rules.
 

Author Comment

by:Seh_it24
ID: 10831977
The server will host POP/IMAP and not OWA. If I set up a front-end server in the DMZ, how should it be implemented? Like a member server of the internal domain or as a new domain?

If I set the server to be a member of the domain, it will reveal my internal network, right?

So how is this going to be solved?
 
LVL 20

Assisted Solution

by:What90
What90 earned 250 total points
ID: 10832090
I believe ErikKvK would suggest that you set the DMZ server up as a standalone member server. That way no AD traffic would ever pass through the firewall.

Set it with its own set of passwords and accounts, different from the ones you'd use on your internal LAN, for added security.

 
LVL 7

Expert Comment

by:IceRaven
ID: 10832328
I don't understand why you would use a front end server for Exchange if you were not using OWA.

You have to open the same internal ports as external on the firewall, allowing hackers only one extra step, a few seconds. Plus it costs you the expense of an entire server!

I would have said do something like this:

Public Network
|
DMZ Server
|
DMZ Network
- Exchange Server
|
Firewall
|
Internal Network
- Domain Controller / File Server

What's wrong with this solution?

IceRaven.
 
LVL 20

Expert Comment

by:What90
ID: 10832662
IceRaven,

My concern with your option would be that critical AD traffic would go through the firewall. I'd hate for any internal AD info to be placed on a vulnerable DMZ area/zone. Basically a DMZ is just that - vulnerable and untrusted!

Firewalls aren't that smart, and the number of ports you have to open to get Exchange and AD playing nicely together is scary.

I'd always want to keep my main Exchange server(s) on the LAN, near to the users and as safe as possible.

That's my take anyhow.
 

Author Comment

by:Seh_it24
ID: 10832703
I guess it would look like this then:

Public Network---------------------Internal network----DC
|
Watchguard firewall
|
|
optional interface
|
dmz server with exchange
 
LVL 20

Expert Comment

by:What90
ID: 10832776
My take would be:


Internal network(Private Interface) ----DC + backend Exchange server
|
Watchguard firewall (Public Interface) ----------------Public Network/Internet
|
optional interface (DMZ Interface)
|
dmz server with front end exchange or mail relay server(standalone)

Traffic would go from the public network to the DMZ server, then through to the internal Exchange server, and vice versa for outgoing traffic.
 
LVL 8

Expert Comment

by:ErikKvK
ID: 10833263
Having a front end server communicate with AD from AD is no problem.

A stand-alone server is never a member server.

When talking about firewalls and ports, you need to keep in mind that the gap opened up is defined by two dimensions: ports and IPs.

With a front-end server, you have one IP that is allowed into the internal network over a limited number of ports. In the other scenario, the whole world is allowed into the local network.

What90 is right in his picture of a DMZ. Every host in a DMZ should be multihomed, one inbound connection and one outbound connection, each having a different IP subnet. Ideally the firewall should have two DMZ interfaces, one inbound and one outbound.
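A small model of the "two dimensions" argument in the comment above (source scope and port count), added here as an example; it is not code from the thread. The host names and port numbers are constructed illustrative values, not an authoritative Exchange 2003 port list.

```python
"""Firewall allow-rule model for the DMZ discussion above (added example).
Each rule is (source, destination host, ports). The 'gap' is the set of
(source, port) pairs a zone accepts; the reachability walk counts how many
hops the internet is from the DC. Names and ports are constructed values."""

TRUSTED = {"dc-exchange", "fileserver"}

# Topology A: ports opened straight to the Exchange server on the DC.
DIRECT_PUBLISH = [("internet", "dc-exchange", frozenset({25, 110, 143, 443}))]

# Topology B: front-end server in the DMZ; only its single IP may talk to
# the back end, on a bounded set of ports (illustrative numbers).
FRONT_END_DMZ = [
    ("internet", "fe-dmz", frozenset({25, 443})),
    ("fe-dmz", "dc-exchange", frozenset({25, 80, 88, 389, 3268})),
]

def trusted_hosts_exposed_to_internet(rules, trusted=TRUSTED):
    """Rule 1/3 check: trusted hosts an internet source may reach directly."""
    return sorted({dst for src, dst, _ in rules
                   if src == "internet" and dst in trusted})

def reachability(rules, start="internet"):
    """Breadth-first walk over allow rules: {host: hops from start}."""
    hops, frontier = {start: 0}, [start]
    while frontier:
        nxt = []
        for node in frontier:
            for src, dst, _ in rules:
                if src == node and dst not in hops:
                    hops[dst] = hops[node] + 1
                    nxt.append(dst)
        frontier = nxt
    return hops

def gap_into_zone(rules, zone_hosts=TRUSTED):
    """The two-dimensional gap: (source, port) pairs allowed into the zone."""
    return sorted({(src, p) for src, dst, ports in rules
                   if dst in zone_hosts for p in ports})

if __name__ == "__main__":
    for name, rules in (("direct", DIRECT_PUBLISH), ("front end", FRONT_END_DMZ)):
        print(name, "exposed:", trusted_hosts_exposed_to_internet(rules),
              "hops to DC:", reachability(rules).get("dc-exchange"),
              "gap:", gap_into_zone(rules))
```

With the front end, every (source, port) pair entering the trusted zone has the single DMZ host as its source, and the DC is two hops from the internet instead of one.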
 

Author Comment

by:Seh_it24
ID: 10833473
Sorry, my fault, I'm of course going to be using OWA.. :)
 
LVL 20

Expert Comment

by:What90
ID: 10833558
Oops, meant to delete that in my first post, as a stand-alone member is a big contradiction in terms and can't exist in the MS world.

:-)
Ta for spotting and correcting that, ErikKvK!