Solved

Planning a network layout with Exchange Server 2003

Posted on 2004-04-15
Last Modified: 2010-03-05
Hi all, got an urgent question about my network design.

My network is behind a WatchGuard Firebox II.
I've got 3 W2K3 servers in my domain:

one is used for file serving (trusted)
one is DC and has Exchange 2003 installed (trusted)
one DMZ server (optional interface)

My question is now how I should deal with reality and put the Exchange server online. Should I install a front-end server in the DMZ and open communication from the optional to the trusted network, or should I just open the ports right into the Exchange server on the DC? (That sounds dangerous.)

Any suggestions? What would be the best and most secure solution with my current hardware?

Thanks.
Question by:Seh_it24
13 Comments
 
LVL 7

Expert Comment

by:IceRaven
ID: 10831798
Hi,

Is the exchange server going to be used for OWA?

IceRaven.
 
LVL 8

Accepted Solution

by:
ErikKvK earned 1000 total points
ID: 10831802
Some rules of thumb for Internet security:
1- Never allow Internet traffic towards any of your domain controllers directly. It is bad practice to run ISA on domain controllers and such.
2- If you have a DMZ, why not use it? A DMZ is created to avoid allowing Internet traffic into the intranet.
3- Where possible, do not allow direct connections between untrusted and trusted networks.
4- Do not publish data storage to the Internet; use interface servers for this.

For this scenario:
In my opinion there are two options. Firstly, you can install a front-end server in the DMZ. This will prevent direct access to the domain controller and mail server (rules 1, 3 and 4). Secondly, you will utilize the DMZ (rule 2).
The second option is to use ISA Server to publish the Exchange server. This would be the scenario if you only allow POP and IMAP to the server and you are not willing to host OWA. This will comply with all rules.
 

Author Comment

by:Seh_it24
ID: 10831977
The server will host POP/IMAP and not OWA. If I set up a front-end server in the DMZ, how should it be implemented? Like a member server of the internal domain, or as a new domain?

If I set the server to be a member of the domain, it will reveal my internal network, right?

So how is this going to be solved?
 
LVL 20

Assisted Solution

by:What90
What90 earned 1000 total points
ID: 10832090
I believe ErikKvK would suggest that you set the DMZ server up as a standalone member server. That way no AD traffic would ever pass through the firewall.

Set it up with its own set of passwords and accounts, different from the ones you'd use on your internal LAN, for added security.

 
LVL 7

Expert Comment

by:IceRaven
ID: 10832328
I don't understand why you would use a front-end server for Exchange if you were not using OWA?

You have to open the same internal ports as external ports on the firewall, allowing hackers only one extra step, a few seconds. Plus it costs you the expense of an entire server!

I would have said do something like this:

Public Network
|
DMZ Server
|
DMZ Network
- Exchange Server
|
Firewall
|
Internal Network
- Domain Controller / File Server

What's wrong with this solution?

IceRaven.
 
LVL 20

Expert Comment

by:What90
ID: 10832662
IceRaven,

My concern with your option would be that critical AD traffic would go through the firewall. I'd hate for any internal AD info to be placed on a vulnerable DMZ area/zone. Basically a DMZ is just that - vulnerable and untrusted!

Firewalls aren't that smart, and the number of ports you have to open to get Exchange and AD playing nicely together is scary.

I'd always want to keep my main Exchange server(s) on the LAN, near to the users and as safe as possible.

That's my take anyhow.
 

Author Comment

by:Seh_it24
ID: 10832703
i guess it would look like this then:

Public Network---------------------Internal network----DC
|
Watchguard firewall
|
|
optional interface
|
dmz server with exchange
 
LVL 20

Expert Comment

by:What90
ID: 10832776
My take would be:


Internal network(Private Interface) ----DC + backend Exchange server
|
Watchguard firewall (Public Interface) ----------------Public Network/Internet
|
optional interface (DMZ Interface)
|
dmz server with front end exchange or mail relay server(standalone)

Traffic would go from the public network to the DMZ server, then through to the internal Exchange server, and vice versa for outgoing traffic.
 
LVL 8

Expert Comment

by:ErikKvK
ID: 10833263
Having a front-end server communicate with AD from AD is no problem.

A stand-alone server is never a member server.

When talking about firewalls and ports, you need to keep in mind that the gap opened up is defined by two dimensions, ports and IPs.

With a front-end server, you have one IP that is allowed into the internal network over a limited number of ports. In the other scenario, the whole world is allowed into the local network.

What90 is right in his picture of a DMZ. Every host in a DMZ should be multihomed, one inbound connection and one outbound connection, each having a different IP subnet. Ideally the firewall should have two DMZ interfaces, one inbound and one outbound.
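The "two dimensions, ports and IPs" argument above, and What90's proposed traffic flow (Internet to DMZ front-end, front-end to internal back-end), as an added example that is not part of the thread and not WatchGuard or Microsoft code: a small Python model of the two rule sets, with a default-deny lookup and a function that sizes the gap each design opens into the trusted network. The interface addressing, the probe address and the front-end-to-back-end port list are constructed assumptions for illustration; the authoritative port list for an Exchange 2003 front-end/back-end split is in Microsoft's own documentation.

```python
"""Added example: size the firewall 'gap' (source IPs x ports) that each
design in this thread opens into the trusted network.  Addressing and port
lists are constructed assumptions, not taken from the post or from
WatchGuard/Microsoft documentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    """One permit rule: sources in `src` may reach hosts in `dst` on TCP `port`."""
    name: str
    src: str   # CIDR of permitted sources
    dst: str   # CIDR of permitted destinations
    port: int  # TCP destination port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and port == self.port)


# Hypothetical addressing for the three WatchGuard interfaces (assumption).
INTERNET = "0.0.0.0/0"              # external interface: anyone
TRUSTED_NET = "10.0.0.0/24"         # trusted interface
BACKEND = "10.0.0.5/32"             # DC + Exchange 2003 back-end (one box, as in the question)
DMZ_FRONTEND = "192.168.100.10/32"  # standalone front-end / relay on the optional interface
PUBLIC_PROBE = "203.0.113.7"        # an arbitrary Internet client (TEST-NET-3 address)

CLIENT_PORTS = (25, 110, 143, 443)  # SMTP, POP3, IMAP4, OWA over HTTPS
# Illustrative subset of what a front-end needs towards the back-end and AD;
# the authoritative list is in the Exchange 2003 front-end/back-end guide.
FRONTEND_TO_BACKEND_PORTS = (25, 80, 88, 389, 3268)


def direct_publish() -> List[Rule]:
    """The option the asker called dangerous: Internet straight to the DC/Exchange box."""
    return [Rule(f"inet-to-backend-{p}", INTERNET, BACKEND, p) for p in CLIENT_PORTS]


def frontend_in_dmz() -> List[Rule]:
    """The accepted design: Internet -> DMZ front-end; only the front-end -> back-end."""
    rules = [Rule(f"inet-to-fe-{p}", INTERNET, DMZ_FRONTEND, p) for p in CLIENT_PORTS]
    rules += [Rule(f"fe-to-backend-{p}", DMZ_FRONTEND, BACKEND, p)
              for p in FRONTEND_TO_BACKEND_PORTS]
    return rules


def allowed(rules: Iterable[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: a flow passes only if some permit rule matches it."""
    return any(r.matches(src_ip, dst_ip, port) for r in rules)


def internet_reachable_ports(rules: Iterable[Rule], host: str) -> List[int]:
    """Ports on `host` that an arbitrary public client can reach.
    Non-empty for a domain controller breaks rule of thumb 1 above."""
    return sorted({r.port for r in rules if r.matches(PUBLIC_PROBE, host, r.port)})


def trusted_exposure(rules: Iterable[Rule], trusted_net: str = TRUSTED_NET) -> int:
    """ErikKvK's two dimensions: for every rule that lands inside the trusted
    network, count permitted source addresses x one port, and sum them."""
    trusted = ip_network(trusted_net)
    return sum(ip_network(r.src).num_addresses
               for r in rules if ip_network(r.dst).subnet_of(trusted))


if __name__ == "__main__":
    for label, rules in (("direct publish", direct_publish()),
                         ("front-end in DMZ", frontend_in_dmz())):
        print(f"{label}: Internet reaches DC/back-end on",
              internet_reachable_ports(rules, "10.0.0.5") or "nothing",
              f"; gap into trusted net = {trusted_exposure(rules):,} (src IPs x ports)")
```

Run as a script it prints the two summaries side by side: publishing the back-end directly exposes four ports on the DC to every address on the Internet, while the front-end design leaves the DC unreachable from the Internet and admits exactly one source address into the trusted network, over the handful of ports the front-end needs. The same `Rule` list is also what you would hand to the WatchGuard policy review, since it makes the "one IP, few ports" property something you can check rather than assert.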
 

Author Comment

by:Seh_it24
ID: 10833473
Sorry, my fault, I'm of course going to be using OWA. :)
 
LVL 20

Expert Comment

by:What90
ID: 10833558
Oops, I meant to delete that in my first post, as a stand-alone member is a big contradiction in terms and can't exist in the MS world.

:-)
Ta for spotting and correcting that ErikKvK!
