Recommendations and experience required - Firewalls/*nix/M$ security combined!

Okay, this one's gonna cause some flak as I'm looking for people's opinions and experiences, so might have to spread some points around. I realise that everyone is welcome to their opinions, as long as they agree with mine *8-) This is almost an exact repeat of a question I've posted under networking/email as this question is relevant to both topics. I'll link the two later for anyone looking for similar info.

Therefore please don't get into flaming each other over better Linux distros, M$ vs *nix, etc.

Okay - I'm currently setting up a new environment in my office and I am fishing for ideas on the best security for the system. I have a number of servers and licenses for Exchange 2003 and Windows Server 2003 (enough for two installations and no more) and also a license for ISA Server. I am a Windows support chap by profession so I'm going to use Exchange for the main office email system, Outlook will be the preferred client and Windows 2003 will be used for general file serving, print serving and user authentication.

The methods of securing the environment from the big bad internet are still up for grabs - I currently have an idea to install a copy of the Linux distro IPCop to provide a secure inner system for the FAPS/AD controller and a DMZ to house the webmail services (and therefore the Exchange server as far as I'm aware).

The email is currently being supplied by a variety of POP3 mailboxes so I will need to collect that mail and forward it to the Exchange server as SMTP traffic. My preference is to virus and spam filter that mail traffic before it even hits the mail server. Any ideas on fetchmail/SpamAssassin/etc. for this work??

I would also like to keep my Exchange server as hidden as possible while still retaining a recognisable Exchange-style webmail interface, as we all know how the vulnerabilities of any M$ system get published so frequently (note I'm not stating there are more or less of these, just they tend to get a lot of exposure on the net). I am not averse to an open-source system to host webmail as long as the end users will feel as if they are still getting full access to their Exchange account (contacts, calendaring as well as email).

So, my initial thoughts were:

Web traffic to the IPCop box that would only forward inbound connection requests on port 443 to the Exchange DMZ box for the webmail interface (also for remote Outlook 2003 clients) and refuse any other ports completely. I knew one guy once that had a firewall that captured the IP address of anyone trying to attach to definitely blocked ports and then added them to the blacklist if they tried more than once to connect on them - i.e. automatic deny to any port scanners out there - seems a nice feature.

IPCop would also host the VPN connections for IPSec traffic from remote office staff. Any suggestions of how I can keep this as completely tight as a duck's a*$£ are welcome.

An internal server (may well be a Linux box - Windows licenses do cost money after all) will repeatedly poll the pop3 mailboxes and feed through a decent virus and spam filtering system and then forward via SMTP to the Exchange server.

Outgoing mail will be delivered straight out to the internet from Exchange directly.

I could also double protect the Exchange server with ISA as I have a legal copy, but I have run out of Windows server licenses to host it! How much value would there be in putting ISA on the Exchange server to be double protected?? Overkill???

So - any suggestions for improvement, preferred packages for mail collect/spam/virus filter and forward. Or just recommendations/links to best methods of setups and examples of various products?

I'm open to anything really, just don't want my office to be! I'm also looking for the lower cost options (I know, time is money as well, but it can sometimes be easier to come by!)

I'm also currently mostly a Microsoft person, but I would like to understand a lot more about Unix so even though my proposal may seem excessively complex, I want to use it as a learning experience as well.

Many thanks in advance and apologies for the length of this post...

I think the easiest would be to forward your external emails to your DMZ SMTP server,
i.e. you have a mailbox at provider xyp:
Now create a DNS entry, let it point to your firewall.
Tell xyp to forward all email to -> So you don't have to run a POP collector, but the email is coming via SMTP to your firewall. Now let the firewall do its thing (inspection, whatever...) and forward port 25 to a Linux box (smtpbox) in the DMZ.

exchange, internal net

The smtpbox runs Postfix (my choice ;)) on Linux. Here you have amavisd-new with SpamAssassin as antispam and with f-prot as antivirus, and also a few Postfix built-in anti-UCE features (my choice ;)). If the mail is neither spam nor a virus, send it to the internal net Exchange server (again SMTP). So all the emails are processed in the DMZ, and only sanitized mails get into the internal net.
I also recommend using the smtpbox as the outgoing SMTP server. I have heard that sometimes in MS networks there happens to be a virus. This setup prevents it from spreading to the external network, a feature that every network should have.
OK, when using this setup please make sure that the Postfix server on the smtpbox has the current user list of the Exchange server and only accepts mail for known users. This is to prevent a security problem, which can be used to flood unsuspecting victims (see
You can do this by using
Every occurrence of (my choice ;)) can be replaced by (your choice ;)).
More useful urls:
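A Postfix configuration for the smtpbox described in this answer, written here as an added illustration (not GeG's own configuration): a relay-only host in the DMZ that accepts mail only for recipients that exist on Exchange, passes everything through amavisd-new, and hands clean mail on to Exchange over SMTP. The hostnames, the example.com domain, the 10.0.2.10 Exchange address and the user list are assumptions.

```ini
# --- /etc/postfix/main.cf on the DMZ "smtpbox" (illustration; hostnames,
# --- domain and addresses are assumed) ---
myhostname = smtpbox.dmz.example.com
inet_interfaces = all
# The relay hosts no mailboxes of its own
mydestination =
# Clients allowed to relay outbound mail: loopback and the Exchange server
# (assumed address), so outgoing mail is also scanned here before it leaves
mynetworks = 127.0.0.0/8, 10.0.2.10/32
# Accept inbound mail only for the domain hosted on Exchange ...
relay_domains = example.com
# ... and only for recipients that exist there. With this map populated,
# Postfix rejects unknown recipients at RCPT TO instead of accepting and
# later bouncing them, which is what stops the bounce flooding of third
# parties. Regenerate the map whenever Exchange users are added or removed.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Deliver the sanitized mail to the Exchange server over SMTP
transport_maps = hash:/etc/postfix/transport
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain
# Every message (inbound and outbound) is handed to amavisd-new, which runs
# SpamAssassin and the virus scanner and re-injects clean mail on
# 127.0.0.1:10025. The matching "smtp-amavis" and "127.0.0.1:10025" services
# in master.cf are the standard ones from the amavisd-new docs (not shown).
content_filter = smtp-amavis:[127.0.0.1]:10024

# --- /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing)
example.com    smtp:[exchange.dmz2.example.com]

# --- /etc/postfix/relay_recipients, exported from the Exchange user list
# --- (run "postmap /etc/postfix/relay_recipients" after editing)
alice@example.com         OK
bob@example.com           OK
postmaster@example.com    OK
```

Because Exchange relays its outbound mail through the smtpbox (permit_mynetworks), a virus outbreak inside the office is scanned by the same content_filter before it can reach the internet.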
You may consider using FortiNet FortiGate products...feature-rich...and cost-effective to manage. ;-)
Fortinet’s award-winning FortiGate™ series of ASIC-accelerated Antivirus Firewalls are the new generation of real-time network protection systems. They detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time — without degrading network performance. In addition to providing application level protection, the FortiGate systems deliver a full range of network-level services — firewall, VPN, intrusion detection and traffic shaping — delivering a complete network protection services in dedicated, easily managed platforms.

Oops!... sorry, wrong website in previous comment.

Tim HolmanCommented:
Use ISA server to publish Outlook Web Access.  There's a built-in wizard for doing this.
arcascompAuthor Commented:

I'd heard this about ISA - I was a bit concerned about running both on the same box, normally I'd advocate firewalls being firewalls and mail servers being mail servers. As I'm thinking of sticking IPCop or likewise (Shahrial - will look into the Fortinet range, thanks - not your company is it ;-) in front, my concerns about exposing the mail server/weakening the firewall features by combining are reduced. Will they actually coexist on the same box anyway?

Anyone got any views on popmail retrieval like fetchmail spam/virus killers?

No, it's not mine, not selling it either. I just found it to be a great product. Deployed a few of these, cheaper than any other AV gateway products, with good features and performance. Did I mention that it's a firewall product...;-) I used it to protect my HTTP mail server too...
arcascompAuthor Commented:

I presume these AV gateway/firewalls will still need a POP3 collector software running inside the system to create the mail traffic to scan. Any suggestions on good systems to collect the POP3 mail and forward onto Exchange?

Also, what's the normal going rate for one of these boxes?


Tim HolmanCommented:
Why not host your own mail server, instead of POP3 ?  
Alternatively, there is a POP3 'collector' in Exchange I think ?
arcascompAuthor Commented:

I could, and probably will at some stage host my own email, but at the moment the office is shared and therefore there is email coming in for various email accounts across several domains. I want to leave it as POP3 just now so there's a good backup if I screw up :-)

Exchange unfortunately doesn't have a POP3 collection facility. It's only available with the modified Small Business Server versions. I have the full version so no joy there. I also like the idea of keeping the virus/spam filtering away from the actual Exchange server.

Does the ISA Server wizard assume Exchange webmail is on a separate box or on the same machine as the ISA software?
Tim HolmanCommented:
The ISA server wizard will do either.

Something like this would be a good start:

Firewall---------- Webmail server/IIS, VPN server, SMTP gateway
Exchange 2003
ISA Server

There are some POP3 connectors here:

Plus the connector for SBS 4.5 that we've discussed above (for reference...)

Maybe SBS 4.5 would be a better way to go ?  Comes with ISA and the POP3 software ?

arcascompAuthor Commented:
Hmmm, already got licenses for Exchange and ISA, not going to buy more licenses!

Exchange 2003 needs to be on the webmail server if I use the MS OWA stuff. Therefore the Exchange server would have to end up in the DMZ. Other option would be to use a.n.other webmail facility, but I want it to look and feel like an outlook client, including the functionality of a full outlook client, not just email access.

IPCop should do the VPN serving for me as I want to VPN to the green network, not the orange one. I'm guessing I'll need a setup like:

Firewall (VPN) -------Exchange/IIS/Webmail/ISA
AD, Pop Collector, mail virus/spam filter, FAPS.

I realise that putting extra services on a firewall can open vulnerabilities, but I'm wondering if it would be better to kill spam and viruses at the firewall rather than letting that rubbish into the Green (or maybe Orange) network.

Any ideas on what ports I'll need open between the AD and the Exchange servers? I know it's possible for outlook 2003 to connect via port 443 so I could open that for the clients but it might be better for MAPI traffic to be allowed. Not sure which is more secure.
> I presume these AV gateway/firewalls, will still need a pop3 collector software running inside the system to create the mail
> traffic to scan. Any suggestions on good systems to collect the pop3 mail and forward onto Exchange?

Not put the Fortigate just behind your firewall. Working in 'transparent mode', you do not need to modify your routes.
It will inspect all incoming and outgoing packets depending on your configurations and rule sets.
Currently I do not use a POP3 collector nor Exchange. Using Lotus iNotes webmail. All web connections are handled via an ISA server on the DMZ which will forward the traffic to an internal Lotus Domino Mail server.
> Also, what's the normal going rate for one of these boxes?
1.) Annual subscription for the box which includes (AV definitions, IDS, firmware...etc.).

arcascompAuthor Commented:
Thanks to all for your comments. I'm gonna try GeG's approach so I've accepted his answer, but Tim's points are also very helpful so I've given him as many points.

Shahrial's comments are also correct, just not going in the general direction I'm heading (so far anyway). I feel that there was a bit more info from the other two posters so gave them the lion's share.

Sorry for taking so long to close this - can't believe so much time has gone by already!
Hi arcascomp,

I just received a mail that I got points :D. And because of that I reread the posts again. There is a mistake in my post:
[quote from you]Exchange 2003 needs to be on the webmail server if I use the MS OWA stuff. Therefore the Exchange server would have to end up in the DMZ. Other option would be to use a.n.other webmail facility, but I want it to look and feel like an outlook client, including the functionality of a full outlook client, not just email access.[endquote]

I missed that you need to have access to the exchange server from outside. So please don't put it into the internal network. Make a second DMZ.

|            |         |
|            |      DMZ1 (smtpbox)
|     DMZ2 (exchange)

with those rules:
25 on firewall goes to 25 DMZ1
25 from DMZ1 goes to 25 DMZ2
80 on firewall to 80 DMZ2
And the rest like planned before.
arcascompAuthor Commented:
Thanks dude!