Exchange 2003 OWA and Pix

Posted on 2004-09-01
Last Modified: 2013-11-16
Can someone please advise on the right solution and configuration? Here is a little background on the network.
Internet
    |
    |
Router
    |
    |
 Pix------DMZ (I want to put the web server and FTP server here and use port redirection)
   |
   |
Private Lan(inside) with Active Directory DC, and DNS.

 Two public IPs, one for F/0 and one for the outside of the PIX. I need to have the Exchange 2003 server work with SMTP and OWA. The question is whether I should put the server in the DMZ or on the inside and then use port redirection. I am also wondering if I should get an ISA server involved in the DMZ; maybe that will make things easier? Thanks
Question by:mcfr6070
10 Comments
 
LVL 7

Expert Comment

by:tonyteri
ID: 11954088
OK, you may not need the ISA server, as you have a PIX. The ISA server provides firewall functions as well.

You could put the Exchange Server (make sure it is a member server and not a DC) on the DMZ. This will leave the ports open that you need. And set up the access lists on the PIX to redirect from the Exch box to the inside.

Or,

Keep the Exchange Server behind the firewall, opening up the ports you need (80, 110). I'll monitor this post if I can be of any further help.

Tony
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 11954666
Putting the Exchange server in the DMZ will cause multiple headaches in trying to get all the right ports through the firewall for Active Directory and authentication to work properly. Then you have a swiss-cheese firewall between the DMZ and the inside.

Much easier to simply keep the Exchange server on the inside.
On the PIX, you must disable fixup protocol smtp 25 regardless of where you put the server.

Best practice would be to have an SMTP mail relay host in the DMZ that accepts outside mail and forwards it all to the Exchange server, and it acts as Exchange's outbound host. Add AV and malware screening on this device and you've increased your security several fold.
A separate OWA front-end server is also recommended, but optional.
Enable SSL on OWA so that all access is via https://

Keep the ISA server on the inside as a one-NIC Proxy server to cache web pages to improve users' web browsing experience.

 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 1000 total points
ID: 11957543
================
SOLUTION DESIGN
================

1) No need for an ISA server

2) Place the Exchange server in the DMZ and allow the inside network full access to this server. However, allow only TCP PORT 25 access from the outside to this Exchange server.



========================
SOLUTION CONFIGURATION
========================

1) Assume the following IP addresses:

Exchange server has a private inside IP of 10.1.1.23
IP on PIX's outside interface is 64.1.1.1
IP on PIX's DMZ interface is 10.1.1.1
IP network on inside is 172.16.3.0

2) Configure these statics

static (dmz,outside) tcp interface 25 10.1.1.23 25 netmask 255.255.255.255 0 0
---> The Exchange server (10.1.1.23) sits on the DMZ, so the real interface in the static is dmz, not inside.
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0
---> The netmask is required here; without it the PIX defaults to 255.255.255.255 and treats 172.16.3.0 as a single host.

3) Configure these access lists
access-list 80 permit tcp any interface outside eq 25
access-list 81 permit ip 172.16.3.0 255.255.255.0 host 10.1.1.23


Author Comment

by:mcfr6070
ID: 11957724
As far as the mail relay host, what kind of software is that? Or is that just exchange 2003 setup to forward mail to the inside exchange 03?
I think to save some headaches I'm going to put it on the inside; however, if I put the Exchange 2003 server on the inside, could I also use it as an OWA server or would it not be secure? Thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 11958015
For the mail relay, I'm thinking something like the new Ironport appliance:
http://www.ironport.com/
Or St. Bernard:
http://www.spam-filters.stbernard.com/secured-foundation.html

Or a linux box with something like Open Relay:
http://www.ordb.org/faq/
Or Sendmail:
http://www.sendmail.org/tips/relaying.html
Or ClarkConnect:
http://www.clarkconnect.com/webapp/moduleinfo.jsp?id=46

As long as you enable SSL and use HTTPS to access OWA, and port-forward only port 443, then you should be fine with OWA on the same server.
 
LVL 11

Expert Comment

by:billwharton
ID: 11958035
1) Yes, a mail relay does the job of accepting and sending mail on your Exchange server's behalf. Experts consider this a security enhancement since Internet users would only have access to your mail relay host, which does not really store any mail, just relays it one way or the other.

2) Sure, you could put the Exchange server on the inside. Why it's suggested to put it in the DMZ is because your DMZ and inside interfaces sit on different security levels, and if a server in the DMZ is compromised, the attacker is still not able to penetrate into the inside server through the compromised server.

However, if you want to take the easy way out, you can harden the OS on the exchange server and only allow tcp port 25 in and out.
 

Author Comment

by:mcfr6070
ID: 11958271
billwharton, will I have any problems with the authentication of the mail server to the DC on the inside? Right now it uses the DC to authenticate and is part of Active Directory. Also, the ACLs are applied to which interface?
 
LVL 79

Expert Comment

by:lrmoore
ID: 11958416
Have you seen the port requirements for Active directory servers?
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

Note the numerous "Randomly allocated high TCP ports" for different protocols.

Ports 135 and 445 absolutely must be left open, and these two are the most common used to compromise another system.

The ACLs would have to be applied:
to the outside interface (permitting only ports 25 and 443 inbound from 'any');
to the DMZ interface, permitting IP from the DMZ subnet to the internal subnet, and outbound ports 25, 53, 443 and 80 to "any", which includes internal systems.

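Added example, not part of the thread: the PIX 6.3 configuration for lrmoore's accepted design above (Exchange on the inside, an SMTP relay in the DMZ, only 25 and 443 opened, OWA over HTTPS) with the access lists placed on the interfaces he describes in the preceding comment. The outside address (64.1.1.1), the DMZ interface (10.1.1.1 on 10.1.1.0/24) and the inside network (172.16.3.0/24) are taken from billwharton's post; the Exchange server at 172.16.3.10 and the relay at 10.1.1.25 are assumed. Lines beginning with a colon are comments, which the PIX ignores.

```text
: Assumed hosts: Exchange 172.16.3.10 (inside), SMTP relay 10.1.1.25 (DMZ).
: Reused from the thread: outside 64.1.1.1, DMZ 10.1.1.0/24, inside 172.16.3.0/24.

: Exchange talks ESMTP (EHLO). The MailGuard fixup only passes the seven
: RFC 821 commands and rejects the rest, so it has to go regardless of placement.
no fixup protocol smtp 25

: Outbound PAT for both inner networks on the single outside address.
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
nat (dmz) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface

: Inside hosts keep their real addresses toward the DMZ (no translation),
: so the relay is configured to deliver straight to 172.16.3.10.
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0

: Port redirection on the outside address: 25 goes to the relay, 443 to OWA.
: Nothing maps port 80, so plain-HTTP OWA is simply unreachable from outside.
static (dmz,outside) tcp interface 25 10.1.1.25 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 172.16.3.10 443 netmask 255.255.255.255 0 0

: Inbound from the Internet: SMTP to the relay, HTTPS to OWA, nothing else.
access-list outside_in permit tcp any interface outside eq 25
access-list outside_in permit tcp any interface outside eq 443
access-group outside_in in interface outside

: Sessions the DMZ may start. The relay may deliver to Exchange on 25, and
: send mail and resolve names outward. The deny toward the inside sits before
: the "any" rules, so "any" cannot be used to reach 172.16.3.0/24.
access-list dmz_in permit tcp host 10.1.1.25 host 172.16.3.10 eq 25
access-list dmz_in deny ip any 172.16.3.0 255.255.255.0
access-list dmz_in permit tcp host 10.1.1.25 any eq 25
access-list dmz_in permit udp host 10.1.1.25 any eq 53
access-group dmz_in in interface dmz
```

Exchange's own outbound mail goes to the relay on port 25 from the inside; that direction is higher-security to lower-security across the identity static, so the PIX permits it without a further rule. The order of the dmz_in entries is the point of the example: the explicit deny toward the LAN comes before the "any" permits, which is what keeps "any" from including internal systems, as lrmoore warns. After a few hours, `show access-list dmz_in` shows per-entry hit counts; anything the relay tries toward the LAN other than SMTP to Exchange lands on the deny line, which is worth watching because a compromised relay is exactly the host that would try.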
 
LVL 11

Expert Comment

by:billwharton
ID: 11959189
======================
ACCESS LISTS PLACEMENT
======================
These were the access lists from my previous post:

access-list 80 permit tcp any interface outside eq 25
---> This is applied to the outside interface.

access-list 81 permit ip 172.16.3.0 255.255.255.0 host 10.1.1.23
---> This is applied to the DMZ interface.




==========================================
COMMUNICATION BETWEEN DC & EXCHANGE SERVER
==========================================
There is a very simple solution I always use when two AD servers reside on different interfaces of the PIX firewall. Refer to this document, which explains how to set up IPSEC between two or more Windows 2000 servers:
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

It's a long document but it takes under 1/2 hour to actually implement IPSEC. Once you have accomplished that, you would only need to open up 2-3 ports between your PIX interfaces and all communications between your servers would take place over these IPSEC ports.

I also find it a very good practice using IPSEC between Windows servers as all that critical AD information shouldn't be in the open. Let me know if you actually want to implement this and I would send you the configuration lines you would need on the PIX.

Best of luck :)
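Added example, and not the configuration billwharton offers to send: the PIX side of the IPsec approach he describes, with the Exchange server at 10.1.1.23 in the DMZ (from his post) and an assumed DC/DNS at 172.16.3.5 on the inside. It assumes the Windows IPsec policy on both servers covers all traffic between the two hosts in transport mode, as in the Microsoft document he links, and that IKE is authenticated with a preshared key or certificates. With Kerberos authentication (the Windows default) the Kerberos exchange itself is exempt from IPsec on Windows 2000 and would additionally have to be passed in the clear on TCP and UDP 88. Lines beginning with a colon are comments.

```text
: From the thread: Exchange 10.1.1.23 (DMZ), inside 172.16.3.0/24.
: Assumed: DC and DNS 172.16.3.5; IKE uses a preshared key or certificates.

: No translation between inside and DMZ. Transport-mode ESP does not survive
: address rewriting (the inner TCP checksum no longer matches) and AH never does.
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0

: The Internet still only reaches the Exchange server on SMTP.
static (dmz,outside) tcp interface 25 10.1.1.23 25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any interface outside eq 25
access-group outside_in in interface outside

: Toward the DC only IKE (UDP 500) and the IPsec protocols are needed; every
: AD port from KB 832017, including the random high RPC ports, rides inside ESP.
: The AH line is only needed if the Windows policy uses AH as well as ESP.
access-list dmz_in permit udp host 10.1.1.23 host 172.16.3.5 eq 500
access-list dmz_in permit esp host 10.1.1.23 host 172.16.3.5
access-list dmz_in permit ah host 10.1.1.23 host 172.16.3.5
: Everything else from the DMZ toward the LAN is refused before the "any" rules.
access-list dmz_in deny ip any 172.16.3.0 255.255.255.0
access-list dmz_in permit tcp host 10.1.1.23 any eq 25
access-list dmz_in permit udp host 10.1.1.23 any eq 53
access-group dmz_in in interface dmz
```

Connections the DC initiates toward the Exchange server cross from the inside to the DMZ, which the PIX allows by default across the identity static, so no inside-interface rule is required for the return direction of the policy. The check that the tunnel is actually carrying the directory traffic is on the PIX itself: with the policy active, `show access-list dmz_in` should show hits only on the 500, ESP (and AH) entries toward 172.16.3.5, and `show conn` should list no cleartext 135, 389, 445 or high-port sessions between the two hosts. If Exchange stops seeing the DC after the policy is assigned, the usual cause is one side still expecting cleartext for DNS or Kerberos, not the PIX rules above.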
 

Author Comment

by:mcfr6070
ID: 11980236
Sorry for the delay. I decided to go with lrmoore's solution because I do not have much time to implement this and it seems less painful; however, I would like to try to set up bill's setup once I get a lab going. Unfortunately, I have never worked with IPsec, so it might take some time to figure it out. billwharton, I wouldn't mind having the config for when I get the lab set up. My question was answered; however, I truly need help with lrmoore's config. I opened another question with some more points towards the config. Below is the link to the new question. Thank you both for your help.

http://www.experts-exchange.com/Security/Firewalls/Q_21119127.html
