Solved

Exchange 2003 OWA and Pix

Posted on 2004-09-01
10
485 Views
Last Modified: 2013-11-16
Can someone please advise on the right solution and configuration? Here is a little background on the network.
Internet
    |
    |
Router
    |
    |
 PIX------DMZ (I want to put the web server and FTP server here and use port redirection)
   |
   |
Private Lan(inside) with Active Directory DC, and DNS.

 Two public IPs, one for F/0 and one for the PIX outside interface. I need to have the Exchange 2003 server work with SMTP and OWA. The question is where I should put the server: in the DMZ or on the inside, and then use port redirection. I am also wondering if I should get an ISA server involved in the DMZ; maybe that will make things easier? Thanks
Question by:mcfr6070
10 Comments
 
LVL 7

Expert Comment

by:tonyteri
ID: 11954088
OK, you may not need the ISA server, as you have a PIX. The ISA server provides firewall functions as well.

You could put the Exchange Server (Assure it is a member server and not a DC), on the DMZ.  This will leave the ports open that you need.  And set up the Access lists on the PIX to redirect from the Exch box to the inside.

Or,

Keep the Exchange Server behind the firewall, opening up the ports you need 80, 110.  I'll monitor this post if I can be of any further help.

Tony
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11954666
Putting the Exchange server in the DMZ will cause multiple headaches in trying to get all the right ports through the firewall for the Active Directory and authentication to work properly. Then you have a swiss-cheese firewall between the DMZ and the inside.

Much easier to simply keep the Exchange server on the inside.
On the PIX, you must disable fixup protocol smtp 25 regardless of where you put the server.

Best practice would be to have an SMTP mail relay host in the DMZ that accepts outside mail and forwards it all to the Exchange server, and it acts as Exchange's outbound host. Add AV and malware screening on this device and you've increased your security several fold.
A separate OWA front-end server is also recommended, but optional.
Enable SSL on OWA so that all access is via https://

Keep the ISA server on the inside as a one-NIC Proxy server to cache web pages to improve users' web browsing experience.

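The inside-placement design lrmoore recommends above (Exchange on the inside, an SMTP relay in the DMZ, only HTTPS forwarded to OWA, SMTP fixup disabled), written out as a PIX 6.3 configuration. This is an added example, not lrmoore's or anyone else's configuration from this thread. The outside (64.1.1.1), DMZ (10.1.1.1) and inside (172.16.3.0/24) addresses are reused from billwharton's post; the relay address 10.1.1.25, the Exchange address 172.16.3.23, the PIX inside address 172.16.3.1 and the upstream router 64.1.1.254 are assumed. Lines starting with `!` are comments and are ignored when pasted into config mode.

```cisco
! Added example (PIX 6.3 syntax assumed); addresses marked "assumed" are not from the thread
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 64.1.1.1 255.255.255.0
ip address inside 172.16.3.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 64.1.1.254 1
! Disable the SMTP fixup (Mailguard) so ESMTP is not mangled, as lrmoore notes
no fixup protocol smtp 25
! Outbound PAT for inside and DMZ hosts on the single outside address
nat (inside) 1 172.16.3.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! Inside subnet is reachable from the DMZ without translation (also needed for inside -> dmz flows)
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
! Port redirection on the outside address: SMTP to the relay (assumed 10.1.1.25),
! HTTPS to the Exchange/OWA server on the inside (assumed 172.16.3.23); port 80 is not forwarded
static (dmz,outside) tcp interface 25 10.1.1.25 25
static (inside,outside) tcp interface 443 172.16.3.23 443
! Outside interface: only SMTP and HTTPS inbound from any
access-list outside_in permit tcp any interface outside eq 25
access-list outside_in permit tcp any interface outside eq 443
access-group outside_in in interface outside
! DMZ interface: the relay may speak SMTP to Exchange, nothing else may enter the inside,
! and the relay may send mail and resolve names on the Internet. The deny line matters because
! "any" in the later permits would otherwise include the inside subnet.
access-list dmz_in permit tcp host 10.1.1.25 host 172.16.3.23 eq 25
access-list dmz_in deny ip any 172.16.3.0 255.255.255.0
access-list dmz_in permit tcp host 10.1.1.25 any eq 25
access-list dmz_in permit udp host 10.1.1.25 any eq 53
access-group dmz_in in interface dmz
```

Exchange itself initiates outbound mail to the relay (inside to DMZ, higher to lower security), which the PIX permits by default, so no inside ACL is needed for that; the DMZ ACL is what keeps a compromised relay from reaching anything on the inside other than port 25 on the Exchange server.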
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 250 total points
ID: 11957543
================
SOLUTION DESIGN
================

1) No need for an ISA server

2) Place the Exchange server in the DMZ and allow the inside network full access to this server. However, allow only TCP PORT 25 access from the outside to this Exchange server.



========================
SOLUTION CONFIGURATION
========================

1) Assume the following IP addresses:

Exchange server has a private inside IP of 10.1.1.23
IP on PIX's outside interface is 64.1.1.1
IP on PIX's DMZ interface is 10.1.1.1
IP network on inside is 172.16.3.0

2) Configure these statics

! The Exchange server lives on the DMZ interface, so the port redirection is (dmz,outside)
static (dmz,outside) tcp interface 25 10.1.1.23 25
! Identity static so the inside subnet reaches the DMZ without translation
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

3) Configure these access lists
access-list 80 permit tcp any interface outside eq 25
access-list 81 permit ip 172.16.3.0 255.255.255.0 host 10.1.1.23



Author Comment

by:mcfr6070
ID: 11957724
As far as the mail relay host, what kind of software is that? Or is that just exchange 2003 setup to forward mail to the inside exchange 03?
I think to save some headaches I’m going to put it in the inside, however if I put the exchange 2003 server in the inside could I also use it as an OWA or would it not be secure? thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 11958015
For the mail relay, I'm thinking something like the new Ironport appliance:
http://www.ironport.com/
Or St. Bernard:
http://www.spam-filters.stbernard.com/secured-foundation.html

Or a linux box with something like Open Relay:
http://www.ordb.org/faq/
Or Sendmail:
http://www.sendmail.org/tips/relaying.html
Or ClarkConnect:
http://www.clarkconnect.com/webapp/moduleinfo.jsp?id=46

As long as you enable SSL and use HTTPS to access OWA, and port-forward only port 443, then you should be fine with OWA on the same server.
 
LVL 11

Expert Comment

by:billwharton
ID: 11958035
1) Yes, a mail relay does the job of accepting and sending mail on your exchange server's behalf. Experts consider this as a security enhancement since Internet users would only have access to your mail relay host which does not really store any mail, just relays it one way or the other.

2) Sure, you could put the Exchange server on the inside. Why it's suggested to put it in the DMZ is because your DMZ and inside interfaces sit on different security levels and if a server in the DMZ is compromised, the attacker is still not able to penetrate into the inside server through the compromised server.

However, if you want to take the easy way out, you can harden the OS on the exchange server and only allow tcp port 25 in and out.
 

Author Comment

by:mcfr6070
ID: 11958271
Billwharton, will I have any problems with the authentication of the mail server to the DC on the inside? Right now it uses the DC to authenticate and is part of the Active Directory. Also, the ACLs are applied to which interface?
 
LVL 79

Expert Comment

by:lrmoore
ID: 11958416
Have you seen the port requirements for Active directory servers?
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

Note the numerous "Randomly allocated high TCP ports" for different protocols.

Ports 135 and 445 absolutely must be left open, and these two are the most common used to compromise another system.

The ACLs would have to be applied:
- to the outside interface (permitting only ports 25 and 443 inbound from 'any')
- to the DMZ interface, permitting IP from the DMZ subnet to the internal subnet, and outbound ports 25, 53, 443 and 80 to "any", which includes internal systems.

 
LVL 11

Expert Comment

by:billwharton
ID: 11959189
======================
ACCESS LISTS PLACEMENT
======================
These were the access lists from my previous post:

access-list 80 permit tcp any interface outside eq 25
---> This is applied to the outside interface.

access-list 81 permit ip 172.16.3.0 255.255.255.0 host 10.1.1.23
---> This is applied to the DMZ interface.




==========================================
COMMUNICATION BETWEEN DC & EXCHANGE SERVER
==========================================
There is a very simple solution I always use when two AD servers reside on different interfaces of the PIX firewall. Refer to this document, which explains how to set up IPSEC between two or more Windows 2000 servers:
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

It's a long document but it takes under 1/2 hour to actually implement IPSEC. Once you have accomplished that, you would only need to open up 2-3 ports between your PIX interfaces and all communications between your servers would take place over these IPSEC ports.

I also find it a very good practice using IPSEC between Windows servers as all that critical AD information shouldn't be in the open. Let me know if you actually want to implement this and I would send you the configuration lines you would need on the PIX.

Best of luck :)
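billwharton's DMZ-placement design with the AD traffic between the DMZ Exchange server and the inside DC narrowed down to the IPsec ports he mentions, written as PIX 6.3 access lists bound to the interfaces named in his post. This is an added example, not the configuration billwharton offered to send; it assumes the interface, NAT and global statements are already in place. The outside, DMZ and inside addresses and the Exchange address 10.1.1.23 come from the thread; the DC address 172.16.3.10 is assumed. Lines starting with `!` are comments.

```cisco
! Added example (PIX 6.3 syntax assumed); the DC address 172.16.3.10 is assumed
! Inside subnet reachable from the DMZ without translation
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
! Only SMTP from the Internet to the DMZ Exchange server, on the outside address
static (dmz,outside) tcp interface 25 10.1.1.23 25
access-list 80 permit tcp any interface outside eq 25
access-group 80 in interface outside
! From the DMZ, Exchange reaches the DC only through IPsec: IKE negotiation (UDP 500),
! then ESP (and AH if the Windows policy uses it), instead of the 135/445/RPC range
access-list 81 permit udp host 10.1.1.23 host 172.16.3.10 eq isakmp
access-list 81 permit esp host 10.1.1.23 host 172.16.3.10
access-list 81 permit ah host 10.1.1.23 host 172.16.3.10
! Windows 2000 exempts Kerberos from its IPsec filters by default, so pass it explicitly
access-list 81 permit tcp host 10.1.1.23 host 172.16.3.10 eq 88
access-list 81 permit udp host 10.1.1.23 host 172.16.3.10 eq 88
! Nothing else from the DMZ into the inside; outbound mail and DNS to the Internet only
access-list 81 deny ip any 172.16.3.0 255.255.255.0
access-list 81 permit tcp host 10.1.1.23 any eq 25
access-list 81 permit udp host 10.1.1.23 any eq 53
access-group 81 in interface dmz
```

Traffic from the DC back towards the DMZ (inside to DMZ, higher to lower security) is permitted by the PIX default policy, so the DC side needs no access list; the DMZ-side list is what confines a compromised Exchange server to IKE, ESP/AH and Kerberos towards the DC.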
 

Author Comment

by:mcfr6070
ID: 11980236
Sorry for the delay. I decided to go with lrmoore's solution because I do not have much time to implement this and it seems less painful; however, I would like to try to set up Bill's setup once I get a lab going. Unfortunately, I have never worked with IPsec, so it might take some time to figure it out. Billwharton, I wouldn't mind having the config for when I get the lab set up. My question was answered; however, I truly need help with lrmoore's config. I opened another question with some more points towards the config. Below is the link to the new question. Thank you both for your help.

http://www.experts-exchange.com/Security/Firewalls/Q_21119127.html
