Solved

Exchange 2003 OWA and Pix

Posted on 2004-09-01
10
448 Views
Last Modified: 2013-11-16
Can someone please advise on the right solution and configuration? Here is a little background on the network.
Internet
    |
    |
Router
    |
    |
 Pix------DMZ (I want to put the web server and FTP server here and use port redirection)
   |
   |
Private Lan(inside) with Active Directory DC, and DNS.

 Two public IPs: one for F/0 and one for the outside interface of the PIX. I need to have the Exchange 2003 server work with SMTP and OWA. The question is where I should put the server, in the DMZ or on the inside, and then use port redirection. I am also wondering if I should get an ISA server involved in the DMZ; maybe that will make things easier? Thanks
Question by:mcfr6070
10 Comments
 
LVL 7

Expert Comment

by:tonyteri
ID: 11954088
OK, you may not need the ISA server, as you have a PIX. The ISA server provides firewall functions as well.

You could put the Exchange Server (ensure it is a member server and not a DC) on the DMZ. This will leave the ports open that you need. Then set up the access lists on the PIX to redirect from the Exchange box to the inside.

Or,

Keep the Exchange Server behind the firewall, opening up the ports you need: 80, 110. I'll monitor this post if I can be of any further help.

Tony
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11954666
Putting the Exchange server in the DMZ will cause multiple headaches in trying to get all the right ports through the firewall for Active Directory and authentication to work properly. Then you have a swiss-cheese firewall between the DMZ and the inside.

Much easier to simply keep the Exchange server on the inside.
On the PIX, you must disable fixup protocol smtp 25 regardless of where you put the server.

Best practice would be to have a SMTP mail relay host in the DMZ that accepts outside mail and forwards it all to the Exchange server, and it acts as Exchange's outbound host. Add AV and malware screening on this device and you've increased your security several fold.
A separate OWA front-end server is also recommended, but optional.
Enable SSL on OWA so that all access is via https://

Keep the ISA server on the inside as a one-NIC Proxy server to cache web pages to improve users' web browsing experience.

 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 250 total points
ID: 11957543
================
SOLUTION DESIGN
================

1) No need for an ISA server

2) Place the Exchange server in the DMZ and allow the inside network full access to this server. However, allow only TCP PORT 25 access from the outside to this Exchange server.



========================
SOLUTION CONFIGURATION
========================

1) Assume the following IP addresses:

Exchange server has a private inside IP of 10.1.1.23
IP on PIX's outside interface is 64.1.1.1
IP on PIX's DMZ interface is 10.1.1.1
IP network on inside is 172.16.3.0

2) Configure these statics

static (dmz,outside) tcp interface 25 10.1.1.23 25 netmask 255.255.255.255
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

3) Configure these access lists
access-list 80 permit tcp any interface outside eq 25
access-list 81 permit ip 172.16.3.0 255.255.255.0 host 10.1.1.23


 

Author Comment

by:mcfr6070
ID: 11957724
As far as the mail relay host, what kind of software is that? Or is that just Exchange 2003 set up to forward mail to the inside Exchange 03?
I think to save some headaches I'm going to put it on the inside; however, if I put the Exchange 2003 server on the inside, could I also use it as an OWA server, or would it not be secure? Thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 11958015
For the mail relay, I'm thinking something like the new Ironport appliance:
http://www.ironport.com/
Or St. Bernard:
http://www.spam-filters.stbernard.com/secured-foundation.html

Or a linux box with something like Open Relay:
http://www.ordb.org/faq/
Or Sendmail:
http://www.sendmail.org/tips/relaying.html
Or ClarkConnect:
http://www.clarkconnect.com/webapp/moduleinfo.jsp?id=46

As long as you enable SSL and use HTTPS to access OWA, and port-forward only port 443, then you should be fine with OWA on the same server.

 
LVL 11

Expert Comment

by:billwharton
ID: 11958035
1) Yes, a mail relay does the job of accepting and sending mail on your Exchange server's behalf. Experts consider this a security enhancement, since Internet users would only have access to your mail relay host, which does not really store any mail, just relays it one way or the other.

2) Sure, you could put the Exchange server on the inside. The reason it's suggested to put it in the DMZ is that your DMZ and inside interfaces sit on different security levels, and if a server in the DMZ is compromised, the attacker is still not able to penetrate into the inside server through the compromised server.

However, if you want to take the easy way out, you can harden the OS on the exchange server and only allow tcp port 25 in and out.
 

Author Comment

by:mcfr6070
ID: 11958271
Billwharton, will I have any problems with the authentication of the mail server to the DC on the inside? Right now it uses the DC to authenticate and is part of the Active Directory. Also, the ACLs are applied to which interface?
 
LVL 79

Expert Comment

by:lrmoore
ID: 11958416
Have you seen the port requirements for Active Directory servers?
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

Note the numerous "Randomly allocated high TCP ports" for different protocols.

Ports 135 and 445 absolutely must be left open, and these two are the most common used to compromise another system.

The ACLs would have to be applied:
to the outside interface (permitting only ports 25 and 443 inbound from 'any')
to the DMZ interface, permitting IP from the DMZ subnet to the internal subnet, and outbound ports 25, 53, 443 and 80 to "any", which includes internal systems.

 
LVL 11

Expert Comment

by:billwharton
ID: 11959189
======================
ACCESS LISTS PLACEMENT
======================
These were the access lists from my previous post:

access-list 80 permit tcp any interface outside eq 25
---> This is applied to the outside interface.

access-list 81 permit ip 172.16.3.0 255.255.255.0 host 10.1.1.23
---> This is applied to the DMZ interface.




==========================================
COMMUNICATION BETWEEN DC & EXCHANGE SERVER
==========================================
There is a very simple solution I always use when two AD servers reside on different interfaces of the PIX firewall. Refer to this document, which explains how to set up IPSEC between two or more Windows 2000 servers:
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

It's a long document but it takes under 1/2 hour to actually implement IPSEC. Once you have accomplished that, you would only need to open up 2-3 ports between your PIX interfaces and all communications between your servers would take place over these IPSEC ports.

I also find it a very good practice using IPSEC between Windows servers as all that critical AD information shouldn't be in the open. Let me know if you actually want to implement this and I would send you the configuration lines you would need on the PIX.

Best of luck :)
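What the "2-3 ports between your PIX interfaces" in the post above looks like in practice, as an added example that is not billwharton's promised configuration. It assumes his addressing (Exchange at 10.1.1.23 in the DMZ, inside network 172.16.3.0/24) plus a constructed DC address of 172.16.3.10, and it assumes the Windows 2000 IPsec policy from the linked Microsoft document is already active on both servers.

```cisco
! Added example (not from the original post). DC address 172.16.3.10 is constructed.
! Identity static so the DMZ host sees the inside network untranslated; NAT would break AH
! and complicate ESP, so the hosts must talk to each other by their real addresses.
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

! IKE negotiation (UDP 500) and the ESP tunnel (IP protocol 50) between the two hosts only
access-list dmz_in permit udp host 10.1.1.23 host 172.16.3.10 eq isakmp
access-list dmz_in permit esp host 10.1.1.23 host 172.16.3.10

! Caveat: Windows 2000 authenticates IKE with Kerberos by default and exempts Kerberos
! traffic from IPsec, so port 88 must also pass in the clear. Certificate or preshared-key
! authentication in the IPsec policy removes the need for these two lines.
access-list dmz_in permit tcp host 10.1.1.23 host 172.16.3.10 eq 88
access-list dmz_in permit udp host 10.1.1.23 host 172.16.3.10 eq 88

! Everything else from the DMZ toward the inside stays blocked; the AD traffic
! (RPC high ports, 135, 445, LDAP, etc.) now rides inside ESP instead of needing its own holes
access-list dmz_in deny ip any 172.16.3.0 255.255.255.0
access-group dmz_in in interface dmz
```

Inside-to-DMZ traffic from the DC is allowed by the PIX security levels and the identity static, so no corresponding rule is needed on the inside interface. The payoff is the one deny line at the end: the long list of AD ports from the Microsoft article never has to be opened on the firewall, and anything not carried over ESP from 10.1.1.23 to the DC is dropped.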
 

Author Comment

by:mcfr6070
ID: 11980236
Sorry for the delay. I decided to go with lrmoore's solution because I do not have much time to implement this and it seems less painful; however, I would like to try to set up Bill's setup once I get a lab going. Unfortunately, I have never worked with IPsec, so it might take some time to figure it out. Billwharton, I wouldn't mind having the config for when I get the lab set up. My question was answered; however, I truly need help with lrmoore's config. I opened another question with some more points towards the config. Below is the link to the new question. Thank you both for your help.

http://www.experts-exchange.com/Security/Firewalls/Q_21119127.html