Solved

Placement of OWA during install

Posted on 2004-09-02
Last Modified: 2008-03-06
Hi all

I have just deployed Exchange 2003 and had a few queries regarding the deployment of OWA. I am going to place my box in the DMZ. According to the KB articles I have opened all the relevant ports (80, 443, 389, 3268).

Can I install the system as a FE server on my internal network and then deploy it on the DMZ?
As when it's on the DMZ it won't allow me to even add it to the domain.

Thanks

Johnson





Question by:ferraoj

Expert Comment

by:Sembee
ID: 11966713
I wouldn't place an Exchange server in the DMZ. Bad idea. I would never suggest putting a domain member on the DMZ.
Leave the machine on your main network and punch just 443 through the firewall. The whole point of a firewall is to have as few ports open as possible, but the number of ports that you need to open for an Exchange server to communicate with the domain makes your firewall look like Swiss cheese and provide naff all security.

If a domain member in the DMZ gets compromised the attacker has a clear run through to your main network. Whereas opening just 443 provides the least risk.

Simon.

Author Comment

by:ferraoj
ID: 11966795
Just a clarification

I am putting my Exchange server in my DMZ (which is on a completely different network) on my PIX.
The Microsoft KB articles clearly mention to put the Exchange OWA server on the DMZ and so too other articles.

I am not configuring the box as a Domain controller. Just want to make it a member of the domain.

So if I don't make the box a member of the domain, how can I install Exchange 2003 as my front end server?

http://www.winnetmag.com/Article/ArticleID/23653/23653.html

The above was one of the articles I was referring to

thanks

again

Expert Comment

by:infotrader
ID: 11966990
Whether to put Exchange in the DMZ has been a long debate for IT professionals.  It really depends on what you'd like to do with your Exchange server.

If you do not host email for others outside of your company, putting it inside and opening up ports in your firewall (or port-forwarding) might be a much easier and better way to do it.

To do so, just place the Exchange server on your LAN.  Forward all requests for port 80 (if you like to use unencrypted HTTP), 443 (SSL), 25 (for SMTP), and you are ready to go.  You can add more port forwarding functions such as NNTP or POP3 if you use newsgroups or POP3.

Once you do that, it's your Front End Exchange Server but sitting behind your firewall!!

- Info

Accepted Solution

by:Sembee (earned 200 total points)
ID: 11967506
It doesn't matter whether the machine is a domain controller or not. Being a member of the domain is enough to make it a risk to put a machine in the DMZ.
I only put standalone servers in the DMZ, which are part of a workgroup. This rules out putting Exchange on it.

To quote an Exchange MVP, there are NO valid reasons to put OWA in the DMZ.

The article you have quoted is 2 years old and doesn't even cover Exchange 2003.
A lot has changed in two years including attacks on Exchange servers - Windows servers are one of the top targets now. Exchange servers even more so with spammers looking for new targets to send their material through.
While Microsoft may give articles on putting Exchange into a DMZ, that is like me quoting you an article that tells you how to drive your car in heavy snow. You can do it, but it isn't recommended and should be avoided.

You are obviously concerned for security, so open the least ports possible. 443 and 25 are now the only ports open to the Internet on most networks that I manage.

Simon.
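
The trade-off argued in this thread, as an added example that is not part of any poster's answer: a small Python audit that compares a constructed ruleset for a domain-member front end in the DMZ (using only the ports named in the question) with one that publishes just 443 and 25 to a server on the LAN. The zone names and the rule format are assumptions made for the example and are not PIX syntax.

```python
# Added example: audit a firewall ruleset against the thread's advice.
# The rule format ("src_zone dst_zone proto port") and the zone names are
# constructed for this example; this is not PIX configuration syntax.
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto port")

# Accepted answer: 443 and 25 are the only ports open to the Internet.
INTERNET_ALLOWLIST = {("tcp", 443), ("tcp", 25)}
# Directory ports from the question: LDAP (389) and Global Catalog (3268).
DIRECTORY_PORTS = {389, 3268}

def parse_rules(text):
    """Parse one permit rule per line, ignoring blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port = line.split()
        rules.append(Rule(src, dst, proto.lower(), int(port)))
    return rules

def audit(rules):
    """Return (severity, rule, reason) findings for a list of permit rules."""
    findings = []
    for r in rules:
        if r.src == "internet" and (r.proto, r.port) not in INTERNET_ALLOWLIST:
            findings.append(("warn", r, "Internet-facing port outside 443/25"))
        if r.src == "dmz" and r.dst == "inside":
            sev = "high" if r.port in DIRECTORY_PORTS else "warn"
            findings.append((sev, r, "DMZ host can reach the internal network"))
    return findings

# Constructed rulesets for the two designs discussed in the thread.
DMZ_FRONT_END = """
internet dmz tcp 80
internet dmz tcp 443
dmz inside tcp 389    # LDAP to a domain controller
dmz inside tcp 3268   # Global Catalog
"""
LAN_PUBLISHED = """
internet inside tcp 443
internet inside tcp 25
"""

if __name__ == "__main__":
    for name, text in (("DMZ front end", DMZ_FRONT_END), ("LAN, 443/25", LAN_PUBLISHED)):
        print(name)
        for sev, rule, reason in audit(parse_rules(text)):
            print(f"  [{sev}] {rule.src}->{rule.dst} {rule.proto}/{rule.port}: {reason}")
```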