Solved

Placement of OWA during install

Posted on 2004-09-02
Last Modified: 2008-03-06
Hi all

I have just deployed Exchange 2003 and had a few queries regarding the deployment of OWA. I am going to place my box in the DMZ. According to the KB articles, I have opened all the relevant ports (80, 443, 389, 3268).

Can I install the system as an FE server on my internal network and then deploy it on the DMZ,
as when it's on the DMZ it won't allow me to even add it to the domain?

Thanks

Johnson





Question by:ferraoj
Expert Comment

by:Sembee
I wouldn't place an Exchange server in the DMZ. Bad idea. I would never suggest putting a domain member on the DMZ.
Leave the machine on your main network and punch just 443 through the firewall. The whole point of a firewall is to have as few ports open as possible, but the number of ports that you need to open for an Exchange server to communicate with the domain makes your firewall look like Swiss cheese and provide naff all security.

If a domain member in the DMZ gets compromised, the attacker has a clear run through to your main network, whereas opening just 443 provides the least risk.

Simon.

Author Comment

by:ferraoj
Just a clarification

I am putting my Exchange server in my DMZ (which is on a completely different network) on my PIX.
The Microsoft KB articles clearly mention to put the Exchange OWA server on the DMZ and so too other articles.

I am not configuring the box as a Domain controller. Just want to make it a member of the domain.

So if I don't make the box a member of the domain, how can I install Exchange 2003 as my front-end server?

http://www.winnetmag.com/Article/ArticleID/23653/23653.html

The above was one of the articles I was referring to.

Thanks again

Expert Comment

by:infotrader
Whether to put Exchange in the DMZ has been a long debate for IT professionals.  It really depends on what you'd like to do with your Exchange server.

If you do not host email for others outside of your company, putting it inside and opening up ports in your firewall (or port-forwarding) might be a much easier and better way to do it.

To do so, just place the Exchange server on your LAN. Forward all requests for port 80 (if you like to use unencrypted HTTP), 443 (SSL), 25 (for SMTP), and you are ready to go. You can add more port forwarding functions such as NNTP or POP3 if you use newsgroups or POP3.

Once you do that, it's your front-end Exchange server but sitting behind your firewall!!

- Info

Accepted Solution

by: Sembee
It doesn't matter whether the machine is a domain controller or not. Being a member of the domain is enough to make it a risk to put a machine in the DMZ.
I only put standalone servers in the DMZ, which are part of a workgroup. This rules out putting Exchange on it.

To quote an Exchange MVP, there are NO valid reasons to put OWA in the DMZ.

The article you have quoted is 2 years old and doesn't even cover Exchange 2003.
A lot has changed in two years including attacks on Exchange servers - Windows servers are one of the top targets now. Exchange servers even more so with spammers looking for new targets to send their material through.
While Microsoft may give articles on putting Exchange into a DMZ, that is like me quoting you an article that tells you how to drive your car in heavy snow. You can do it, but it isn't recommended and should be avoided.

You are obviously concerned for security, so open the least ports possible. 443 and 25 are now the only ports open to the Internet on most networks that I manage.

Simon.