Symantec SG5400 Exchange 2003 DMZ or service redirect

Posted on 2004-09-19
Medium Priority
Last Modified: 2012-05-05
Dear All,
I'm planning to implement my internal mail server using Exchange 2003.
It is past the application optimization mode internally now and I want to publish it online.

I did arrange with my DNS provider to change the MX records
and I did buy a Symantec SGS 5400 series.
Now I want to deploy behind the gateway.
My question:
in documented best practice, what is better to use,
service redirect
or the SGS DMZ ports?
In your opinion, what is best and why?

Question by:webtrans

Author Comment

ID: 12095420
Hi Guys,
anyone here?
Should I have posted at some different place?
LVL 18
ID: 12095507
My humble opinion,

Use a service redirect. At the company I was just at I deployed an SGS 5440 and Exchange 2003 behind the firewall. By letting the SGS route port 25 and OWA over port 80 to the Exchange Server behind the firewall, I get the added benefit of using NAT and fully protecting the Exchange Server while having it on the same network as the rest of my domain. DMZ still hangs it out there with a public IP address and less security. I believe the service redirect is more secure and easier to manage with the rest of my servers.

When I deployed mine, I spent a day with a couple of the Symantec Enterprise Support gurus and this is the way they recommended. One caveat: when you do OWA behind the SGS, call the support line, as you have to go into the HTTP port 80 properties and enable WebDAV for OWA to work.

Good Luck

Author Comment

ID: 12095546
Do you have any document that can aid in proving this to my company?
Did Symantec publish anything on that matter?

LVL 18
ID: 12096301

I was at an impasse in my implementation of the SGS box, so I first called Enterprise Support to get initially set up. I was replacing a Cisco PIX and had put in the VPN 100 and 200 boxes at all the client locations to connect to this box. Their Enterprise Support was great, with the tech taking a long time to walk me through various configuration issues and to put best practices in use. I got the mail server set up but was having problems with OWA. That's when I hooked up with a couple of other folks and spent a day with them on this issue and on the most efficient and secure setup of the SGS.

With the Enterprise unit, I'm sure you also got unlimited support. They are great.

Expert Comment

ID: 12097877
The 'best practice' recommendation would be to have a system on the DMZ redirect the mail to your exchange server. This is so there is no direct connection from the Internet to your private trusted systems. The SGS appliances use proxies for SMTP, thus are in essence the equivalent of another system. When outside systems attach, they only see the proxy on the SGS, not your Exchange server, thus using a redirect should be OK for SMTP. I don't recommend using it for HTTP for OWA without a front end server on the DMZ. You would be opening up a production server to the world with the most exploited service out there.

To set this up on the SGS, you first need to set up a redirect from the public IP to the private IP and then a rule that allows SMTP from everywhere to the inside system.

Good luck

Author Comment

ID: 12100712
Any document please, by Symantec, on how this setup is more secure,
or any other paper online that can back this up.
LVL 18
ID: 12101031
I searched high and low when I set up my SGS and have been using their VPN/Firewall appliances for some time, but documentation is scarce to non-existent. I love the product, but could not find any reasonable documentation about how to do these things. If you print out all, I believe 500+ pages, of the manual and read it (which I did), you'll find that it is a mirror of what you get by clicking on the Help icon within the program.

This seems to be a gray area, as are many others on the SGS. To make a Windows VPN work correctly, we had to set up a NAT pool, but you won't find in any document that, for the VPN with various users to work properly, it needs to be set up this way.

I agree with syn above that for the best in security, a front end and back end server is the way to go. My companies could never justify the expense or administrative overhead of 2 Exchange servers, so we always ran one at each location. So it gets down to where to put it. A DMZ by nature is more exposed than a machine NATted behind a firewall. Sooooo, how much risk are you willing to take and how much protection do you want? I personally want my single server behind the firewall. That's my choice based on 27 years of doing this. I have seen too many DMZ'ed machines trashed by hackers or have the server hijacked. While port 80 can be attacked, to me it is less exposure than having all my ports exposed directly to the Internet where my public IP is just out there ready for abuse. Your SGS and Windows 2003 security can help to make your mail server secure. If you want, use OWA over SSL. That makes it secure and you won't need port 80.

I don't believe you will find any documentation from Symantec on this.  A general forum may provide some answers or the links I put above might shed some light.  I always hated to have to prove to my bosses in the past that what I wanted to do was the best.  Fortunately the last 7 or 10 years I have had ones that trust my experience, so I make the decisions and let them know what I decide to do.  You're the expert here, not them and you know your network and requirement better than anyone.

Good Luck
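The two placements argued over in the expert comment above (SMTP redirect through the SGS proxy versus a server with its own public IP on the DMZ) and the OWA-over-SSL point from the last answer, modelled as a small policy checker. This is an added example, not code from the thread or from Symantec; the addresses and the list of listening ports are constructed, and the SGS itself has no such script.

```python
# Added example: a model of "DMZ with public IP" versus "NAT service redirect
# through the SGS proxy", with the checks a reviewer would apply to each policy.
from dataclasses import dataclass, field

# Constructed sample addresses; no real hosts.
PUBLIC_IP, EXCHANGE_IP = "203.0.113.10", "10.0.0.25"
# Ports a single all-in-one Exchange 2003 box commonly listens on (assumed list).
LISTENING = {25: "smtp", 80: "http (owa)", 443: "https (owa)",
             135: "rpc", 445: "smb", 3389: "rdp"}
MAIL_PORTS = {25, 80, 443}

@dataclass
class Placement:
    name: str
    public_ip_on_server: bool                            # True for the DMZ design
    redirects: dict = field(default_factory=dict)        # public port -> backend port
    allowed_from_any: set = field(default_factory=set)   # ports the policy permits

def exposure(p: Placement) -> dict:
    """Map each Internet-reachable backend port to what Exchange sees as its peer."""
    seen = {}
    for port in LISTENING:
        if p.public_ip_on_server:
            # DMZ: the server carries the public address, so an allowed port is a
            # direct connection and Exchange sees the real Internet peer.
            if port in p.allowed_from_any:
                seen[port] = "internet-peer"
        else:
            # Redirect: only ports with a redirect AND an allow rule exist publicly,
            # and the SGS proxy terminates the session, so Exchange sees the proxy.
            for pub, backend in p.redirects.items():
                if backend == port and pub in p.allowed_from_any:
                    seen[port] = "sgs-proxy"
    return seen

def findings(p: Placement) -> list:
    """Checks drawn from the thread: scope of exposure, cleartext OWA, no proxy."""
    out, ex = [], exposure(p)
    extra = sorted(set(ex) - MAIL_PORTS)
    if extra:
        out.append(f"{p.name}: non-mail ports reachable from the Internet: {extra}")
    if 80 in ex:
        out.append(f"{p.name}: OWA over cleartext port 80 to the mailbox server; "
                   "use 443 or a front-end server")
    if any(v == "internet-peer" for v in ex.values()):
        out.append(f"{p.name}: direct connections reach the server, no proxy in path")
    return out

# DMZ design as the thread describes it: public IP on the box, policy left open.
DMZ = Placement("dmz", True, allowed_from_any=set(LISTENING))
# Redirect design: public IP stays on the SGS; only SMTP and OWA over SSL published.
REDIRECT = Placement("redirect", False, redirects={25: 25, 443: 443},
                     allowed_from_any={25, 443})
```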

Author Comment

ID: 12102778
Your answers are more than helpful and informative
and I will definitely give you the points and an A for sure,
but at least can you guide me to some place where I can tell him "here, see how many DMZs have been down and hacked"?
I guess from what you said you know what I mean.
Yours sincerely
LVL 18

Accepted Solution

Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer earned 2000 total points
ID: 12108971
Hi Web,

I've searched Symantec and Microsoft and, as I said before, this seems to fall into a gray area. I've found no documentation, but have had the assistance of 3 of the Symantec engineers as well as the general guidelines of what DMZs are and what placement of a server means within the DMZ and on the private network using a redirect.

You might try the Enterprise support line and see if they have a doc for this.

Thanks again and good luck
