
Symantec SG5400 Exchange 2003 DMZ or service redirect

Posted on 2004-09-19
Last Modified: 2012-05-05
Dear All,

I'm planning to implement my internal mail server using Exchange 2003. It is past the application optimization mode internally now and I want to publish it online.

I did arrange with my DNS provider to change the MX records, and I did buy a Symantec SGS 5400 series. Now I want to deploy it behind the gateway.

My question: in documented best practice, what is better to use,
Service redirect
OR
the SGS DMZ ports?
In your opinion, what is best and why?

Thanks
Question by: webtrans
Author Comment by: webtrans
Hi guys,
Anyone here?
Should I have posted at some different place?
Expert Comment by: samccarthy
My humble opinion:

      Use a service redirect. At the company I was just at I deployed an SGS 5440 and Exchange 2003 behind the firewall. By letting the SGS route port 25 and OWA over port 80 to the Exchange Server behind the firewall, I get the added benefit of using NAT and fully protecting the Exchange Server while having it on the same network as the rest of my domain. DMZ still hangs it out there with a public IP address and less security. I believe the service redirect is more secure and easier to manage with the rest of my servers.

     When I deployed mine, I spent a day with a couple of the Symantec Enterprise Support gurus and this is the way they recommended. One caveat: when you do OWA behind the SGS, call the support line, as you have to go into the HTTP port 80 properties and enable WebDAV for OWA to work.

Good luck,
Steve
Author Comment by: webtrans
Do you have any document that can aid in proving this to my company?
Did Symantec publish anything on that matter?
Expert Comment by: samccarthy
No.

      I was at an impasse in my implementation of the SGS box, so I first called Enterprise Support to get initially set up. I was replacing a Cisco PIX and had put in the VPN 100 and 200 boxes at all the client locations to connect to this box. Their Enterprise Support was great, with the tech taking a long time to walk me through various configuration issues and to put best practices in use. I got the mail server set up but was having problems with OWA. That's when I hooked up with a couple of other folks and spent a day with them on this issue and on the most efficient and secure setup of the SGS.

     With the Enterprise unit, I'm sure you also got unlimited support. They are great.
Expert Comment by: syn_ack_fin
The 'best practice' recommendation would be to have a system on the DMZ redirect the mail to your Exchange server. This is so there is no direct connection from the Internet to your private trusted systems. The SGS appliances use proxies for SMTP, thus are in essence the equivalent of another system. When outside systems attach, they only see the proxy on the SGS, not your Exchange server, thus using a redirect should be OK for SMTP. I don't recommend using it for HTTP for OWA without a front-end server on the DMZ. You would be opening up a production server to the world with the most exploited service out there.

To set this up on the SGS, you first need to set up a redirect from the public IP to the private IP and then a rule that allows SMTP from everywhere to the inside system.

Good luck
Author Comment by: webtrans
Guys,
any document please on how this setup is more secure, by Symantec
or any other paper online that can back this up?
Expert Comment by: samccarthy
I searched high and low when I set up my SGS and have been using their VPN/Firewall appliances for some time, but documentation is scarce to nonexistent. I love the product, but could not find any reasonable documentation about how to do these things. If you print out all, I believe, 500+ pages of the manual and read it (which I did), you'll find that it is a mirror of what you get by clicking on the Help icon within the program.

This seems to be a gray area, as are many others on the SGS. To make a Windows VPN work correctly, we had to set up a NAT pool, but you won't find in any document that, for the VPN with various users to work properly, it needs to be set up this way.

I agree with syn above that for the best in security, a front-end and back-end server is the way to go. My companies could never justify the expense or administrative overhead of two Exchange servers, so we always ran one at each location. So it gets down to where to put it. A DMZ by nature is more exposed than a machine NATed behind a firewall. Sooooo, how much risk are you willing to take and how much protection do you want? I personally want my single server behind the firewall. That's my choice based on 27 years of doing this. I have seen too many DMZ'ed machines trashed by hackers or have the server hijacked. While port 80 can be attacked, to me it is less exposure than having all my ports exposed directly to the Internet, where my public IP is just out there ready for abuse. Your SGS and Windows 2003 security can help to make your mail server secure. If you want, use OWA over SSL. That makes it secure and you won't need port 80.

I don't believe you will find any documentation from Symantec on this. A general forum may provide some answers, or the links I put above might shed some light. I always hated to have to prove to my bosses in the past that what I wanted to do was the best. Fortunately, for the last 7 or 10 years I have had ones that trust my experience, so I make the decisions and let them know what I decide to do. You're the expert here, not them, and you know your network and requirements better than anyone.

Good Luck
Steve
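The two points above can be checked from the outside rather than argued from documentation: syn_ack_fin's claim that an outside system should see only the SGS SMTP proxy and not the Exchange server, and Steve's advice to publish OWA over SSL only and drop port 80. The script below is an added example, not code from this thread and not Symantec or SGS code. It connects to the public address, records the SMTP greeting and EHLO reply, and flags the things that show an Exchange 2003 box is reachable directly: its internal hostname in the greeting, the IIS SMTP "Microsoft ESMTP MAIL Service, Version:" banner, and the Exchange-only ESMTP keywords XEXCH50, X-EXPS and X-LINK2STATE (those strings are the real ones Exchange 2003 sends). It also reports whether port 80 answers alongside 443. The hostnames, addresses and transcripts in the block are constructed for the example.

```python
"""External exposure check for a published Exchange 2003 server.

Added example, not code from the thread or from Symantec. Hostnames,
addresses and the sample transcripts are constructed; the Exchange 2003
greeting format and ESMTP keywords are the ones that product sends.
"""
import re
import socket
import sys

# Greeting sent by the IIS SMTP service that Exchange 2003 runs on.
EXCHANGE_BANNER = re.compile(r"Microsoft ESMTP MAIL Service, Version: (\S+)")
# ESMTP keywords advertised only by Exchange 2000/2003.
EXCHANGE_EXTENSIONS = {"XEXCH50", "X-EXPS", "X-LINK2STATE"}


def parse_greeting(line):
    """Return (hostname, exchange_version_or_None) from a 220 greeting."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("220"):
        raise ValueError("not an SMTP greeting: %r" % line)
    match = EXCHANGE_BANNER.search(line)
    return parts[1], (match.group(1) if match else None)


def parse_ehlo(reply):
    """Return the set of ESMTP keywords from a multi-line 250 reply."""
    keywords = set()
    for ln in reply.strip().splitlines()[1:]:  # line 1 is the server's name
        if ln.startswith("250") and len(ln) > 4:
            keywords.add(ln[4:].split()[0].upper())
    return keywords


def assess(public_name, greeting, ehlo_reply, open_web_ports=()):
    """Turn a transcript into a list of exposure findings (empty is good)."""
    host, version = parse_greeting(greeting)
    keywords = parse_ehlo(ehlo_reply)
    findings = []
    if host.lower() != public_name.lower():
        findings.append("greeting names %s, not the public MX host" % host)
    if version:
        findings.append("greeting reveals Exchange/IIS SMTP version %s" % version)
    leaked = sorted(keywords & EXCHANGE_EXTENSIONS)
    if leaked:
        findings.append("Exchange-only extensions visible: " + ", ".join(leaked))
    if 80 in open_web_ports:
        findings.append("OWA answers on cleartext port 80; publish 443 only")
    return findings


def probe(host, port=25, timeout=10):
    """Live check: fetch the greeting and EHLO reply from a public address."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        greeting = reader.readline().decode("ascii", "replace")
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        lines = []
        while True:
            ln = reader.readline().decode("ascii", "replace")
            if not ln:
                break
            lines.append(ln)
            if len(ln) < 4 or ln[3] != "-":  # "250 " (space) ends the reply
                break
        sock.sendall(b"QUIT\r\n")
    return greeting, "".join(lines)


def web_ports(host, ports=(80, 443), timeout=5):
    """Which OWA ports accept a TCP connection from outside."""
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:
            pass
    return reachable


# Constructed transcripts: a directly NATed Exchange 2003 box versus an
# SMTP proxy standing in front of it.
DIRECT_GREETING = ("220 ex01.corp.internal Microsoft ESMTP MAIL Service, "
                   "Version: 6.0.3790.1830 ready at Sun, 19 Sep 2004 10:00:00 +0200\r\n")
DIRECT_EHLO = ("250-ex01.corp.internal Hello [203.0.113.7]\r\n250-SIZE\r\n"
               "250-PIPELINING\r\n250-X-EXPS GSSAPI NTLM LOGIN\r\n"
               "250-AUTH GSSAPI NTLM LOGIN\r\n250-X-LINK2STATE\r\n"
               "250-XEXCH50\r\n250 OK\r\n")
PROXY_GREETING = "220 mail.example.com ESMTP\r\n"
PROXY_EHLO = "250-mail.example.com\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    if len(sys.argv) == 2:  # live run: python check.py mail.example.com
        name = sys.argv[1]
        greeting, ehlo = probe(name)
        findings = assess(name, greeting, ehlo, web_ports(name))
    else:                   # offline demo on the constructed transcripts
        findings = assess("mail.example.com", DIRECT_GREETING, DIRECT_EHLO, [80, 443])
    for finding in findings:
        print("FINDING:", finding)
    print("clean" if not findings else "%d findings" % len(findings))
```

Run it from a host outside the firewall with the public MX name as the only argument; with no argument it runs against the constructed transcripts and reports four findings for the directly exposed case. An empty findings list means the greeting carries the public name with no version string, no Exchange-only keywords are advertised, and only 443 answers for OWA, which is the state the service-redirect-through-proxy setup is meant to produce.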
Author Comment by: webtrans
Steve,
your answers are more than helpful and informative,
and I will definitely give you the points and an A for sure,
but at least can you guide me to some place where I can tell him "here, see how many DMZs have been taken down and hacked"?
I guess from what you said you know what I mean.
Yours sincerely,
WebTrans
Accepted Solution by: samccarthy (earned 500 total points)
Hi Web,

      I've searched Symantec and Microsoft and, as I said before, this seems to fall into a gray area. I've found no documentation, but have had the assistance of three of the Symantec engineers, as well as the general guidelines of what DMZs are and what placement of a server means within the DMZ and on the private network using a redirect.

You might try the Enterprise support line and see if they have a doc for this.

Thanks again and good luck,
Steve