Symantec SG5400 Exchange 2003 DMZ or service redirect

Dear All,
i'm Planning to Implement my Internal Mail server Using Exchange 2003
it is past the application optimization mode internally now and i want to publish it online

i did arrange with my DNS provider to change the MX recoreds
and i did buy a Symanatec SGS 5400 series
now i want to deply behind the Gateway
my question
in documented best practce what is better to use
Service redirect
OR
on the SGS DMZ Ports
in ur Opinion what is best and why????

Thanks
LVL 5
webtransAsked:
Who is Participating?
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerConnect With a Mentor IT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
Hi Web,

      I've searched Symantec and Microsoft and as I said before, this seems to fall into a gray area.  I've found no documentation, but have had the assistance of 3 of the Symantec Engineers as well as the general guidelines of what DMZ's are and what placement of a server means within the DMZ and on the Private network using a redirect.

You might try the Enterprise support line and see if they have a doc for this.

Thanks again and good luck
Steve
0
 
webtransAuthor Commented:
Hi Guys
Anyone here
should i have posted at some different Place??????
0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
My humble opinion,

      Use a service redirect.   At the company I was just at I deployed an SGS 5440 and Exchange 2003 behind the firewall.  By letting the SGS route Port 25 and OWA over port 80 to the Exchange Server behind the firewall, I get the added benefit of using NAT and fully protecting the Exchange Server while having it on the same network as the rest of my domain.  DMZ still hangs it out there with a public IP address and less security.  I believe the service redirect is more secure and easier to manage with rest of my servers.

     When I deployed mine, I spent a day with a couple of the Symantec Enterprise Support Guru's and this is the way they recommended. One caveot, when you do OWA behind the SGS, call the support line as you have to go into the HTTP port 80 Properties and enable Webdav for OWA to work.

Good Luck
Steve
0
The eGuide to Automating Firewall Change Control

Today‚Äôs IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

 
webtransAuthor Commented:
do u have any document that can aid in proving this to my company
did symantec publish anything in that matter???
0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
No,

      I was at an impass in my implementation of the SGS box, so I first called Enterprise Support to get initially setup.  I was replacing a Cisco Pix and had put in the VPN 100 and 200 boxes at all the client locations to connect to this box.  Their Enterprise Support was great with the tech taking a long time to walk me through various configuration issues and to put best practices in use.  I got the mail server setup but was having problems with OWA.  That's when I hooked up with a couple of other folks and spent a day with them on this issue and on the most efficient and secure setup of the SGS.  

     With the Enterprise unit, I'm sure you also got unlimited support.  They are great.
0
 
syn_ack_finCommented:
The 'best practice' recommendation would be to have a system on the DMZ redirect the mail to your exchange server. This is so there is no direct connection from the Internet to your private trusted systems. The SGS appliances use proxies for SMTP, thus are in essence the equivalent of another system. When outside systems attach, they only see the proxy on the SGS, not your Exchange server, thus using a redirect should be OK for SMTP. I don't recommend using it for HTTP for OWA without a front end server on the DMZ. You would be opening up a production server to the world with the most exploited service out there.

To set this up on the SGS, you first need to set up a redirect from the public IP to the private IP and then a rule that allows SMTP from everywhere to the inside system.

Good luck
0
 
webtransAuthor Commented:
Guys
any document Please on How this setup is more secure by Symantec
or any other paper online that can backup this
?
0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
I searched high and low when I setup my SGS and have been using their VPN/Firewall appliances for some time, but documentation is scarce to non existant.  I love the product, but could not find any reasonable documentation about how to do these things.   If you print out all, I believe 500+ pages of the manual and read it, (Which I did), you'll find that it is a mirror of what you get by click on the Help Icon within the program.  

This seems to be a gray area, as are many others on the SGS.  To make a Windows VPN work correctly, we had to setup a NAT pool, but you won't find that in any document, that for the VPN with various users to work properly, it needs to be setup this way.  

I agree with syn above, that for the best in security, a front end and back end server is the way to go.  My companies could never justify the expence or administrative overhead of 2 Exchange servers, so we always ran one at each location.  So it gets down to where to put it.  A DMZ by nature is more exposed than a machine Natted behind a firewall.  Sooooo, how much risk are you willing to take and how much protection do you want.  I personally want my single server behind the firewall.  That's my choice based on 27 years of doing this.  I have seen too many DMZ'ed machines trashed by hackers or have the server hijacked. While port 80 can be attacked, to me it is less exposure than having all my ports exposed directly to the Internet where my public IP is just out there ready for abuse.  Your SGS and Windows 2003 security can help to make your mail server secure.  I f you want, use OWA over SSL.  That makes it secure and you won't need port 80.

I don't believe you will find any documentation from Symantec on this.  A general forum may provide some answers or the links I put above might shed some light.  I always hated to have to prove to my bosses in the past that what I wanted to do was the best.  Fortunately the last 7 or 10 years I have had ones that trust my experience, so I make the decisions and let them know what I decide to do.  You're the expert here, not them and you know your network and requirement better than anyone.

Good Luck
Steve
0
 
webtransAuthor Commented:
Steve
your answer are more than helpfull and Informative
and i will definately Give u the points and an A for sure
but at least can u guide me to some place where i can tell him "here see how many DMZ's have been down and hacked"
i guess from what you said you know what i do mean
Urs Sincerely
WebTrans
0
All Courses

From novice to tech pro — start learning today.