Solved

Publishing Exchanging in ISA 2000 server

Posted on 2004-11-19
Last Modified: 2013-11-16
I would like to have some advice regarding our DMZ design. The following is the setup:

                                              Outside to DMZ(25, 80, 443)
Internet (Outside)----------- PIX --------------------------------(DMZ) {AntiSpam, DNS, Web}
                                         -
                                         -
Outside to Inside (80, 110)   -        DMZ To Inside (25, 1433)
                                         -
                                         -
                                         -
                                         -
                                    (Inside)
                  ISA Server {Published Server: SQL,
        Front-End Exchange 2003(POP3, SMTP, OWA, OMA)}


I would like to know what the threats are of having the POP3 & OWA traffic reach the inside network, as the Front-End Exchange is published in the ISA server?

Question by:mofne
6 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 12624153
Hi mofne,
The threat is that if there are any vulnerabilities in those services someone could gain access to that machine and from there your entire network.
It would be better to locate the Exchange server in the DMZ as ideally you don't want to be redirecting any ports to the inside network. This does mean that the Exchange server has to be independent of your internal domain though.
0
 

Author Comment

by:mofne
ID: 12625165
We designed the DMZ like this to eliminate opening ports in the ISA server,
for the front-end Exchange to communicate with the back-end Exchange server and
the AD for the authentication. If we put the front-end Exchange in the DMZ and it is
compromised, the attacker can gain access to the inside network as well.

So what other scenarios do you recommend? Thanks a lot for your comments.


0
 
LVL 36

Accepted Solution

by:
grblades earned 1000 total points
ID: 12625811
What I would do is move the Exchange server into the DMZ so that no ports need to be redirected to the internal network.
However this does mean that the exchange server will have to be configured as a standalone server or in a separate domain by itself since you don't want to allow it to talk to the internal AD controller.
It would be better to actually have the Exchange server(s) on a second DMZ interface so that you can firewall between the web server and Exchange since most of the security vulnerabilities are with IIS.
0
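The flow matrix from the question's diagram, checked for paths from Outside to Inside, as an added example that is not part of the original thread. The `PROPOSED` matrix and the zone name `dmz2` are assumptions made for illustration: Exchange alone on a second DMZ interface, with the SQL rule left as the question drew it.

```python
from collections import deque

# Flow matrix from the question's diagram: (source, destination) -> TCP ports.
CURRENT = {
    ("outside", "dmz"): {25, 80, 443},
    ("outside", "inside"): {80, 110},
    ("dmz", "inside"): {25, 1433},
}

# Assumed matrix for the suggested layout (constructed, not from the thread):
# Exchange on a second DMZ interface "dmz2", the AntiSpam host relaying SMTP
# to it, and the DMZ-to-Inside SQL rule (1433) unchanged.
PROPOSED = {
    ("outside", "dmz"): {25, 80, 443},
    ("outside", "dmz2"): {80, 110},
    ("dmz", "dmz2"): {25},
    ("dmz", "inside"): {1433},
}

def direct_exposure(flows, src="outside", dst="inside"):
    """Ports on dst that src can reach in a single hop."""
    return sorted(flows.get((src, dst), set()))

def exposure_paths(flows, src="outside", dst="inside"):
    """Loop-free zone chains from src to dst with the ports allowed per hop.
    A multi-hop chain assumes a host in each intermediate zone is compromised."""
    paths, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        for (a, b) in sorted(flows):
            if a != path[-1] or b in path:
                continue
            chain = path + [b]
            if b == dst:
                paths.append([(x, y, sorted(flows[(x, y)]))
                              for x, y in zip(chain, chain[1:])])
            else:
                queue.append(chain)
    return paths

if __name__ == "__main__":
    for name, flows in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, "direct ports to inside:", direct_exposure(flows))
        for hops in exposure_paths(flows):
            print("  path:", " -> ".join(f"{a}>{b}{p}" for a, b, p in hops))
```
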

 

Author Comment

by:mofne
ID: 12626157
Thanks again,
Well, I never heard of putting Exchange in a separate domain! But it's interesting; I will read about it.

Just to add something to the full picture: when I talk about the inside network here I'm talking about it from
the PIX firewall, meaning the traffic is hitting the outside interface of the ISA, and we consider the ISA
as the second level firewall.


Actually I'm not convinced by this design but I'm trying to find out and highlight the threats, because
our Microsoft experts see it like this and they introduced this solution to us. But still I didn't get any
new idea about this issue.

Thanks a lot for your help :)
0
 
LVL 7

Assisted Solution

by:JJ2
JJ2 earned 1000 total points
ID: 12638358
0
 

Author Comment

by:mofne
ID: 12639085
Thanks a lot, jj2, for the helpful links.
I think I will go through it; it seems interesting :)
0


Question has a verified solution.
