I need some advice please on the best way to set up an Exchange 2003 front-end / back-end topology securely.
I have read many technical documents with conflicting methods and I am confused about the best approach for us.
We are a small non-profit organisation, single site, single domain, all servers running Windows 2003.
Our current setup is two Exchange 2003 servers, one front-end and one back-end, both currently sitting on the internal LAN.
We are using a Watchguard Firebox X700 firewall which is currently NATing port 443 SSL for OWA and port 25 SMTP through to the front-end Exchange server.
I am also able to configure remote laptops using Outlook 2003 for use with RPC over HTTP, which means we no longer need VPNs on the laptops but can still connect to the Exchange server. The front-end Exchange server is also the RPC proxy.
My original plan was to put the new front-end Exchange server into the DMZ of the Firebox firewall and open the necessary ports from the DMZ to the internal network so the front-end server could communicate with the DCs, GCs etc.
However the more I read about front-end / back-end Exchange setups the more I think this might not be the best way as you end up with lots of ports open from the DMZ to the internal LAN.
All the Microsoft documentation recommends using ISA Server. I am not sure I can afford yet another box and an ISA licence as it's all getting rather expensive.
Could I leave the setup as it is, or is that not secure enough?
Should I use IPsec between the front-end / back-end Exchange servers, and how do I go about setting that up?
Should I run the Security Configuration Wizard that is part of Windows to harden the front-end Exchange server, or should I use the default security templates instead?
This was an interesting article on why DMZs might not be as effective as you think:
What would you recommend for our organisation?
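As an added illustration of the IPsec question above (not part of the original post), the following is a Windows Server 2003 `netsh ipsec static` script that requires ESP between the two Exchange servers only. The two addresses are constructed placeholders; the policy name and Kerberos authentication are assumptions, and Kerberos only works while both servers remain domain members that can reach a DC.

```batch
@echo off
rem Constructed placeholder addresses for the front-end and back-end servers.
set FE_IP=192.0.2.10
set BE_IP=192.0.2.20

rem Policy container; not assigned until the last step so nothing is enforced half-built.
netsh ipsec static add policy name="Exchange FE-BE" description="Require ESP between FE and BE"

rem Mirrored filter matches traffic in both directions between the two hosts only,
rem so DC, GC and DNS traffic to other addresses is unaffected.
netsh ipsec static add filterlist name="FE-BE Traffic"
netsh ipsec static add filter filterlist="FE-BE Traffic" srcaddr=%FE_IP% dstaddr=%BE_IP% protocol=ANY mirrored=yes

rem Negotiate ESP with encryption and integrity; inpass=no and soft=no refuse
rem clear-text fallback, so a peer that cannot negotiate simply fails closed.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Tie filter list and action together; kerberos=yes uses the domain accounts of both servers.
netsh ipsec static add rule name="FE-BE Rule" policy="Exchange FE-BE" filterlist="FE-BE Traffic" filteraction="Require ESP" kerberos=yes

rem Assign the policy; run the same script on both servers, then verify.
netsh ipsec static set policy name="Exchange FE-BE" assign=y
netsh ipsec static show policy name="Exchange FE-BE"
netsh ipsec dynamic show qmsas
```

After assigning on both servers, the `show qmsas` output should list quick-mode security associations between the two addresses; if it stays empty, check that each server can still reach a DC for Kerberos before suspecting the filters.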