I need some input on justifying moving an Exchange front-end server into a DMZ network.
When implementing a front-end Exchange server in a DMZ network you only have to open ports 25 and 443 from the internet to the DMZ network. You then have to open a series of ports from the DMZ network to the DC. When running without a DMZ network the front-end server has full access to the LAN network and DC, not just specified ports. How is running an Exchange front-end server in a DMZ network less secure than running it with the other severs in the LAN network? It seems to be more secure for it can only attack the DC and nothing else on the LAN network. The same amount of ports are open from the internet to the front-end server regarless of it being in a DMZ network, or, being in the LAN network. Now, given the ports open from the DMZ network to the DC allows an attack from the front-end server to the DC regardless of it being in a DMZ network. It almost seems pointless, but I wouldn’t say less secure. If the front-end server is compromised it can only attack the DC, not the whole LAN network. So, basically, it seems the benefits of the front-end server being in a DMZ network is that it can only attack the DC. However, the front-end server NOT being in the DMZ network will allow an attack on ANYTHING on the LAN network, this includes the DC. It seems to be a little more secure, but not a whole lot.
What are everyone’s thoughts? It almost doesn’t seem worth it, or, of much value placing the front-end server in a DMZ network for it only protects attacks on your LAN network and not the DC.