How do I relocate an Exchange 2003 server behind a Kerio WinRoute Firewall?

Posted on 2006-05-22
Last Modified: 2013-11-16
My Exchange server is currently sitting outside our firewall.  It is dual homed and is functioning perfectly.  My concern is for security.  I tend to believe that access to the server could be compromised the longer it sits open to the internet and relatively unprotected.

Our company recently implemented a new Kerio WinRoute firewall on one of our servers.  We have been successful in routing our website traffic through the firewall.  All users are accessing the internet via this software/hardware combination.

For simplicity's sake, the two IP sets are as follows:

Exchange Internal:
Exchange External:

Firewall Internal:
Firewall External:

My thinking is that Exchange internal gateway should be changed to and the external NIC removed.  How is traffic to this server rerouted through the firewall's external NIC (, then?  Does my ISP have to get involved here and change some DNS settings somewhere?

I think I can handle opening and closing the necessary ports on the firewall (443, 25, etc.), so that shouldn't be too much of an issue...I just want to make sure I have the IP settings in my head correctly before I start making changes.  My goal is minimal downtime for email services.

Question by: Linguinut
    LVL 4

    Accepted Solution

    You are correct.
    Simply remove the ext nic from Exchange box, and set int nic just as you would any other machine on the internal network.
    Then, in your firewall obviously allow the ports back and forth, but the trick is to set up NAT...
    I am not familiar with Kerio, but I found this:

    Basically you need a port mapping for each port you want to open.
    So, for SMTP:

    Protocol: TCP
    Listen IP:
    Listen Port: 25
    Destination IP:
    Destination Port: 25

    Do the same for 443, and any other ports you want open and you should be good to go.

    LVL 51

    Assisted Solution

    by: Keith Alabaster
    If you move your exchange server to the inside of the firewall you will either need to:

    Change the A record that is associated with your MX record to point to the ip address on the outside of your firewall (if it is, then the A record associated with mail-in will need to be changed) and then you forward the traffic accordingly on the firewall OR  

    Put a static NAT on the firewall that translates to the address on the network where you have put the external Exchange server.

    If you are using owa/oma on the external Exchange box then those ports need forwarding as well.
    LVL 1

    Author Comment

    Thanks a ton!  Sounds simple enough.  I think the owa/oma may give me a little trouble since we are also hosting our website.  I'll need to listen for something different than simply port 80/443.  
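    The accepted solution's per-port NAT table and the author's worry above that OWA on 443 collides with the hosted website can be checked before touching the firewall. The following is an added example, not code from the thread or from Kerio: it models the port-mapping fields from the accepted solution and flags any listener that is mapped to two different destinations. All IP addresses and the alternative OWA listen port 8443 are constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholder addresses; the asker's real IPs are not on the page.
FIREWALL_EXTERNAL = "203.0.113.10"   # firewall external NIC
EXCHANGE_INTERNAL = "192.168.1.20"   # Exchange, internal NIC only after the move
WEB_INTERNAL = "192.168.1.30"        # web server already published on 80/443


def mapping(proto, listen_ip, listen_port, dest_ip, dest_port):
    """One port-mapping record with the same fields as the accepted solution."""
    return {"proto": proto, "listen_ip": listen_ip, "listen_port": listen_port,
            "dest_ip": dest_ip, "dest_port": dest_port}


def find_conflicts(mappings):
    """Return (proto, listen_ip, listen_port) keys that point at more than one
    destination. A NAT engine can only hand a listener to one host, so the
    second mapping would silently lose traffic or refuse to save."""
    by_listener = defaultdict(set)
    for m in mappings:
        key = (m["proto"], m["listen_ip"], m["listen_port"])
        by_listener[key].add((m["dest_ip"], m["dest_port"]))
    return sorted(k for k, dests in by_listener.items() if len(dests) > 1)


def missing_exchange_services(mappings, required):
    """Return required (proto, dest_port) pairs that no mapping delivers to
    Exchange, e.g. SMTP (25) and OWA/OMA (443) after the move."""
    delivered = {(m["proto"], m["dest_port"]) for m in mappings
                 if m["dest_ip"] == EXCHANGE_INTERNAL}
    return sorted(set(required) - delivered)


def build_plan(owa_listen_port=443):
    """Mappings for Exchange behind the firewall while the website stays on
    80/443. owa_listen_port is the external port the firewall listens on for
    OWA; the destination on Exchange is still 443."""
    return [
        mapping("TCP", FIREWALL_EXTERNAL, 80, WEB_INTERNAL, 80),
        mapping("TCP", FIREWALL_EXTERNAL, 443, WEB_INTERNAL, 443),
        mapping("TCP", FIREWALL_EXTERNAL, 25, EXCHANGE_INTERNAL, 25),
        mapping("TCP", FIREWALL_EXTERNAL, owa_listen_port, EXCHANGE_INTERNAL, 443),
    ]


if __name__ == "__main__":
    print("conflicts with OWA on 443:", find_conflicts(build_plan()))
    print("conflicts with OWA on 8443:", find_conflicts(build_plan(8443)))
```

    Running it shows the 443 listener claimed by both the web server and Exchange in the default plan, and a clean table once OWA is published on a different external port.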
    LVL 1

    Author Comment

    Uberpoop...I apologize...I totally overlooked your entry (didn't even see it), so I awarded the points to keith_alabaster.  I have asked to have these points split between both of you.  Sorry for the oversight.
