[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

How do I relocate an Exchange 2003 server behind a Kerio WinRoute Firewall?

Posted on 2006-05-22
5
Medium Priority
?
418 Views
Last Modified: 2013-11-16
My Exchange server is currently sitting outside our firewall.  It is dual homed and is functioning perfectly.  My concern is for security.  I tend to believe that access to the server could be compromised the longer it sits open to the internet and relatively unprotected.

Our company recently implemented a new Kerio WinRoute firewall on one of our servers.  We have been successful in routing our website traffic through the firewall.  All users are accessing the internet via this software/hardware combination.

For simplicity's sake, the two IP sets are as follows:

Exchange Internal:  2.2.2.1
Exchange External: 1.1.1.1

Firewall Internal: 2.2.2.2
Firewall External: 1.1.1.2

My thinking is that Exchange internal gateway should be changed to 2.2.2.2 and the external NIC removed.  How is traffic to this server rerouted through the firewall's external NIC (1.1.1.2), then?  Does my ISP have to get involved here and change some DNS settings somewhere?

I think I can handle opening and closing the necessary ports on the firewall (443, 25, etc.), so that shouldn't be too much of an issue...I just want to make sure I have the IP settings in my head correctly before I start making changes.  My goal is minimal downtime for email services.

Thanks!!
Ling
0
Comment
Question by:Linguinut
  • 2
4 Comments
 
LVL 4

Accepted Solution

by:
uberpoop earned 500 total points
ID: 16739548
Ling,
You are correct.
Simply remove the ext nic from Exchange box, and set int nic just as you would any other machine on the internal network.
Then, in your firewall obviously allow the ports back and forth, but the trick is to setup NAT...
I am not familiar with Kerio, but i found this: http://www.kerio.com/manual/wrp/en/150.htm

Basically you need a portmaping for each port you want to open.
So, for SMTP:

Protocol: TCP
Listen IP: 1.1.1.1
Listen Port: 25
Destination IP: 2.2.2.1
Destination Port: 25

Do the same for 443, and any other ports you want open and you should be good to go.

0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 500 total points
ID: 16740112
If you move your exchange serverto the inside of the firewall you will either need to:

Change the A record that is associated with your MX record to point to the ip address on the outside of your firewall (if it is mail-in.you.com, then the A record associated with mail-in will need to be changed) and then you forward the traffic accordingly on the firewall OR  

Put a static NAT on the firewall that translates 1.1.1.1 to the address on the 2.2.2.0 network where you have put the external Exchange server.

If you are using owa/oma on the external Exchange box then those ports need forwarding as well.
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16741576
Thanks a ton!  Sounds simple enough.  I think the owa/oma may give me a little trouble since we are also hosting our website.  I'll need to listen for something different than simply port 80/443.  
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16741733
Uberpoop...I apologize...I totally overlooked your entry (didn't even see it), so I awarded the points to keith_alabaster.  I have asked to have these points split between both of you.  Sorry for the oversight.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month18 days, 18 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question