Solved

2 Exchange Servers Possible?

Posted on 2006-06-23
Last Modified: 2010-04-19
I have a client who is interested in getting Small Business Server running, however, because of some security breaches in the past, they would like to put an Exchange server in the DMZ to do mail exchanging with the internet, then have the SBS running on the LAN.  Can you do this with SBS ???
Question by:CoastalSlns
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 16968585
You can, but it would require separate, full licensing... which would mean Server 2003, Exchange 2003 and CALs for all of that.

Can you be more specific about what kind of "security breach" you are trying to protect against?  Because SBS is rather unique in that you wouldn't normally run all of the servers & roles it has on one machine... but if you deploy and configure according to best practices then it runs extremely well and secure.  

There's also a new paper that's just been released on SBS Security:  
http://www.microsoft.com/downloads/details.aspx?familyid=ccf92588-f367-4d25-8501-b4f680280f71&displaylang=en

Jeff
TechSoEasy

 

Author Comment

by:CoastalSlns
ID: 16969961
Well, this customer has been hacked into, lawsuits, etc, and they are not willing to open their LAN servers and PCs because of this.

I will read the article and make suggestions.

Any tips on hooking up an Exchange server in the DMZ?
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16972153
But mail only goes through port 25... and that's not at all the greatest exposure to your LAN.  So putting the Exchange server in a DMZ does not really accomplish what you are trying to do.

You would be much better off just deploying SBS PREMIUM with ISA Server.  If they only bought STANDARD, the upgrade is just the difference in price... $900.00 retail.

ISA Server is the absolute best way to keep them secure with an SBS... that and following the recommendations in the paper I linked above.

Because if you say, "not willing to open their lan servers and PCs because of this" are you inferring that you will not give them Internet access at all?

Jeff
TechSoEasy
 

Author Comment

by:CoastalSlns
ID: 16972418
Mail only goes through port 25, but OWA goes through port 80 and 443.  I am not saying that MS Products are not secure, but bugs have been found and exploited in the past.  I think having an Exchange server on the DMZ to do mail exchanging keeps them less exposed.

No one in their company has internet access that does not need it, and even there, it is highly controlled.  They have some web services that are hosted on the DMZ and only certain ports from those certain IPs on the DMZ are open through the firewall.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16973508
OWA would not be served off of your Exchange server unless, again, you had full licenses.  If you are planning on doing this, I would suggest that you stay away from SBS.  You will have many more problems than it's worth, in my opinion if you are planning on a deployment such as this.

Please review this article about whether SBS is right for you:  http://sbsurl.com/isitright

FYI, OWA does not use port 80, it only uses 443, which by definition is a secure port.  If you have even ONE person that is allowed outbound Internet access, then you essentially have the same problem as if you allow 5 or 10 people... the port will be open and it needs to be monitored.  Not providing workers with general Internet access will inhibit their ability to use the help functionality in Office 2003 and Office 2007.  These are highly integrated with web access and become significantly more productive with access.  

There ARE ways to be secure without locking yourself up in the castle and throwing away the key... it just requires proper deployment, management and monitoring.  Something that SBS makes rather simple compared to standard server products.

The key is to use high security measures, that encourage worker productivity, instead of inhibiting it!

So in a direct answer to your question, you CAN configure a Front-end Exchange Server and then make SBS's a back-end server.  I will stand corrected about the licensing, however, if you get SBS R2 you don't need CALs for additional Exchange or SQL servers, but you will need the Windows Server and Exchange Server licenses.  Configuring SBS as a back-end server could render many of the wizards useless... and not being able to use the wizards generally will cause other services to break because of the dependency they all have on each other.

Please read this post regarding that:  http:Q_21831460.html

So, because of the problems you may have with general configuration, I would recommend that you deploy standard Enterprise Servers instead of SBS.

Jeff
TechSoEasy

 

Author Comment

by:CoastalSlns
ID: 16974989
Thank you for your detailed response.  In reading the tech articles on ISA from Microsoft's page, Microsoft suggests running ISA with a server and with a front and back-end exchange server. Between ISA, the Firewall and 2 Exchange Servers, it seems overkill.  I've never used ISA, but it appears that configured in this situation, it is a glorified firewall.

BTW, I spoke with Microsoft yesterday, and they informed me that if I were to run this config, while it is possible, it becomes price inhibitive.  I would need to purchase SBS 2003 and appropriate CALs, then Windows 2003 Server, Exchange 2003 Server and MORE Windows and Exchange CALs because the SBS CALs will not cover the Windows and Exchange CALs separately.  So, like you said in your above post, it makes more sense to purchase separate Windows and Exchange CALs because we will only need to purchase CALs once.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16978102
The tech article you read regarding ISA does not apply to SBS.  ISA is integrated into SBS in a way that is much different than standard servers.  It's certainly NOT a glorified firewall... it permits or denies ALL network traffic based on a specific set of rules.  When you couple that with the newly available RADIUS configuration available with SBS 2003 R2, you have a perimetered network which is your best line of defense.

http://www.microsoft.com/isaserver/evaluation/overview/default.mspx

Whoever you spoke to at Microsoft did not realize that there is a change with SBS 2003 R2 licensing which makes it so you DON'T have to buy separate CALs for an additional Exchange or SQL server.  This is a quote from   http://www.microsoft.com/windowsserver2003/sbs/evaluation/faq/r2.mspx:

"Q. What are the expanded CAL rights in SBS 2003 R2?
 
A. Customers running SBS 2003 R2 can use their CALs to access additional servers running Windows Server 2003, Exchange Server 2003 and SQL Server 2005 Workgroup Edition on the SBS 2003 R2 network. See the licensing questions section for additional information on SBS 2003 R2 CALs."

Jeff
TechSoEasy
 

Author Comment

by:CoastalSlns
ID: 16978394
Hmmm, all that is interesting.

My only concern now is that if we were to install SBS 2003 Premium, and run ISA server, it would be running on the actual Root of the Active Directory, once again, exposing the network if an exploit is found.

Or am I missing something?
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16978515
You're missing the fact that whatever solution you decide to deploy there could always be an issue if "an exploit is found".  

Plus SBS is specifically engineered to allow for things like having all of these items on a Domain Controller and is still secure as long as you follow the security guidelines in the first link I provided AND keep up to date with all security notices and updates.

As I mentioned already... the ONLY way to keep a network totally secure is to not connect it to the Internet at all and to block the ability for anything to be loaded to it from either CD or USB device.  Obviously this is unpractical, and therefore the right thing to do is plan a proper deployment and manage it well.  Too often, people think if they do just a few things (such as putting the Exchange Server in a DMZ) that they will be safe... but then they allow users to stick a USB key drive in their workstation to supposedly just download a document, but unknowingly upload a trojan.  I'm not saying that this is what would happen in your case, but I am saying that I believe you or those that are directing the scope of this project are focusing rather narrowly on the situation.

Jeff
TechSoEasy
 

Author Comment

by:CoastalSlns
ID: 16979034
Points well taken.  Thank you for the time and comments you made.  I will take a look at the premium version and ISA and see how that looks for my client.  If they don't like the idea, we will run 2 Exchange servers and maybe ISA as well.

 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16980943
No problem...

One thing I've learned in the few years that I've been consulting...  It is a difficult but important skill to be able to listen to a client's requests and extract their true needs... while ignoring their actual stipulations for specific solutions...so that you can deploy solutions that actually solve the problems they have...  and then explaining to them that this is why they hired you in the first place.  (yes, that's all one sentence!  :-)  )

Good Luck!

Jeff
TechSoEasy