?
Solved

Exchange 2003 Network Design Question

Posted on 2006-07-19
10
Medium Priority
?
297 Views
Last Modified: 2010-03-06
We are currently planning a Groupwise to Exchange conversion (I know---why go to Exchange, but we were told we had to).  My task is to come up
with the most secure, yet functional implementation of the server layout / design.  We have a heavy use of OWA and about 1000+ accounts.  What
would be the best way to setup the design?  We are to use an appliance for the SPAM / AntiVirus as well.  I am stuck between Barracuda and Symantec's 8200 series.  I currently have though of 4 different layouts...

We have a Firewall - DMZ - Internal Network

1.  FW |  Appliance + Front End Servers | FW | Back End Servers and AD
           I put this in just so I could shoot it down.  I am not planning on this but maybe the experts think it is the best.
2.  FW |  Appliance + Apache on sun/linux | FW | Front End Servers, Back End Servers, and AD
           I am leaning towards this approach
3.  FW |  Appliance + ISA Server | FW | FES, BES and AD
           MS recommends the ISA server obviously but it seems overkill in my situation
4.  FW |  CipherTrust Appliance + CipherTrust proxy | FW | FES, BES, AD
           Cipher Trust supposedly has 2 appliances that can do the proxying and AntiVirus / AntiSpam (We are still researching)

Does anyone have any suggestions on what layout to use and what appliance to go with?  There really is not a budget.  I was told to make it work
in the most effective yet secure way :)
0
Comment
Question by:Addpcg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
10 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 17141090
You have to ask why go to Exchange from Groupwise? :)

Solution 1 is the best solution (IMHO). You want your FE servers in your DMZ, that is the whole point of the FE servers. You expose them instead of your mailbox server and you don't need to punch a hole through your firewall from the Internet to your internal network. Use your appliance to handle incoming and outgoing SMTP traffic (BTW - I recommend you look at Tumbleweed) and use the FE server for OWA and RPC over HTTP traffic.

JJ
0
 

Author Comment

by:Addpcg
ID: 17141129
By having the Front End Servers in the DMZ, do you not have to open a TON of ports including all the RPC ports, not just 443 and 25?  I am new to the Exchange world.  I supported Lotus Notes and Groupwise on the perimeter end by using postfix among other Internet Email solutions so this is
kind of new to me.
Thanks!
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 17141155
From the FE server to your BE and AD server, yes there are a number of ports that need to be open. From the Internet to the FE you only need to open 443 if you are just going to use them for OWA and RPC over HTTP. You will be using your appliance for SMTP traffic so the FE server won't need to send/receive SMTP to the Internet.

JJ
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:Addpcg
ID: 17141219
We are actually going to use the FE servers for OWA, OMA, and Public Folders but yes it should only be 443.  From a security standpoint is that more secure than having a linux / sun box proxying to the FE severs on the inside?  I am just a little leary of putting Exchange Servers in the DMZ (even though the only ports open to the outside is minimal).  That was my thought anyway so I am asking the experts.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 17141306
To be honest, I'm not a security expert so I can't really give an expert opinion on which method is more secure. Like you said though, the exposure would be minimal and any potential attack over port 443 would probably be sent by the Linux proxy to the FE server anyway.

JJ
0
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 17141679
For me, I would go with option three. I have deployed almost the same solution for a number of finance houses and it has got past their internal security people.

When it comes to introducing a proxy box, then that is where your skillset comes in. Are you comfortable with securing a proxy on Linux/Solaris?

Simon.
0
 

Author Comment

by:Addpcg
ID: 17141869
We have Apache "experts" in the company that has experience doing this so it should not be an issue.  We would just proxy all (i use that loosely) 443 requests inside the FW to the FE servers.  That way there isn't a plethera of "risks" with open ports and vulnerable OS's exploits in the DMZ.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17141880
The primary concern must be what skills you have - without the skills then your security is compromised, because you cannot recognise what the problem is.
Therefore if you have the skills in house - and will retain the skills (ie if someone was to leave they would be replaced) then go with what you can do.

Simon.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses
Course of the Month9 days, 7 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question