I have an Exchange Server placed in my DMZ that is also a DC for my domain. Demoting it to a member server is not supported by Microsoft (http://support.microsoft.com/kb/822179), so I have to deal with AD replication through my FW.
I have followed this Microsoft document:
that, although written for Windows 2000, is valid for Windows 2003.
I have followed the (theoretically) most secure approach of encapsulating traffic between DMZ and Internal DCs through IPSec.
My question is this:
What is the difference between doing this, the most secure solution, and just fully opening traffic between the DMZ DC and the Internal DCs (the first option in the document)?
I realize that, obviously, there are far fewer ports involved that I have to open in my firewall between the servers (just IP 50, 51 and UDP 500), but anyway what I am doing is encapsulating ALL traffic between the DMZ DC and the rest of the internal DCs, so if someone hacks my Exchange Server, he/she will anyhow have open access to my internal DCs through the IPSec channel (with the other option he/she will just have direct access through the "hole" in my FW).
I think I am missing something here...