DMZ for Exchange and IIS: how can I use them!!??

Posted on 2007-10-18
Last Modified: 2008-11-17
My network has a main domain controller with 1 network card.

I have an ISA server with 3 network cards.
Exchange and IIS servers, both with 2 network cards.

What is the best configuration for my Exchange and IIS servers with a DMZ, and what benefit will I get if I do so?

Is there anything I need to take care about when I configure a DMZ?
Question by:al_ghamdi
    LVL 37

    Expert Comment


    Having a server with both DMZ and LAN interfaces pretty much defeats the purpose of having a DMZ at all.

    The idea of a DMZ is that not only is there a firewall between your server and the internet to protect the server against attacks, but the firewall is also between the server and your LAN, thus protecting your LAN against the DMZ server just in case the server is compromised.

    Putting the DMZ servers directly on your LAN takes away the second benefit. If your DMZ server is compromised, then your entire LAN becomes open to attack.

    LVL 2

    Expert Comment

    You will want to connect your Exchange and IIS machine to the DMZ segment of the network ONLY. You can then allow certain administrative access from the LAN to the DMZ machines in the ISA server.  You'll also need to configure certain ports open from the DMZ to the DC on the LAN back through the ISA server for authentication, etc. Let me know if you need more detail on the ports and I will post.

    Author Comment

    Can I have more information about that?

    meverest: you said: "If your DMZ server is compromised, then your entire LAN becomes open to attack."

    I need more details please.

    Also, bsmith80:
    Can I have more details on what is the best and highest security I can configure for my network?

    LVL 2

    Accepted Solution

    meverest: you said: "If your DMZ server is compromised, then your entire LAN becomes open to attack."

    If you directly connect your DMZ machines to the LAN with the other NIC, then it defeats the purpose of the DMZ. If the DMZ machine gets compromised, the attackers have a direct connection to the LAN via the other NIC. You really don't want to connect the 2nd NIC to the LAN.

    Ideally, you'll want to keep your backend Exchange mail server on the LAN, and have a front-end only Exchange box in the DMZ. The following link has lots of documentation dealing with how to set it all up:

    If you have other questions, please let me know.
    LVL 37

    Assisted Solution

    An interesting example I saw a few years ago. A client called complaining their printers were going very slow. It turned out that one of their developers opened his workstation to the internet to host his web site. It got infected by Code Red, which then immediately started searching for other web servers on the network. Not only did it infect all the other developer desktops (which all had IIS running for their dev work) but since the HP printers also had a web server running for configuration and admin, the Code Red worm was effectively acting as a denial of service.

    A dual-homed web server on both DMZ and LAN may as well be on the LAN with a port forwarding on the router, and so defeats the whole purpose of a DMZ entirely.

    Think, also, about a root-kit compromise. If someone manages to install a rootkit on your web server, then they are free to roam your LAN looking for other exploits. i.e. BAD IDEA! ;-)
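The design rules in the accepted and assisted solutions (no host dual-homed across DMZ and LAN; DMZ-to-LAN traffic only toward the named DC on explicit ports) can be checked mechanically. The following is an added example, not code from the thread or from any product; the host names, NIC layouts and port numbers are constructed sample data, and the real DMZ-to-DC port list depends on the Exchange and AD versions in use.

```python
from dataclasses import dataclass

DMZ, LAN = "dmz", "lan"

@dataclass(frozen=True)
class Host:
    name: str
    nics: tuple          # zone attached to each network card

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str        # a host name, or "any"
    ports: tuple         # destination ports, or ("any",)

def dual_homed(hosts):
    """A host with one NIC in the DMZ and one in the LAN bypasses the
    firewall: if it is compromised, the attacker is already on the LAN."""
    return [h.name for h in hosts if DMZ in h.nics and LAN in h.nics]

def overbroad_dmz_to_lan(rules, lan_targets):
    """DMZ->LAN rules should exist only toward named LAN hosts (the DC)
    on explicit ports; 'any' in either field opens the LAN to the DMZ."""
    return [r for r in rules
            if r.src_zone == DMZ and r.dst_zone == LAN
            and (r.dst_host not in lan_targets or "any" in r.ports)]

def audit(hosts, rules, lan_targets):
    """Return one finding string per design violation (empty list = clean)."""
    findings = [f"dual-homed host bridges DMZ and LAN: {n}" for n in dual_homed(hosts)]
    findings += [f"over-broad DMZ->LAN rule: {r.dst_host} ports {r.ports}"
                 for r in overbroad_dmz_to_lan(rules, lan_targets)]
    return findings

# Constructed sample: the asker's layout, with each server's second NIC on the LAN.
AS_ASKED = [Host("dc1", (LAN,)), Host("exch1", (DMZ, LAN)), Host("web1", (DMZ, LAN))]
# Corrected layout: the DMZ servers sit on the DMZ segment only.
CORRECTED = [Host("dc1", (LAN,)), Host("exch1", (DMZ,)), Host("web1", (DMZ,))]
# Constructed rules: admin access LAN->DMZ, and DMZ->DC on explicit sample ports.
RULES_GOOD = [Rule(LAN, DMZ, "any", (3389,)), Rule(DMZ, LAN, "dc1", (53, 88, 389))]
RULES_BAD = RULES_GOOD + [Rule(DMZ, LAN, "any", ("any",))]

if __name__ == "__main__":
    for finding in audit(AS_ASKED, RULES_BAD, {"dc1"}):
        print(finding)
    print("corrected layout findings:", audit(CORRECTED, RULES_GOOD, {"dc1"}))
```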
