questions1979
If I place Exchange 2007 in the DMZ, how do I make it communicate with AD?

Hi all,

I am a bit confused about the best way to deploy Exchange Server 2007 SP1.

Since my knowledge of AD is basic ...

Let me describe my environment and my story here.

I am now deploying a test environment for the trial Exchange Server 2007 SP1 for testing ....

My company has a SonicWALL firewall; our LAN uses the IP range 192.168.18.x/24,
and the AD server is on the same network as the LAN.

The Exchange server is currently on the same LAN too, meaning it is on 192.168.18.x/24, and I am using port forwarding so the Internet can access this server ......

Now I want to try rebuilding from scratch and place Exchange in the DMZ on 172.16.8.x/24.

And the firewall is set so that the DMZ zone cannot access the LAN zone.

So the problem is: how can Exchange join the LAN's AD domain and then be installed?

What ports/services do I need to open?

In any case, with Microsoft's recommended approach (one Edge server in the DMZ and the other roles on the LAN) it is the same question as above: how do I let the DMZ Edge server communicate with the LAN's AD server?

Thank you for your time and help.
ASKER CERTIFIED SOLUTION
Nitin Gupta
Major point: the Edge server does not talk to AD at all; it is the Hub Transport role that talks to AD and in turn passes ADAM updates to Edge via an Edge Subscription.
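The point above (Edge in the DMZ needs only SMTP to and from the Hub plus the EdgeSync channel from the Hub, and never the AD ports) can be turned into a quick firewall check. The following PowerShell script is an added example, not code from this thread or from Microsoft; it is meant to run on the DMZ Edge server, and the Hub (192.168.18.10) and domain controller (192.168.18.5) addresses are assumed placeholders to replace with your own. It uses a plain TCP connect with a timeout, so it works on the PowerShell 2.0 that ships with the Exchange 2007 era and needs no extra modules.

```powershell
# Added example (not from the thread): verify the firewall flows for an
# Edge Transport server in the DMZ. Run it ON the DMZ Edge server.
# Assumed placeholder addresses: Hub Transport 192.168.18.10 and a domain
# controller 192.168.18.5, both on the LAN. Replace them with your own.
$HubServer        = "192.168.18.10"
$DomainController = "192.168.18.5"

# Plain TCP connect with a timeout; returns $true if the port answers.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# What the Edge role needs, and what it must NOT be able to reach.
# EdgeSync itself runs from the Hub to the Edge on TCP 50636 (secure LDAP
# to ADAM), so that flow is checked from the Hub with the same function:
#   Test-TcpPort -ComputerName <edge-ip> -Port 50636
$Checks = @(
    @{ Target = $HubServer;        Port = 25;   Desc = "SMTP Edge -> Hub (required)";          ShouldBeOpen = $true  },
    @{ Target = $DomainController; Port = 88;   Desc = "Kerberos to DC (Edge does not need)";  ShouldBeOpen = $false },
    @{ Target = $DomainController; Port = 389;  Desc = "LDAP to DC";                           ShouldBeOpen = $false },
    @{ Target = $DomainController; Port = 636;  Desc = "LDAPS to DC";                          ShouldBeOpen = $false },
    @{ Target = $DomainController; Port = 3268; Desc = "Global Catalog to DC";                 ShouldBeOpen = $false },
    @{ Target = $DomainController; Port = 445;  Desc = "SMB to DC";                            ShouldBeOpen = $false },
    @{ Target = $DomainController; Port = 135;  Desc = "RPC endpoint mapper to DC";            ShouldBeOpen = $false }
)

foreach ($c in $Checks) {
    $open    = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    $ok      = ($open -eq $c.ShouldBeOpen)
    $state   = if ($open) { "open" } else { "blocked" }
    $verdict = if ($ok)   { "OK  " } else { "FIX " }
    "{0} {1}:{2,-5} {3,-7} {4}" -f $verdict, $c.Target, $c.Port, $state, $c.Desc
}
```

A line marked FIX means the firewall differs from the design: either the SMTP path to the Hub is missing (mail flow will fail) or an AD port on the LAN is reachable from the DMZ, which is exactly the exposure the asker wants to avoid and which the Edge role does not need.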
questions1979 (Asker)
Hi all,

First, thank you for the fast response.

If I have no Edge server, are the ports I must open still the same?

Since I am now in the testing cycle, the AD server's network is new and not the production environment, so I do not need to worry about security in this test environment.

I just want to understand more about how it works and try to do the best possible deployment after finishing all the testing, then place Exchange in the production environment ...


Actually, my company has just enough money for only one server, so I am thinking the Edge Server role cannot be deployed if we decide to buy it.

Is placing Exchange Server 2007 behind the firewall in the LAN zone my only option? I am a bit worried that if it is cracked, it can access the LAN zone's resources ....

Or is the best approach to make two forests, neither trusting the other, on one server and place it behind the firewall in the LAN?

Thank you for your time and kind response.
SOLUTION
Hi,

As per your response, you have budget for only one server, so multiple forests would also be possible as that would require additional resources :-) !!

OK, you have one server; you can have your Mailbox, Hub Transport and CAS roles on the same server (watch out for load and mailbox count) and open up the ports on the firewall for the necessary routing. This is also a solution, though not recommended. Make sure this server is in the LAN and not in the DMZ.

Also, you can choose a smart host (your ISP) for external mail routing. This way you reduce the chances of attack further and improve availability.

Note: you can't have Edge on this server, but Hub will take care of a lot of mail routing and anti-spam capabilities.

Well, for production I would never recommend this solution though.

Hope this helps
Nitin
gupnit,

"OK, you have one server; you can have your Mailbox, Hub Transport and CAS roles on the same server (watch out for load and mailbox count) and open up the ports on the firewall for the necessary routing. This is also a solution, though not recommended. Make sure this server is in the LAN and not in the DMZ."

What you said above is what I am doing in my company right now in the testing environment, and I plan to move to it later; that is why I was thinking of placing it in the DMZ like other non-Microsoft mail servers that can work with only one server ....

But now, seeing your and the others' kind answers, I know that placing it in the DMZ is not supported ...

Then, I am a bit confused by what you mean by "ISP smart host" external mail routing ...

My ISP has given me an SMTP server (corpmail.MYISP.com) that does not need any user name or password etc.

And in my testing environment, I am setting Exchange to use this ISP as the SMTP server for "sending" e-mail outside (is this what you mean by the smart host???). Incoming mail still comes in through Exchange, with the Hub role set to accept anonymous mail ....

And please note that I am using a multi-forest setup because the AD domain used on our LAN is doing secret design artwork, engineering art etc., so I do not mind spending more time managing two different forests. On my plan, I am thinking that if one day Exchange gets cracked and the cracker takes over a user account, then if Exchange is on the same LAN it can access all the secret files and resources granted to the cracked user. So on my plan, with two forests and users forced not to use the same password on Exchange .... then Exchange can't access the resources anymore.....

What do all the experts think of the above setup in my environment? I think it is all I can do now with these limited resources ...


Thank you to all the experts very much for your time. Adding points to 250.
Great, you are on track in terms of the smart host.
Well, quite close to a resource forest scenario. The only issue here is that it will increase your administrative burden.
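The single-server, smart-host setup the thread settles on can be configured in the Exchange 2007 Management Shell. The commands below are an added example, not from the thread or from Microsoft's documentation; they assume a combined Hub/CAS/Mailbox server named EX01 (placeholder) whose default receive connector still has the default name, and the ISP relay corpmail.MYISP.com given by the asker, which needs no authentication.

```powershell
# Added example (not from the thread): Exchange 2007 Management Shell
# configuration for one combined Hub/CAS/Mailbox server on the LAN.
# Assumptions: server name EX01 (placeholder); ISP relay corpmail.MYISP.com
# as stated in the thread, with no username/password.

# Outbound: send all Internet mail through the ISP smart host instead of
# resolving MX records and connecting to remote hosts from this server.
New-SendConnector -Name "Internet via ISP smart host" `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -SmartHosts "corpmail.MYISP.com" `
    -SmartHostAuthMechanism None `
    -DNSRoutingEnabled $false `
    -SourceTransportServers "EX01"

# Inbound: with no Edge server the Hub's receive connector has to accept
# anonymous SMTP from the Internet, so keep the message size limit explicit.
Set-ReceiveConnector -Identity "EX01\Default EX01" `
    -PermissionGroups "AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers" `
    -MaxMessageSize 20MB

# Verify what was applied.
Get-SendConnector | Format-List Name,SmartHosts,AddressSpaces,DNSRoutingEnabled
Get-ReceiveConnector -Identity "EX01\Default EX01" | Format-List Name,Bindings,PermissionGroups
```

With this in place, the only flow the firewall has to allow from the Internet to the LAN server is TCP 25 to EX01, and the only outbound SMTP flow is from EX01 to the ISP relay; the server's own DNS and AD traffic stays inside the LAN, which is what Nitin's "keep it in the LAN, not the DMZ" advice relies on.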