Setup Exchange Server 2003 in DMZ

1,066 Views
Last Modified: 2008-08-09
I want to set up an Exchange 2003 server (running on Server 2008) within a DMZ network.
The purpose is that users can access the server from the internet via OWA, and internally via Outlook.
The Active Directory controller is located within the internal network.
So I need to communicate from the internet to the DMZ for OWA, and from the DMZ to the internal network and vice versa for authentication and Outlook communication.

How do I set this up?

It's a bad idea to keep your server in the DMZ. Instead you should put an ISA server in the DMZ and let the ISA server handle your external users.
tigermatt (Site Reliability Engineer, Certified Expert, Most Valuable Expert 2011) commented:

Author commented:
Thanks for the comments already.

But I seem to be missing something here.
My DMZ (although it is called this way) is completely sealed from the external network (for now).
Wouldn't it be more dangerous to open the ports 80 & 433 directly to the internal network than only to the DMZ network? I use a static routing that maps the ports directly to my Exchange server.

If the server is compromised in the internal network or in the DMZ network (with only specified ports open)... what's the difference?

Note: I haven't installed Exchange yet on the 2K8 box.... (but have it running on another server that runs 2K3)
All this is for test & learning purposes only, so none of this here will go directly into production.
Hence this thread, to find the safest way to achieve this.

In advance, thanks for your help
An ISA server usually does not belong to your Active Directory domain. It is a stand-alone machine, so one thing you avoid is exposing your domain server to the world.
Imagine your DMZ server getting exposed and all of Active Directory getting harvested for spamming later.
Imagine the Exchange server getting compromised. From this compromised machine an attacker can either kill or harvest your entire Exchange org.

By putting ISA in front:
1. Any attackers who manage to break into ISA will not have any access to your domain.
2. You can implement two-factor authentication.

I can think of these few, but there are many more reasons...
tigermatt (Site Reliability Engineer, Certified Expert, Most Valuable Expert 2011) commented:
In the DMZ, you must still statically map crucial ports between the DMZ and the Internal network. These ports include the ones used for LDAP communication in Active Directory, DNS, Global Catalog ports and a whole host of others. By placing Exchange in the DMZ, you have to statically assign and open these critical ports to the LAN, so that Exchange can communicate with the domain controllers. A compromised machine in the DMZ could potentially use these ports to perform Active Directory lookups - without having to authenticate - and retrieve all the information in Active Directory or pull down your network.

If you are creating a test environment, then the test environment should fully replicate a production network, which you would set up for real. The firewall software you use has nothing to do with this simple matter. Whether you use ISA Server or anything else, all of the firewall implementations will essentially give you the same features with a DMZ and otherwise, and no matter which one you use, if you place Exchange in the wrong place, you will end up with a misconfigured, unreliable network.

By simply opening ports 80 and 443 direct to the Exchange Server in the LAN, you give yourself a much smaller attack surface. The HTTP and HTTPS ports are a lot less likely to be attacked by an attacker compared with the LDAP ports, and this will make your system a lot more secure.

-tigermatt

Commented:
Ah, I'm sorry I missed the evolution of this thread. Let me just say I couldn't agree more with tigermatt, it's definitely not something that should be tried lightly.

However, LDAP is not completely insecure and can be almost fully secured if you choose to employ Kerberos.

What I disagree with is forwarding HTTP directly into your LAN for OWA access. OWA should run over HTTPS, or shouldn't be installed at all. Having your domain logon credentials travelling over the internet completely unencrypted is just asking for it.

What ticked me off on this subject and made me try it myself is that most IT pros (including several official technotes from Microsoft) claim that this CANNOT be done, instead of SHOULDN'T be done. Still, probably the worst downside of this configuration is that you completely forfeit any kind of support from Microsoft. They won't even discuss the issue until the server is back inside your LAN.

Closing my tirade, I agree with Sudhirchauhan3; the best Exchange deployment scenario so far is:
Exchange 2007
Hub Transport, Client Access, Mailbox roles inside the LAN
Edge Server role in the DMZ acting as SMTP relay / antispam gateway
ISA Server in the DMZ publishing OWA, Outlook Anywhere
COMPLETE with SSL certificates
tigermatt (Site Reliability Engineer, Certified Expert, Most Valuable Expert 2011) commented:
Microsoft Technet is one of the worst places to look if you want to get away from the idea of Exchange not going into the DMZ. Microsoft know it, and many people in high positions have done a lot to try to get the articles changed, but Technet just keeps on with the idea that Exchange in the DMZ is good. In fact, as has already been described, this is completely the opposite of the point which Microsoft should be putting forward.

With regards to forwarding the HTTP port for OWA, I would completely agree that SSL must be used for ultimate security of the Exchange Organization and Active Directory network. However, the reason I always recommend it is forwarded is because OWA can be configured to automatically redirect requests on HTTP through to the HTTPS site, meaning users don't have to type the https:// part before the webmail domain name.

-tigermatt

Author commented:
Of course the OWA would go over HTTPS. The typing of https instead of http isn't an issue here. (Although users can sometimes be lazy :) )
The only thing that worries me a bit is opening a port directly into my intranet...
That's why I thought that opening it only to the DMZ was a bit safer.
Any comments on this?
tigermatt (Site Reliability Engineer, Certified Expert, Most Valuable Expert 2011) commented:
Opening the port into your LAN is the least of your worries. As I have already mentioned several times, if you open it into the DMZ, you will then be forced to open a wide array of ports between the DMZ and the LAN in order for Exchange to communicate with Active Directory correctly. These ports are a lot more critical than a single port for HTTPS, and if there were a potential exploit which an attacker could use, they could easily use the vast number of ports to wreak a lot more havoc on your network than they could through a single HTTPS port.

The DMZ is ideally suited to machines which can communicate between the LAN and the WAN on single and safe ports, such as HTTP ports. LDAP ports should never be opened into the DMZ at all.

-tigermatt

Commented:
Well, I'm sure we'll all agree on this: it's better to open one port on the intranet (as long as SSL is employed) than to open more than 100 ports from the DMZ to the intranet. See, RPC alone will need at least a range of 100 ports for MAPI connections, as you can read in my thread.
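As an added illustration of the port-count argument tigermatt and wizzad make above (example code written for this edit, not code from the thread or from any poster): a small audit over constructed, zone-based firewall rules that counts what each design opens into the LAN and flags directory-service ports and wide RPC-style ranges. The rule syntax is my own, and the port numbers other than 80/443 are the standard Windows Active Directory ports, assumed rather than taken from the page.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto lo hi")

# Standard port numbers for the services the thread names (well-known values,
# not taken from the page); the dynamic RPC range is judged from the rule itself.
DIRECTORY_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                   389: "LDAP", 636: "LDAPS", 3268: "Global Catalog",
                   3269: "Global Catalog over SSL"}

def parse_rules(text):
    """Parse constructed rules like 'allow DMZ LAN tcp 389' or '... tcp 6001-6100'."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "allow":
            continue  # this toy format only carries allow rules
        lo, _, hi = parts[4].partition("-")
        rules.append(Rule(parts[1], parts[2], parts[3], int(lo), int(hi or lo)))
    return rules

def audit(rules):
    """Return (findings, number of ports opened into the LAN from other zones)."""
    findings, exposed = [], 0
    for r in rules:
        if r.dst != "LAN" or r.src == "LAN":
            continue
        width = r.hi - r.lo + 1
        exposed += width
        hits = [f"{p}/{n}" for p, n in DIRECTORY_PORTS.items() if r.lo <= p <= r.hi]
        if hits:
            findings.append(f"{r.src}->LAN exposes directory services: {', '.join(hits)}")
        if width > 1:
            findings.append(f"{r.src}->LAN opens a {width}-port range {r.lo}-{r.hi} "
                            "(dynamic RPC/MAPI style)")
        if r.src == "WAN" and r.lo <= 80 <= r.hi:
            findings.append("WAN->LAN allows plain HTTP 80: OWA logons travel in the "
                            "clear unless redirected to 443")
    return findings, exposed

# Constructed rule sets for the two designs debated in the thread.
EXCHANGE_IN_DMZ = """
allow WAN DMZ tcp 443
allow DMZ LAN udp 53
allow DMZ LAN tcp 135
allow DMZ LAN tcp 389
allow DMZ LAN tcp 3268
allow DMZ LAN tcp 6001-6100
"""
EXCHANGE_IN_LAN = "allow WAN LAN tcp 443\n"
```

Running `audit(parse_rules(EXCHANGE_IN_DMZ))` reports 104 ports opened into the LAN with five findings, while the Exchange-in-LAN set reports a single port and no findings.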
tigermatt (Site Reliability Engineer, Certified Expert, Most Valuable Expert 2011) commented:
Exactly. Good summary of my above points wizzad :-)