Solved

can the hub transport role and client access server in exchange 2007 be placed in a dmz?

Posted on 2008-10-08
2
1,249 Views
Last Modified: 2013-12-12
I am deploying exchange 2007 and do not have enough hardware to use Microsoft best practices with an edge transport server in a workgroup in a dmz. The deployment plan is to have the  hub transport and client access server on a seperate server, and the mailbox servers will be in a CCR cluster with no other roles on them. Windows server 2003 R2 64bit will be used as the os.
Microsoft does not support the client access server role in a dmz. It seems to be poor security practice to have the client access server in a dmz, as the amount of ports that need to be open create a security risk between the intranet and internal LAN. Many articles recommend a reverse proxy with ISA server if you are going to place the CAS and hub transport in a dmz. The company has ironport boxes which act as smtp gateways, along with firewalls that have application layer scanning and sophisticated packet intrusion detection capabilities Is it acceptable to place the hub transport role and client access role on the same server behind the corporate firewall? In this case we are depending on the security of the ironport boxes to protect the hub and client access roles.

What is the recommended solution in this case?


thanks
0
Comment
Question by:bignewf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
icky2000 earned 125 total points
ID: 22674189
The CA role and the HT role are separate issues from a security standpoint because they are handling different traffic and protocols, regardless of whether they are on the same box or not. It isn't uncommon to eliminate the Edge role if you have some other email-specific security system on your network (like Ironport). Your MX records point to Ironport which handles antispam/antivirus and therefore protects the HT server. You should not allow direct connections from the internet to your HT. Only allow connections through from Ironport.

As for the CA role, the configuration you've discussed will be the recommended solution to place the CA server inside the firewall (even though separating it from the HT is preferred). Yes, you could further improve security with an ISA solution but it is very common to not have ISA and publish the CA protocols direct to the internet.

You won't be the first to have such a configuration - seems reasonable.
0
 
LVL 15

Author Closing Comment

by:bignewf
ID: 31504452

Thank you for your answer. Since all mail flow will go throught the ironport appliances, and the mx records will point to these boxes, the hub roles are  not directly exposed to the internet.  Since best practices with an Edge transport cannot be deployed, this is the path I will take.
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In-place Upgrading Dirsync to Azure AD Connect
Viewers will learn how to use the Hootsuite Dashboard.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question