Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

can the hub transport role and client access server in exchange 2007 be placed in a dmz?

Posted on 2008-10-08
2
1,248 Views
Last Modified: 2013-12-12
I am deploying exchange 2007 and do not have enough hardware to use Microsoft best practices with an edge transport server in a workgroup in a dmz. The deployment plan is to have the  hub transport and client access server on a seperate server, and the mailbox servers will be in a CCR cluster with no other roles on them. Windows server 2003 R2 64bit will be used as the os.
Microsoft does not support the client access server role in a dmz. It seems to be poor security practice to have the client access server in a dmz, as the amount of ports that need to be open create a security risk between the intranet and internal LAN. Many articles recommend a reverse proxy with ISA server if you are going to place the CAS and hub transport in a dmz. The company has ironport boxes which act as smtp gateways, along with firewalls that have application layer scanning and sophisticated packet intrusion detection capabilities Is it acceptable to place the hub transport role and client access role on the same server behind the corporate firewall? In this case we are depending on the security of the ironport boxes to protect the hub and client access roles.

What is the recommended solution in this case?


thanks
0
Comment
Question by:bignewf
2 Comments
 
LVL 7

Accepted Solution

by:
icky2000 earned 125 total points
ID: 22674189
The CA role and the HT role are separate issues from a security standpoint because they are handling different traffic and protocols, regardless of whether they are on the same box or not. It isn't uncommon to eliminate the Edge role if you have some other email-specific security system on your network (like Ironport). Your MX records point to Ironport which handles antispam/antivirus and therefore protects the HT server. You should not allow direct connections from the internet to your HT. Only allow connections through from Ironport.

As for the CA role, the configuration you've discussed will be the recommended solution to place the CA server inside the firewall (even though separating it from the HT is preferred). Yes, you could further improve security with an ISA solution but it is very common to not have ISA and publish the CA protocols direct to the internet.

You won't be the first to have such a configuration - seems reasonable.
0
 
LVL 15

Author Closing Comment

by:bignewf
ID: 31504452

Thank you for your answer. Since all mail flow will go throught the ironport appliances, and the mx records will point to these boxes, the hub roles are  not directly exposed to the internet.  Since best practices with an Edge transport cannot be deployed, this is the path I will take.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question