Solved

can the hub transport role and client access server in exchange 2007 be placed in a dmz?

Posted on 2008-10-08
Last Modified: 2013-12-12
I am deploying Exchange 2007 and do not have enough hardware to use Microsoft best practices with an Edge Transport server in a workgroup in a DMZ. The deployment plan is to have the Hub Transport and Client Access server on a separate server, and the mailbox servers will be in a CCR cluster with no other roles on them. Windows Server 2003 R2 64-bit will be used as the OS.
Microsoft does not support the Client Access server role in a DMZ. It seems to be poor security practice to have the Client Access server in a DMZ, as the number of ports that need to be open creates a security risk between the intranet and internal LAN. Many articles recommend a reverse proxy with ISA Server if you are going to place the CAS and Hub Transport in a DMZ. The company has IronPort boxes which act as SMTP gateways, along with firewalls that have application layer scanning and sophisticated packet intrusion detection capabilities. Is it acceptable to place the Hub Transport role and Client Access role on the same server behind the corporate firewall? In this case we are depending on the security of the IronPort boxes to protect the Hub and Client Access roles.

What is the recommended solution in this case?


thanks
Question by:bignewf
2 Comments
LVL 7

Accepted Solution

by: icky2000 (earned 125 total points)
ID: 22674189
The CA role and the HT role are separate issues from a security standpoint because they are handling different traffic and protocols, regardless of whether they are on the same box or not. It isn't uncommon to eliminate the Edge role if you have some other email-specific security system on your network (like Ironport). Your MX records point to Ironport which handles antispam/antivirus and therefore protects the HT server. You should not allow direct connections from the internet to your HT. Only allow connections through from Ironport.

As for the CA role, the configuration you've discussed, placing the CA server inside the firewall, will be the recommended solution (even though separating it from the HT is preferred). Yes, you could further improve security with an ISA solution, but it is very common to not have ISA and to publish the CA protocols directly to the internet.

You won't be the first to have such a configuration - seems reasonable.
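The "only allow connections through from Ironport" advice above has two halves: a firewall rule that permits inbound TCP/25 only from the IronPort appliances, and a matching restriction on the Hub Transport's own receive connectors so the Hub does not accept anonymous SMTP from anything else even if a firewall rule is later loosened. The following Exchange 2007 Management Shell session is an added example and is not part of the thread; the server name HUB01, the IronPort addresses 192.0.2.10 and 192.0.2.11 (RFC 5737 documentation range), the internal range 10.0.0.0/8 and the FQDN mail.example.com are assumptions to be replaced with your own values.

```powershell
# Added example, not from the original thread. Run in the Exchange 2007
# Management Shell on (or targeting) the Hub Transport server.
# Assumed values: Hub server HUB01, IronPort appliances 192.0.2.10 and
# 192.0.2.11, internal network 10.0.0.0/8, public FQDN mail.example.com.

$hub      = "HUB01"
$ironport = "192.0.2.10", "192.0.2.11"

# 1. A connector that accepts anonymous (internet) SMTP only from the
#    IronPort appliances. -Usage Internet grants the AnonymousUsers
#    permission group; -RemoteIPRanges limits which sources may use it.
#    Exchange picks the connector whose RemoteIPRanges most specifically
#    matches the sender, so this one wins for the IronPort addresses.
New-ReceiveConnector -Name "Inbound from IronPort" -Server $hub `
    -Usage Internet -Bindings "0.0.0.0:25" -RemoteIPRanges $ironport `
    -Fqdn "mail.example.com"

# 2. The default connector created with the Hub role listens on 0.0.0.0:25
#    for every remote IP. It carries authenticated Exchange-to-Exchange
#    traffic, so narrow it to the internal network rather than removing it.
Set-ReceiveConnector -Identity "$hub\Default $hub" -RemoteIPRanges "10.0.0.0/8"

# 3. Verify. The only connector listing AnonymousUsers should be the
#    IronPort one, and no connector should still accept
#    0.0.0.0-255.255.255.255.
Get-ReceiveConnector -Server $hub |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups |
    Format-List
```

The connector ranges are a second line of defence, not a substitute for the firewall: keep inbound TCP/25 to the Hub permitted only from the IronPort appliances at the perimeter, and confirm from an external address that port 25 on the Hub is unreachable while port 443 for the CAS protocols (OWA, ActiveSync, Outlook Anywhere) is the only other service published.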
LVL 15

Author Closing Comment

by: bignewf
ID: 31504452
Thank you for your answer. Since all mail flow will go through the IronPort appliances, and the MX records will point to these boxes, the Hub roles are not directly exposed to the internet. Since best practices with an Edge Transport cannot be deployed, this is the path I will take.
