[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

can the hub transport role and client access server in exchange 2007 be placed in a dmz?

Posted on 2008-10-08
2
Medium Priority
?
1,254 Views
Last Modified: 2013-12-12
I am deploying exchange 2007 and do not have enough hardware to use Microsoft best practices with an edge transport server in a workgroup in a dmz. The deployment plan is to have the  hub transport and client access server on a seperate server, and the mailbox servers will be in a CCR cluster with no other roles on them. Windows server 2003 R2 64bit will be used as the os.
Microsoft does not support the client access server role in a dmz. It seems to be poor security practice to have the client access server in a dmz, as the amount of ports that need to be open create a security risk between the intranet and internal LAN. Many articles recommend a reverse proxy with ISA server if you are going to place the CAS and hub transport in a dmz. The company has ironport boxes which act as smtp gateways, along with firewalls that have application layer scanning and sophisticated packet intrusion detection capabilities Is it acceptable to place the hub transport role and client access role on the same server behind the corporate firewall? In this case we are depending on the security of the ironport boxes to protect the hub and client access roles.

What is the recommended solution in this case?


thanks
0
Comment
Question by:bignewf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
icky2000 earned 500 total points
ID: 22674189
The CA role and the HT role are separate issues from a security standpoint because they are handling different traffic and protocols, regardless of whether they are on the same box or not. It isn't uncommon to eliminate the Edge role if you have some other email-specific security system on your network (like Ironport). Your MX records point to Ironport which handles antispam/antivirus and therefore protects the HT server. You should not allow direct connections from the internet to your HT. Only allow connections through from Ironport.

As for the CA role, the configuration you've discussed will be the recommended solution to place the CA server inside the firewall (even though separating it from the HT is preferred). Yes, you could further improve security with an ISA solution but it is very common to not have ISA and publish the CA protocols direct to the internet.

You won't be the first to have such a configuration - seems reasonable.
0
 
LVL 15

Author Closing Comment

by:bignewf
ID: 31504452

Thank you for your answer. Since all mail flow will go throught the ironport appliances, and the mx records will point to these boxes, the hub roles are  not directly exposed to the internet.  Since best practices with an Edge transport cannot be deployed, this is the path I will take.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question