Solved

can the hub transport role and client access server in exchange 2007 be placed in a dmz?

Posted on 2008-10-08
2
1,245 Views
Last Modified: 2013-12-12
I am deploying exchange 2007 and do not have enough hardware to use Microsoft best practices with an edge transport server in a workgroup in a dmz. The deployment plan is to have the  hub transport and client access server on a seperate server, and the mailbox servers will be in a CCR cluster with no other roles on them. Windows server 2003 R2 64bit will be used as the os.
Microsoft does not support the client access server role in a dmz. It seems to be poor security practice to have the client access server in a dmz, as the amount of ports that need to be open create a security risk between the intranet and internal LAN. Many articles recommend a reverse proxy with ISA server if you are going to place the CAS and hub transport in a dmz. The company has ironport boxes which act as smtp gateways, along with firewalls that have application layer scanning and sophisticated packet intrusion detection capabilities Is it acceptable to place the hub transport role and client access role on the same server behind the corporate firewall? In this case we are depending on the security of the ironport boxes to protect the hub and client access roles.

What is the recommended solution in this case?


thanks
0
Comment
Question by:bignewf
2 Comments
 
LVL 7

Accepted Solution

by:
icky2000 earned 125 total points
ID: 22674189
The CA role and the HT role are separate issues from a security standpoint because they are handling different traffic and protocols, regardless of whether they are on the same box or not. It isn't uncommon to eliminate the Edge role if you have some other email-specific security system on your network (like Ironport). Your MX records point to Ironport which handles antispam/antivirus and therefore protects the HT server. You should not allow direct connections from the internet to your HT. Only allow connections through from Ironport.

As for the CA role, the configuration you've discussed will be the recommended solution to place the CA server inside the firewall (even though separating it from the HT is preferred). Yes, you could further improve security with an ISA solution but it is very common to not have ISA and publish the CA protocols direct to the internet.

You won't be the first to have such a configuration - seems reasonable.
0
 
LVL 15

Author Closing Comment

by:bignewf
ID: 31504452

Thank you for your answer. Since all mail flow will go throught the ironport appliances, and the mx records will point to these boxes, the hub roles are  not directly exposed to the internet.  Since best practices with an Edge transport cannot be deployed, this is the path I will take.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
The viewer will learn how to set up a document for the web and print and the recommended PPI for printing.
Video by: Tony
This video teaches viewers how to export a project from Adobe Premiere Pro and the various file types involved.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now