amrish_IT
asked on
How to configure HUB sever on DMZ?
I am implementing the Exchange 2007 server with CCR. I am using four servers, one for ADS (catalog server), second one common server for edge and Hub, third and four for Mailbox server on cluster (CCR). All these servers are on same local network.
I want to configure HUB server on DMZ. Should I need two NIC in HUB server one for local network and one for DMZ? If this is the case then what will be the DNS servers for DMZ NIC?
Can anyone explain how to configure all these servers on network, IPs, gateway and DNS setting of individual servers?
I want to configure HUB server on DMZ. Should I need two NIC in HUB server one for local network and one for DMZ? If this is the case then what will be the DNS servers for DMZ NIC?
Can anyone explain how to configure all these servers on network, IPs, gateway and DNS setting of individual servers?
Hi Amrish,
Can you explain the reason you want to place HUB in DMZ any specific reason. See you can achieve same results in LAN too....
To be able to better guide you, we would need exact scenario.
Hope this helps
Thanks
Nitin
Can you explain the reason you want to place HUB in DMZ any specific reason. See you can achieve same results in LAN too....
To be able to better guide you, we would need exact scenario.
Hope this helps
Thanks
Nitin
ASKER
Hi,
I have only four server right now, one for AD, two for Mailbox cluster and one for HUB , thats why i have to put HUB server in DMZ.
I have only four server right now, one for AD, two for Mailbox cluster and one for HUB , thats why i have to put HUB server in DMZ.
What about CAS role - where do you plan to place that - with your calculation i could not find that role sitting on AD server for sure and if you plan to merge CAS + HUB in DMZ (This isn't supported nor recommended).
Awaiting your response.
Awaiting your response.
ASKER
HUB and CAS role will be on same server. If i install edge server separatly then how it will communicate with HUB server because edge server is in DMZ with public IP.
If you are in shortage of servers - why not simply have hub role in your local LAN behind a firewall ??
Remember Hub (in local LAN of DMZ) will also have all those functionality (almost - all) as those of EDGE.
If you place Hub in the DMZ - you need to open port 135 (RPC)+ 389 (LDAP) + 25 (SMTP) + 53 (DNS) + 443 (SSL).
Now look at the ports used by EDGE.
* LDAP: Port 50389/TCP
* Secure LDAP: Port 50636/UDP
* SMTP: Port 25/TCP
* Optional: enable RDP: Port 3389/TCP
You basically are opening up all the ports required for Hub (if it is placed in DMZ) - so if your Hub is compromised - your AD / Exchange is compromised too. That is the reason no one recommends nor practices placing Hub in DMZ.
Oh and CAS ROLE IN DMZ IS NOT RECOMMENDED NOR SUPPORTED.
Remember Hub (in local LAN of DMZ) will also have all those functionality (almost - all) as those of EDGE.
If you place Hub in the DMZ - you need to open port 135 (RPC)+ 389 (LDAP) + 25 (SMTP) + 53 (DNS) + 443 (SSL).
Now look at the ports used by EDGE.
* LDAP: Port 50389/TCP
* Secure LDAP: Port 50636/UDP
* SMTP: Port 25/TCP
* Optional: enable RDP: Port 3389/TCP
You basically are opening up all the ports required for Hub (if it is placed in DMZ) - so if your Hub is compromised - your AD / Exchange is compromised too. That is the reason no one recommends nor practices placing Hub in DMZ.
Oh and CAS ROLE IN DMZ IS NOT RECOMMENDED NOR SUPPORTED.
If you want to read more about EDGE..
http://technet.microsoft.com/en-us/library/bb125154(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/cc526574.aspx
http://www.msexchange.org/tutorials/Securing-Exchange-2007-Edge-Transport-Servers.html
http://www.exchangelog.info/2007/05/ports-that-need-to-be-open-on-firewall.html
http://technet.microsoft.com/en-us/library/bb125154(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/cc526574.aspx
http://www.msexchange.org/tutorials/Securing-Exchange-2007-Edge-Transport-Servers.html
http://www.exchangelog.info/2007/05/ports-that-need-to-be-open-on-firewall.html
ASKER
can I add edge server later on??
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Information provided by you is very helpful. thank you very much.
ASKER
thank you so much for your help
Glad to have been able to answer your queries.
God Bless.
Take Care
God Bless.
Take Care
Are you thinking of installing both on same box - technically, practically, theoretically this is not possible.
My suggestion would be to have 2 node A/P CCR Clusters + CAS & Hub Server + Edge Server (In DMZ)
Personally i believe Hub should not be placed in a DMZ.
MSFT says:
In this scenario, the Exchange 2007 Hub Transport server can be reached directly through the Internet. We don't recommend this topology because it increases security risks by exposing to the Internet the Exchange 2007 server and all roles installed on that server. We recommend that you implement a perimeter network-based SMTP gateway, such as the Edge Transport server, instead.