Solved

Exposing exchange server to Internet

Posted on 2009-07-15
597 Views
Last Modified: 2012-06-27
Hi All, I am facing a bit of technical dilemma.

Until recently we had our Exchange servers (2003) communicating to the outside world via email gateway appliances sitting in the DMZ (The usual antivirus/antispam gateways of the likes of TrendMicro's IMSS, barracudas and Ironports).
Now we have decided to outsource the email gateway services of antispam and antivirus to the likes of Messagelabs, Postini or Mimecast.

The concern is, do I still maintain the appliances to act as the frontend, or do I let Messagelabs send the mail directly to my Exchange servers sitting on my internal network? I do have a Cisco ASA 5520 firewall at the perimeter which I can utilise, but is there some standard for such a design?

[Internal LAN]            [Firewall / DMZ]                            [Internet Cloud]
Exchange Servers ->  Cisco ASA 5520   -> Cisco Router 2800 -> Messagelabs/mimcast (Highest MX)

Please advise.

Question by:fahim
6 Comments
 
LVL 12

Expert Comment

by:kevin_u
ID: 24866614
My suggestion would be to remove the appliance, and put access-lists in the ASA or the router to limit the exposure of the Windows server to known ports from known servers. You should be able to get a list of trusted server IPs from your new provider.
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24867007
I wouldn't remove the gateway; just allow the emails to come through from the gateway like you normally set it up, and have it act as a passthrough (fewer configuration changes). The other option, if you have two Exchange servers (like OWA), is to have that act as the front end and place it in the DMZ.
If you're going to change the access level to your internal LAN, you're taking down some of the tiered, structured network security. There are different trust levels in each zone: generally 100% for internal, 50% for DMZ, and 0% for Internet.
 

Author Comment

by:fahim
ID: 24867610
Thanks Kevin. That's a good option, as I'll get in touch with the service provider to let me know all the trusted IPs.

LanMon, the issue I might have by retaining my gateways is having to keep paying the subscription amount and the AMC for hardware maintenance. I'll have to check this out from a recurring-cost perspective. I use ISA to publish OWA on the DMZ; can I use ISA 2006 to act as my email gateway too?
 

Author Comment

by:fahim
ID: 24869792
OK, now let me use brand names here to make my malady simpler.

We currently use Barracudas for receiving mail as SMTP relays and TrendMicro's IMSS for sending. Barracudas don't have the capability to send.

Now, if I have to retain both and pay for their subscriptions, it would be a cost I need to justify. I am not sure why Barracuda never built the capability to send emails along with receiving??!! :(
 
LVL 12

Assisted Solution

by:kevin_u
kevin_u earned 200 total points
ID: 24875223
My choice would be to eliminate as many unneeded items as possible. Fewer items, fewer failure points.

The question becomes what is "needed". When removing items, it is critical to provide the same level of protection that the item was providing. Certainly limiting exposure (access lists on your router) to your new trusted service provider is one way to do that.

Exchange can send emails directly, without the need for an outgoing gateway (unless you don't trust your internal network's protections against an email-sending virus). You can also help protect this by using your new mail service as your outgoing gateway; they almost certainly provide this service as well. Then you can let ISA (and possibly your routers) route your outgoing mail to the internet.
 
LVL 7

Accepted Solution

by:LANm0nk3y
LANm0nk3y earned 300 total points
ID: 24876078
Yes, you can publish email through ISA. As far as I know, ISA 2006 is packet-filtering software much like Cisco PIX/ASA. You can set rules in there for just about anything you want. Generally most gateways do not require subscriptions to run their hardware; it just won't protect you from any new threats.
It is true that you should eliminate as much as you can, but it also depends on your environment and the risk you are taking by eliminating a piece of hardware. Then there is the infrastructure change.
Barracudas do have models that can send email. Do you know the model you have? You can easily get rid of IMSS if you have a Barracuda. You can even get rid of your Barracuda if you're OK with the risk of the static NAT that you're going to set in your ASA to jump from the public IP to the internal network.
You don't really need ISA 2006 if you have an ASA, unless you're proxying. So we really have a lot of variables to play with.
What I would do is look at the goal, and find the easiest way to accomplish it without breaking anything and/or making too many changes in the infrastructure. Then look at what is not needed in that topology, one piece at a time. For example, instead of sending to IMSS, just send it to your outsourced mail server and have them scan for viruses/spam. This takes a lot longer, but it'll probably give you a little peace of mind as well if something breaks, because you won't have made so many changes to the infrastructure at once.
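The two accepted answers above come down to the same control: a static NAT on the ASA that maps a public mail address to the internal Exchange server, plus access-lists that admit SMTP only from the outsourced provider's published scanning nodes and let only the Exchange server originate SMTP outbound. The configuration below is an added example (not from the thread or from any of the vendors named) of what that looks like in pre-8.3 ASA syntax, which is what a 5520 of that era would run. Every address is a constructed placeholder from the RFC 5737 documentation ranges and RFC 1918 space: 192.0.2.25 stands for the published MX address, 10.1.1.25 for the internal Exchange server, and the two MAIL_PROVIDER networks for whatever ranges the provider actually publishes.

```cisco
! Constructed placeholder ranges; replace with the provider's published IP list.
object-group network MAIL_PROVIDER
 network-object 203.0.113.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
!
! Static NAT: published MX address (placeholder) -> internal Exchange server (placeholder).
static (inside,outside) 192.0.2.25 10.1.1.25 netmask 255.255.255.255
!
! Inbound policy on the outside interface. Pre-8.3 ACLs match the public (mapped)
! address, so the rules reference 192.0.2.25, not the internal host.
access-list OUTSIDE_IN extended permit tcp object-group MAIL_PROVIDER host 192.0.2.25 eq smtp
access-list OUTSIDE_IN extended deny tcp any host 192.0.2.25 eq smtp log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound policy on the inside interface: only the Exchange server may speak SMTP,
! and only to the provider's relay. Anything else on the LAN trying port 25 is logged,
! which is the cheap detection for an internal host that has picked up a mailer worm.
access-list INSIDE_OUT extended permit tcp host 10.1.1.25 object-group MAIL_PROVIDER eq smtp
access-list INSIDE_OUT extended deny tcp any any eq smtp log
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT in interface inside
```

Two checks are worth running before cutting over. `packet-tracer input outside tcp 203.0.113.10 40000 192.0.2.25 25` should report the flow allowed through the NAT to 10.1.1.25, while the same command with a source outside MAIL_PROVIDER should report a drop on OUTSIDE_IN; and `show access-list OUTSIDE_IN` after a few hours of production traffic gives hit counts on the deny line, which tells you how much direct-to-MX traffic the provider's front end is now absorbing on your behalf. The deny-SMTP line on INSIDE_OUT is what preserves the protection kevin_u cautions about losing when the outgoing gateway is removed: the provider scans outbound mail, and the ASA makes sure only Exchange can send any.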
