Swift

asked on
Exposing exchange server to Internet

Hi All, I am facing a bit of a technical dilemma.

Until recently we had our Exchange servers (2003) communicating with the outside world via email gateway appliances sitting in the DMZ (the usual antivirus/antispam gateways of the likes of TrendMicro's IMSS, Barracudas and Ironports).
Now we have decided to outsource the email gateway services of antispam and antivirus to the likes of Messagelabs, Postini or Mimecast.

The concern is: do I still maintain the appliances to act as the frontend, or do I let Messagelabs send the mail directly to my Exchange servers sitting on my internal network? I do have a Cisco ASA 5520 firewall at the perimeter which I can utilise, but is there some standard for such a design?

[Internal LAN]            [Firewall / DMZ]                            [Internet Cloud]
Exchange Servers ->  Cisco ASA 5520   -> Cisco Router 2800 -> Messagelabs/Mimecast (Highest MX)

Please advise.

kevin_u

My suggestion would be to remove the appliance, and put access-lists in the ASA or the router to limit the exposure of the Windows server to known ports from known servers. You should be able to get a list of trusted server IPs from your new provider.
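The access-list on the ASA is the control that enforces "known ports from known servers"; what a practitioner also wants is a way to confirm that only the provider's published ranges are actually reaching the Exchange server on TCP/25 once the appliance is gone. The script below is an added example, not code from the thread or from any vendor: it parses Cisco ASA "Built inbound TCP connection" syslog lines (message 302013) and flags SMTP connections to the Exchange host whose source is outside the provider's allow-list. The provider ranges, the Exchange address and the log lines are constructed placeholders (RFC 5737 documentation addresses); replace them with the list the provider supplies and your own NAT addresses.

```python
import ipaddress
import re

# Constructed sample of Cisco ASA syslog lines (message 302013 = inbound TCP
# connection built, 302014 = teardown). Addresses are RFC 5737 documentation
# ranges used as placeholders, not real hosts.
SAMPLE_ASA_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.25/25 (192.0.2.25/25)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.11/51235 (203.0.113.11/51235) to inside:10.0.0.25/25 (192.0.2.25/25)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.77/40001 (198.51.100.77/40001) to inside:10.0.0.25/25 (192.0.2.25/25)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.12/51236 (203.0.113.12/51236) to inside:10.0.0.40/443 (192.0.2.40/443)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/51234 to inside:10.0.0.25/25 duration 0:00:03 bytes 4210 TCP FINs
"""

# Placeholder for the provider's published outbound SMTP source ranges;
# obtain the real list from the provider as suggested in the answer above.
PROVIDER_SMTP_RANGES = ["203.0.113.0/24"]

# Placeholder: the Exchange server's address as it appears on the inside interface.
EXCHANGE_INTERNAL_IP = "10.0.0.25"

# Matches the real-IP / mapped-IP pairs the ASA prints for a built connection.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)


def parse_built_connections(log_text):
    """Return (conn_id, src_ip, dst_ip, dst_port) for every inbound-connection line."""
    results = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            results.append((int(m.group("conn")), m.group("src_ip"),
                            m.group("dst_ip"), int(m.group("dst_port"))))
    return results


def audit_inbound_smtp(log_text, allowed_cidrs, exchange_ip, smtp_port=25):
    """Return (conn_id, src_ip) for SMTP connections to the Exchange host that
    did not originate from one of the provider's allow-listed ranges.

    A non-empty result means either the ACL on the ASA has a gap or the
    provider's published range list has changed and needs refreshing."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for conn_id, src, dst, port in parse_built_connections(log_text):
        if dst != exchange_ip or port != smtp_port:
            continue  # not SMTP to the Exchange server; out of scope
        src_addr = ipaddress.ip_address(src)
        if not any(src_addr in net for net in networks):
            findings.append((conn_id, src))
    return findings


if __name__ == "__main__":
    for conn_id, src in audit_inbound_smtp(SAMPLE_ASA_LOG, PROVIDER_SMTP_RANGES,
                                           EXCHANGE_INTERNAL_IP):
        print(f"connection {conn_id}: SMTP from {src} is outside the provider allow-list")
```

Run it against the syslog the ASA exports (the `log` keyword on the deny entry of the access-list will also produce denied-connection messages, but the check above works on the connections that were actually built, which is what matters for exposure). Whether the list of provider ranges is kept in the ASA object-group and in this script should be driven from one source, so that a provider change is applied to both at once.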

I wouldn't remove the gateway; just allow the emails to come through from the gateway like you normally set it up, and have it as a passthrough: fewer configuration changes. The other option is, if you have two Exchange servers (like OWA), have that act as the front end and place it in the DMZ.
If you're going to change the access level to your internal LAN, you're taking down some tiered, structured network security. There are different trust levels in each zone: generally 100% for internal, 50% for DMZ, and 0% for Internet.
Swift

ASKER

Thanks Kevin. That's a good option, as I'll get in touch with the service provider to let me know all the trusted IPs.

LanMon, the issue which I might have by retaining my gateways is to keep paying the subscription amount and the AMC for hardware maintenance. I'll have to check this out from a recurring cost perspective. I use ISA to publish OWA on the DMZ; can I use ISA 2006 to act as my email gateway too?
Swift

ASKER

OK, now let me take brand names here, to make my malady simpler.

We currently use Barracudas for receiving mails as SMTP relays and TrendMicro's IMSS for sending. Barracudas don't have the capability to send.

Now, if I have to retain both and pay for their subscriptions, it would be a cost I need to justify. I am not sure why Barracuda never built the capability to send emails along with receiving??!! :(