Put my Exchange 2007 in a DMZ


I'd like to know what you think about putting an Exchange server in a DMZ.  I have read that putting Exchange in a DMZ is one of the most hotly debated subjects in the Exchange community.  Nowadays, my Exchange works perfectly in my internal network and I use ISA Server to protect it.  What do you suggest about it?


Rick Fee, Messaging Engineer - Disaster Recovery Engineer, commented:
Don't... there is no need to place an Exchange server in the DMZ... the only thing you would be doing is adding a complex setup with NO security benefit.
Satya Pathak, Lead Technical Consultant, commented:
Exchange should not be in a DMZ; there is nothing to debate here.

If you put it in your DMZ you will have so many ports to open that it won't be a DMZ anymore.

Moreover, with ISA in place a DMZ is a complete loss of money; you have everything to protect your Exchange server. Just keep it where it is.
>> my exchange works perfectly in my internal network and I use ISA Server to protect it

For a Mailbox, Hub Transport or Client Access Server, the Internal Network is where it should be. Placing any Exchange Server in the DMZ will make your firewall rules look like Swiss cheese - security holes everywhere.

If you want perimeter protection, the Exchange 2007/2010 Edge Transport role is the only type of Exchange machine designed to be placed in the DMZ. It is not directly connected with Active Directory or Exchange; there are mechanisms to sync the two, so the security issues are minimised.

I wrote an article here at EE with more information on Exchange Servers and DMZs: http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-you-shouldn't-put-an-Exchange-Server-in-the-DMZ.html.
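The contrast drawn in the answer above, as an added example that is not part of the original thread: a small audit of DMZ-to-internal allow rules for a domain-joined Exchange role versus an Edge Transport server. The zone names, rule tuples and both rule sets are constructed for illustration, and the port lists are well-known Windows/Active Directory and Exchange 2007 Edge assignments rather than values taken from the thread.

```python
# Well-known Windows/AD port assignments (general knowledge, not from the thread).
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
            389: "LDAP", 445: "SMB", 3268: "Global Catalog"}
RPC_DYNAMIC = (49152, 65535)  # assumed default dynamic RPC range (Windows Server 2008+)

def audit_dmz_rules(rules):
    """Audit (src_zone, dst_zone, proto, port_lo, port_hi) allow rules.

    Only DMZ -> internal rules are counted: they are the paths a compromised
    DMZ host would have into the internal network.
    """
    ports_open, findings = 0, []
    for src, dst, proto, lo, hi in rules:
        if (src, dst) != ("dmz", "internal"):
            continue
        ports_open += hi - lo + 1
        for port, name in sorted(AD_PORTS.items()):
            if lo <= port <= hi:
                findings.append(f"{proto}/{port} exposes {name} to the DMZ")
        if lo <= RPC_DYNAMIC[1] and hi >= RPC_DYNAMIC[0]:
            findings.append(f"{proto}/{lo}-{hi} overlaps the dynamic RPC range")
    return {"ports_open": ports_open, "findings": findings}

# Constructed rule set: a domain-joined Hub Transport/CAS server in the DMZ,
# which must reach domain controllers on the internal network.
EXCHANGE_IN_DMZ = [
    ("internet", "dmz", "tcp", 25, 25),
    ("internet", "dmz", "tcp", 443, 443),
    ("dmz", "internal", "tcp", 53, 53),
    ("dmz", "internal", "tcp", 88, 88),
    ("dmz", "internal", "tcp", 135, 135),
    ("dmz", "internal", "tcp", 389, 389),
    ("dmz", "internal", "tcp", 445, 445),
    ("dmz", "internal", "tcp", 3268, 3268),
    ("dmz", "internal", "tcp", 49152, 65535),
]

# Constructed rule set: Edge Transport in the DMZ. EdgeSync (secure LDAP on
# 50636) is initiated by the internal Hub Transport server, so it is an
# internal -> dmz rule and opens nothing toward the internal network.
EDGE_IN_DMZ = [
    ("internet", "dmz", "tcp", 25, 25),
    ("dmz", "internal", "tcp", 25, 25),
    ("internal", "dmz", "tcp", 25, 25),
    ("internal", "dmz", "tcp", 50636, 50636),
]

if __name__ == "__main__":
    for label, rules in (("Exchange in DMZ", EXCHANGE_IN_DMZ), ("Edge in DMZ", EDGE_IN_DMZ)):
        print(label, audit_dmz_rules(rules))
```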


anovaes (Author) commented:
I think I got a little bit confused because I have found many articles about this subject and I could see that SMTP Servers are located in DMZ.  Now I'm convinced that Exchange Server should be in my internal network.  Now, I will just create a DMZ to put my external DNS.  Thanks a lot.
Glad we were able to clarify it.