
Exchange server 2k w/ OWA...behind or in front of firewall?

vi edit

Elite Member
Super Moderator
I'm in a funky situation where I have a local office, as well as about 30 other remote sites that I take care of. The corporate office has a T1 running into it, and half of the remotes are on DSL, the other half are on dial up.

In an effort to control viruses, share data via the personal folders and calendars, as well as use the OWA function for remote users, Exchange seemed like a good fit. We're a Microsoft house in this office because of the end-user simplicity of things. I looked into other options, but the powers that be wanted to keep it fairly consistent with what we've been using.

That said, I've installed Exchange a couple of times to play around with it, I've tinkered around with Active Directory and I'm pretty familiar with the post-install part of things. I've read the Sybex MCSE book as well. The part that they don't tell you about is the actual network placement of the Exchange server. Should I put it out on the DMZ port and then have the local office just use the 'net to connect to the box, or is it better to put it behind the firewall and then map the ports to it?

I've got several different things that I've been kicking around as far as access goes:
- keep using Outlook Express (last thing I want to do)
- switch over to Outlook 2000 or 2002 (I like the attachment blocking of Outlook '02 and XP...my users aren't the sharpest tools in the shed)
- switch everyone over to OWA (not very desirable because of limited functionality and clumsy to use)
- use Outlook in the local office, and set up all remotes on OWA (most preferable situation for me)

As for the virus protection, I want to put Trend Micro Virus Scan for Exchange server on the exchange box.

Thanks for your help, and let me know if you need more info!
 
I'm no DMZ or firewall expert, but I personally would recommend having the Exchange Server behind the firewall with the appropriate ports forwarded.

This server just strictly does e-mail, right?

Yes, definitely get them off Outlook Express. I would migrate to Outlook 2000 or 2002 -- which one depends on attachments:

Outlook 2000 with the latest security patches and SR2 blocks a LOT of attachments, as you know. Sadly, you have no control over it. Only 2002 has the ability to modify the registry to allow certain ones through. Since I receive a lot of legitimate attachments, 2000 has really pissed me off, because, unless you have the technical know-how to set up another e-mail client and download the attachment that way, it's a royal PITA. For example, I was sent a valid Access database, and Outlook completely blocked it. Luckily I leave the mail on the server for a short period and I was able to retrieve it.

Stick with Outlook 2000/2002 and OWA and you should be fine.

Hope this helps!
 
To be completely honest, so long as Outlook '02 doesn't block .doc or .xls I'm HAPPY! All of the warnings, handslappings, precautions, and training in the world hasn't stopped the idiots I work with from clicking on attachments.

I swear there is some sort of subliminal message in the email subject that tells the weary "Hey you! Open the attachment!". Firing people doesn't do any good when the president of the company is the worst attachment-opening offender 🙁
 
Well, sounds like you need a server that is accessible from the Internet and from a private network. That is just about the definition of a DMZ. DMZs generally are a separate network protected by a firewall that DO have public IP addresses - this takes care of NAT problems.

Then you can set up different firewall rules: one set for Internet folks, another set for private network folks.

Hope this helps, I can't be of much use on the server/OS side.
 
Yup spidey, that's what I was thinking. Needs to be accessible by both internal and external networks.

I was pretty sure that it had to be on the DMZ port and then have policies set up from there.
 
I run my Exchange as follows:

T1 -> Cisco Router -> Firewall -> NATted Network

so my Exchange is 192.168.1.10 while the outside network is x.x.x.10. Statically translated.

Only ports 25 and 80 are open at the firewall.

Used to have POP but no one uses it so it's gone.

Since Outlook Web Access uses IIS, you should patch it up before anything.. my standard W2K machine is

W2K Server/Advanced
W2K SP2

Ghost backup - in case you need to change something or re-deploy

Security tools - MS website to check for patches
Patches that need to be installed
Virus scanners

then flows of applications

Make sure your outside DNS has an MX record for the outside mail server IP if you're translating the network.


I actually use McAfee.. looking to switch soon, I've heard of Trend Micro but never used the product, but seen lots of ads... good luck
 
vi_edit,

I like what everyone is suggesting here. It should work fine in your environment.

However, if you'd like to be completely secure and have 2 machines to deploy, I would do this.

1. Place the Exchange server on your Local network. No NAT, No Internet IP.
2. Place another Exchange server on your DMZ and use it as SMTP relay and OWA access. Point the database of that exchange server to your Internal Exchange server.
3. Secure access with firewall and access list to your internal exchange server.

I would highly recommend anti-virus scanning utilities on your mail server, not the computer. A good one that I have used is Norton corporate antivirus scanner for Exchange. If you'd like to have content filtering, attachment blocking, mail rules and all those goodies, try looking into www.gfi.com MailEssentials.

Oh yeah, Dump Outlook Express. Exchange without outlook is a waste 🙂

err
 
LOL!

Three different replies, three different answers 🙂

- put it inside the firewall
- put it outside the firewall
- put one on each side (this would be expensive!) 🙂

 
hahahhaaha, that's design for ya vi_edit!

now make you a pro/con table for each option and make a decision already. Most definitely run a virus scanner on all mail servers.

:wq!

 


<< LOL!

Three different replies, three different answers 🙂

- put it inside the firewall
- put it outside the firewall
- put one on each side (this would be expensive!) 🙂 >>

Tight budget? Go with my suggestion: Put behind the firewall and forward port 80 for OWA, 25, etc. 😀

As spidey said, write down the pros and cons of each and the cost(s) associated.

Good luck and let us know what you decided and how it turned out! 🙂
 
First off, you can't install Exchange with Internet accessibility and have it secure. (Been on conf calls w/ MS, and their own Ops area doesn't like the way it works.)

Here's the skinny:

Exchange Front Ends talk to Back Ends (where the data is). Front ends are specifically for load-balancing: they accept client requests, authenticate them to a DC, query the GC for the location of their mail file, and then forward the client's URL directly to the back end server. The back end does all the same steps, but doesn't forward the URL to another server.

Security Problem #1: The client's URL is passed right through to the back end, including malformed URLs!!

Because Exchange is stupid, the FE server must be a member of the same domain as the BE (not just the same forest, the same domain). So, you need some 15 ports open to your DCs and GCs in order to allow the FE to communicate w/ the domain.

Security Problem #2: The FE must be a member of the domain...thus exposing your directory (AD) to a web-box.

Because the MS Security folks aren't allowed to talk to the Exchange developers (or they won't listen--I can't tell which)...the FE and BE must have SMTP and HTTP open between them, on the standard ports, and you can't configure it to use other ports.

Security Problem #3: The FE listens on port 80, and *has* to have port 80 open back to the BE.

So, having an Exchange FE in a DMZ will make the DMZ pretty much pointless, as the private facing firewall becomes swiss cheese.
Having an Exchange FE in the private network violates the basic security principles of network architecture.

We picked option C - none of the above. We're not making Exchange available from the Internet.

You may want to look at a product from Whale Communications that we may use....

--Woodie
 
"First off, you can't install Exchange with Internet accessability, and have it secure."

Can you please elaborate on that. I mean, obviously MS uses Exchange, so why aren't their Exchange servers successfully hacked every day? Yes, not everything is made public, but it would eventually be known if it can't be secured. Headlines like: "MS Exchange is so insecure that even MS cannot make it safe to use!"

I was under the impression that you can set up an Exchange server on one MS Win2K Server and you are off to the races! I am getting the impression that you need a PDC, Active Directory, BDC, all on separate servers, no matter how many accounts or the amount of activity on the Exchange server.

I do not know too much about Exchange right now, but I am trying to learn for myself piece by piece for the time being.

Thanks!

P.S. What does Whale Communications have to offer? 🙂
 


<< We picked option C - none of the above. We're not making Exchange available from the Internet. >>

And you my friend win a superIQ award.

I'm serious. 🙂

<esc>\security
 
Actually my next design is

LAN with Exchange as described

a co-lo site also behind firewall

a VPN connection between the two, mail replicated through the VPN link

MX records for both IP addresses; when one fails, the other one is the second mail server
 



<< In an effort to control viruses, share data via the personal folders and calendars, as well as use the OWA function for remote users, Exchange seemed like a good fit. >>

A firewall doesn't do much in terms of viruses, and Exchange is a virus's best friend. There are many robust Linux mail servers that are compatible with the Outlook client, such as SUSE email, or (free) Qmail & Postfix.

There isn't a need to drop your email server into the DMZ, because you are asking for hackers. Unless it is a dedicated public email server where internal users don't have access to it to drag mud into your internal network.

What you can do is to run a Linux server and/or install email client & server virus scan software, and remember to update the definitions regularly.

1. The most common way is to put it behind the firewall, Masquerade with port forwarding.

2. A little more complex way, without changing your current network setup, and more secure, is Proxy ARP.

3. DMZ is the last option if the email server is purely a public email server.

 


<< "First off, you can't install Exchange with Internet accessibility, and have it secure." >>

MS has been caught...this is one of the ways that they were infected by Code Red and by Nimda.

<< P.S. What does Whale Communications have to offer? >>

They have an air-gap technology tool which works w/ Exchange, to filter and allow only Exchange-compliant URLs to go to the Exchange server. We should have it in house for evaluation in the next 60 days.

One more security issue that came up: If you're browsing to the Exchange server, and you click the "Logout" button, but don't close all IE processes, your cookie stays in memory, so another user can hit the "back" button, or manually put in the appropriate URL, and access your mailbox. Now, think about a user on a kiosk, which only allows a browser, and won't allow the user to close *all* instances of IE.... =8O

For the Linux suggestion...Exchange is more a group-ware product, rather than just an email server. In the "enterprise", scheduling and calendaring are very important functions provided by Exchange. (or Notes, for that matter)

--Woodie
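The logout problem described above has a server-side mitigation that a practitioner would want to see spelled out. The following is an added illustration in Python, not code from this thread and not how OWA itself handles sessions: the server keeps its own record of live sessions, forgets the session on logout, and expires idle ones, so a cookie still held in the browser (back button, retyped URL, kiosk) no longer maps to a mailbox. The class and function names and the timeout are assumptions.

```python
"""Server-side session revocation for a web mail front end.

Added illustration, not code from the thread or from Exchange/OWA. It models
the problem the post describes: after "Logout" the browser may still hold the
session cookie in memory, so a later request (back button, retyped URL)
presents the same cookie. The fix shown is to make the *server* forget the
session on logout and to expire idle sessions, so a replayed cookie is useless.
All names and the timeout value are assumptions for illustration.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._sessions = {}            # token -> {"user": str, "last_seen": float}
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable so tests can control time

    def login(self, user):
        """Issue a fresh, unguessable token and record it server-side."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, token):
        """Map a presented cookie to a user, or None if unknown, revoked or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None                       # never issued, or already revoked
        if self._clock() - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]         # idle kiosk session: drop it
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, token):
        """Revoke server-side; the browser's copy of the cookie no longer matters."""
        self._sessions.pop(token, None)


def stale_cookie_replay(store, user="alice"):
    """Walk through the scenario: login, logout, then replay the old cookie.
    Returns (user seen before logout, user seen after logout)."""
    cookie = store.login(user)           # browser keeps this in memory
    before = store.lookup(cookie)        # normal request resolves to the user
    store.logout(cookie)                 # user clicks Logout but leaves the browser open
    after = store.lookup(cookie)         # back button / retyped URL with the same cookie
    return before, after


if __name__ == "__main__":
    print(stale_cookie_replay(SessionStore()))   # ('alice', None)
```

The point is that a cookie is only a lookup key: once the server drops the record, re-presenting the key gets nothing, regardless of what the browser still holds. The idle timeout covers the kiosk case where the user never reaches the Logout button at all.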
 
I am thinking about implementing an external/DMZ SMTP/OWA server with Microsoft's URLScan plugin for IIS.

I am in testing with it right now and hopefully it will help weed out some of these Internet worms, but then again to have something totally safe would mean you are totally out of a job 🙂
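URLScan and the Whale tool mentioned earlier in the thread both work by letting only well-formed, expected requests through to the Exchange box. The following is an added example of that allow-list idea in Python; it is not the thread's code, not URLScan and not Whale's product. The path prefixes, the permitted methods and the sample URLs are my own assumptions, and the samples are constructed, not captured traffic.

```python
"""Allow-list filter for requests headed to a web mail server.

Added example, not the thread's code and not URLScan or Whale's product. It
shows the idea both are used for in this thread: let only well-formed requests
on known paths through to the back end, and reject malformed ones up front.
The path prefixes, method list and sample URLs are assumptions for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")   # assumed OWA paths
ALLOWED_METHODS = {"GET", "POST"}                            # assumption
MAX_URL_LEN = 1024
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._@\- ]+$")            # one path segment


def check_request(method, raw_url):
    """Return (allowed, reason). Deny by default; every check names its reason."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(raw_url) > MAX_URL_LEN:
        return False, "url too long"
    if any(not 0x20 <= ord(c) <= 0x7E for c in raw_url):
        return False, "non-printable or high-bit byte in url"

    path = unquote(urlsplit(raw_url).path)
    if unquote(path) != path:
        return False, "double-encoded path"       # a second layer hidden behind %25
    if "\\" in path:
        return False, "backslash in path"
    if not path.startswith(ALLOWED_PREFIXES):
        return False, "path outside allowed prefixes"
    segments = [s for s in path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return False, "dot segment (traversal)"
    if not all(SAFE_SEGMENT.match(s) for s in segments):
        return False, "unexpected character in path"
    return True, "ok"


# Constructed sample requests (not captured traffic) and how the filter treats them.
SAMPLES = [
    ("GET", "/exchange/alice/Inbox?Cmd=contents"),
    ("GET", "/exchweb/img/logo.gif"),
    ("GET", "/default.ida?x"),
    ("GET", "/exchange/../scripts/x.exe"),
    ("GET", "/exchange/..%255c../scripts/x.exe"),
    ("DELETE", "/exchange/alice/Inbox"),
]


def run_samples():
    """Return (method, url, allowed, reason) for each sample above."""
    return [(m, u, *check_request(m, u)) for m, u in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The decode-once-then-compare check is the part worth noting: a path that still changes under a second `unquote` is carrying an encoded layer the back end might decode differently, which is exactly the "malformed URL passed straight through" problem raised earlier in the thread.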
 
forcesho is completely right; don't forget to NAT and open the corresponding ports, and install antivirus. 🙂
 
Service Pack 2 for Exchange 2000, which is available now BTW, corrects a decent amount of the problems I have come across in OWA.
If you want to put OWA in a DMZ, you are making a lot of work for yourself. There are several ports that you will need to open on your firewall:
53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
88 (TCP, UDP) - Kerberos authentication.
123 (TCP) - Windows Time Synchronization Protocol (NTP). (Not sure if this is required, I'd do it though.)
135 (TCP) - Endpoint Mapper
389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
445 (TCP) - Server Message Block (SMB) for Netlogon, LDAP conversion and Distributed File System (Dfs) discovery.
3268 (TCP) - LDAP to global catalog servers
One port for the Active Directory logon and directory replication interface, which is typically assigned port 1025 or 1026 during startup

Without those ports, the Exchange box won't be able to talk to your DCs on the private network.

What a hassle!

Why not put it in the private network, open port 25 and be done with it. OWA will come in on port 80, which I am guessing you have open anyhow.
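To put the "what a hassle" point in numbers, here is an added Python example (not from the thread) that encodes the three placements discussed here as zone-to-zone rules and walks them from the Internet, treating any zone reached as a possible pivot. The DMZ port list is the one in the post above (with the dynamic AD port taken as 1025) plus the HTTP and SMTP an earlier post says the front end needs to the back end; the zone names, rule format and option labels are my own assumptions.

```python
"""Compare what each Exchange/OWA placement opens between network zones.

Added example, not from the thread. The port list for a front end in the DMZ
is the one given in the post above (53, 88, 123, 135, 389, 445, 3268 and the
dynamic AD port, taken here as 1025), plus the HTTP and SMTP an earlier post
says the front end needs to the back end. Zone names, the rule format and the
walk over zones are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # zone a connection may originate from
    dst: str        # zone it may terminate in
    port: int
    proto: str      # "tcp" or "udp"
    purpose: str


# Ports the post says an OWA front end in the DMZ needs to the DCs on the private network.
FE_TO_DC = [
    (53, "tcp", "DNS"), (53, "udp", "DNS"),
    (88, "tcp", "Kerberos"), (88, "udp", "Kerberos"),
    (123, "tcp", "time sync"),            # the post is unsure this one is required
    (135, "tcp", "endpoint mapper"),
    (389, "tcp", "LDAP"), (389, "udp", "LDAP"),
    (445, "tcp", "SMB / Netlogon"),
    (3268, "tcp", "LDAP to global catalog"),
    (1025, "tcp", "AD logon / replication (dynamic, 1025 or 1026)"),
]


def option_front_end_in_dmz():
    rules = [Rule("internet", "dmz", 80, "tcp", "OWA"),
             Rule("internet", "dmz", 25, "tcp", "SMTP")]
    rules += [Rule("dmz", "private", p, proto, why) for p, proto, why in FE_TO_DC]
    # Earlier post: FE and BE must talk HTTP and SMTP on the standard ports.
    rules += [Rule("dmz", "private", 80, "tcp", "front end to back end HTTP"),
              Rule("dmz", "private", 25, "tcp", "front end to back end SMTP")]
    return rules


def option_behind_firewall():
    """The 'forward 25 and 80 to the inside box' setup several posts use."""
    return [Rule("internet", "private", 80, "tcp", "OWA on IIS"),
            Rule("internet", "private", 25, "tcp", "SMTP")]


def option_no_internet_owa():
    """Woodie's option C: mail in, but no OWA from the Internet."""
    return [Rule("internet", "private", 25, "tcp", "SMTP")]


def pivot_exposure(rules, start="internet"):
    """Walk the rules zone by zone from `start`, treating every zone reached as
    a possible pivot (a DMZ host is assumed compromised once it is reachable).
    Returns {zone: set of (port, proto, purpose) reachable that way}."""
    reached = {start}
    frontier = [start]
    exposure = {}
    while frontier:
        zone = frontier.pop()
        for r in rules:
            if r.src != zone:
                continue
            exposure.setdefault(r.dst, set()).add((r.port, r.proto, r.purpose))
            if r.dst not in reached:
                reached.add(r.dst)
                frontier.append(r.dst)
    return exposure


def compare():
    """Distinct openings that end up reachable into the private zone, per option."""
    options = {
        "front end in DMZ": option_front_end_in_dmz(),
        "behind firewall, 25+80 forwarded": option_behind_firewall(),
        "no Internet OWA": option_no_internet_owa(),
    }
    return {name: len(pivot_exposure(rules).get("private", set()))
            for name, rules in options.items()}


if __name__ == "__main__":
    for name, n in compare().items():
        print(f"{name}: {n} openings reachable into the private network")
```

The walk makes the "swiss cheese" argument concrete: the DMZ option still ends with 13 distinct openings into the private network once the DMZ host is treated as a pivot, against 2 for forwarding 25 and 80 inside and 1 for SMTP only. That is the count to weigh against the other column of the pro/con table (whether port 80 into an IIS box on the private LAN is acceptable at all), which the thread disagrees on.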
 
And you would be willing to allow port 80 into your private network, pointing to an IIS server??

Not me!

--Woodie
 
I am a LAN admin and recently upgraded my network. I am set up like this: T1 -> Cisco 2600 Router -> Microsoft ISA Server -> Exchange server. I use NAV for MS Exchange and it has stopped pretty much every virus except the newest ones that take at least a day for a patch. I also use OWA on the same server and it also works great. My OWA is as fast over the Internet (cable modem/DSL) as accessing it on my LAN. I am very impressed!

Good Luck!
 
Where are your firewalls?

Are you using the IIS URLScan tool? (either on the ISA or the Exchange box?)

--Woodie
 