MS Exchange security question

InlineFour

Banned
Nov 1, 2005
3,194
0
0
I currently have 2 servers; one as DC and AD and the other is the Exchange server. These are just at my home for learning experiences. I don't have an extra box to run ISA Server like most companies would. I've come up with this alternative: put the Exchange server in a DMZ. Here's how it would look in a network topology.

ISP -> router/firewall -> exchange server -> 2nd router/firewall -> client PCs and AD server

With this setup, if my public Exchange becomes compromised, I still have another firewall in front of my internal network. Also, do I just forward the necessary ports on router #2 in order for the Exchange server to communicate with the AD server?

 

FreshPrince

Diamond Member
Dec 6, 2001
8,361
1
0
Your Exchange will need to talk to AD, so you'd have to open up a boatload of ports...

Most companies implement a front-end/back-end setup. Fewer ports to open.
 

BornStar

Diamond Member
Oct 30, 2001
4,052
1
0
Do you want this for external email (OWA) or just so your Exchange box can send and receive email?
 

imported_mejohnm

Junior Member
Nov 7, 2004
3
0
0
Heya,

I am also playing around with this kind of setup. I only have one computer running AD, DNS and Exchange. This works for me because of the very few clients that are served. I have everything inside the firewall/router. It seems everything works, from OWA to secure HTTP. Yeah, one server could mean problems if it is hacked or just a plain failure, but I have it backed up daily and many spare parts lying around. I could run two or more servers, but I am afraid of the power bill afterwards...

MeJohnM
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: InlineFour
I don't have any more spare boxes for a front-end and back-end server. :(
Just run all your servers in Virtual PC or Virtual Server. You can have as many servers as you want, as long as you have enough memory on your desktop PC. A Virtual environment is, by far, the best place to learn to manage servers. If you make a mistake, you can restore the server nearly instantly. Want to add another network card or two? It takes seconds.

Virtual PC 2004 (which I use), requires about 256MB per server (except for SBS 2003, which really needs 384MB to 512MB to run decently).

I quit building PCs a couple of years ago. Now I just build virtual PCs. :)
 

InlineFour

That's a good idea, RebateMonger. I will probably run a virtual server with AD and Exchange in one box with 2 separate OSes, then one box as an ISA server.
 

RebateMonger

Originally posted by: InlineFour
That's a good idea, RebateMonger. I will probably run a virtual server with AD and Exchange in one box with 2 separate OSes, then one box as an ISA server.
You are certainly welcome to use multiple boxes, but I do all this stuff on my single desktop PC. It's less work.

When it's all on the same PC, you can isolate the "virtual network" from the rest of your network, if you want, by using the Microsoft Loopback Adapter as a virtual network adapter.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Since this is all testing anyways I like the virtualization option.

Also since this is testing it would be reasonable to do away with the perimeter network and just stick the exchange box on the same LAN as your DC.
 

FreshPrince

Originally posted by: spyordie007
Since this is all testing anyways I like the virtualization option.

Also since this is testing it would be reasonable to do away with the perimeter network and just stick the exchange box on the same LAN as your DC.

if that's the case, I'd also recommend playing with installing your exchange box in a separate AD in the DMZ running domain trusts back to the AD in your LAN.

Microsoft claims this is the most secure way to implement Exchange. We had that implemented once in our organization, but when we upgraded to 2003, we got rid of that model.
 

spyordie007

Originally posted by: FreshPrince
if that's the case, I'd also recommend playing with installing your exchange box in a separate AD in the DMZ running domain trusts back to the AD in your LAN.

Microsoft claims this is the most secure way to implement Exchange. We had that implemented once in our organization, but when we upgraded to 2003, we got rid of that model.
They may have made that claim at one point in time, but nowadays they pretty much always suggest keeping Exchange on the LAN (even your front-end servers) and using an advanced firewall such as ISA to proxy requests.
 

InlineFour

Originally posted by: spyordie007
if that's the case, I'd also recommend playing with installing your exchange box in a separate AD in the DMZ running domain trusts back to the AD in your LAN.

Microsoft claims this is the most secure way to implement Exchange. We had that implemented once in our organization, but when we upgraded to 2003, we got rid of that model.
They may have made that claim at one point in time, but nowadays they pretty much always suggest keeping Exchange on the LAN (even your front-end servers) and using an advanced firewall such as ISA to proxy requests.

so it would be something like this?

ISP -> router/firewall -> ISA/Exchange/clients
 

FreshPrince

Originally posted by: spyordie007
No, it would be more like this:
http://www.microsoft.com/technet/prodte...948228-724c-4909-95b7-8888c98723cb.gif

A little on the old side (as it would now be ISA 2004), but you get the gist of it. ISA is the firewall/router and proxies/protects the requests to your front-end server(s).

hmm...I'm a little worried about that...

I would personally put the FE and the smtp relay server in another network other than your LAN and separated from the BE. ISA or not, why would a web server (that's basically the FE) be placed inside your LAN?
 

spyordie007

The FE needs quite a bit of access to the BE, so you end up opening a bunch of ports if you put it out on the DMZ; in addition it needs to be on the domain, so it needs access to your DCs. By the time it's all said and done there isn't a huge advantage to simply sticking your FE on a perimeter network. That is the option Microsoft recommends if you do not have ISA.

ISA is the key in the scenario above; it does filtering at a much higher level than your "standard" firewall.
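The "boatload of ports" FreshPrince mentions and the DC access spyordie007 describes can be made concrete. The following is an added example, not code from this thread or from Microsoft: it models the outbound flows an Exchange 2003 server (front-end or back-end) needs towards its DCs/GCs and DNS once it is a domain member, and checks a candidate rule set for router #2 against them. The port list follows the Exchange 2003 perimeter-deployment guidance; the rule sets, the two pinned RPC port numbers and the `ISA_PUBLISHED` comparison are constructed for illustration.

```python
# Added example, not from the original thread: a small model of the
# Exchange 2003 -> Active Directory port dependencies, used to evaluate a
# candidate rule set for the inner firewall (router #2 in the topology above).
# The rule sets, the pinned RPC port numbers and the names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the range
    hi: int     # last port of the range, inclusive


# Outbound flows an Exchange server (FE or BE) must be able to open towards
# its DCs/GCs and DNS once it is a domain member.
AD_DEPENDENCIES = [
    Flow("DNS", "tcp", 53, 53),
    Flow("DNS", "udp", 53, 53),
    Flow("Kerberos", "tcp", 88, 88),
    Flow("Kerberos", "udp", 88, 88),
    Flow("NTP (time sync)", "udp", 123, 123),
    Flow("RPC endpoint mapper", "tcp", 135, 135),
    Flow("LDAP", "tcp", 389, 389),
    Flow("LDAP (DC locator ping)", "udp", 389, 389),
    Flow("SMB (SYSVOL / Group Policy)", "tcp", 445, 445),
    Flow("Kerberos password change", "tcp", 464, 464),
    Flow("LDAP over SSL", "tcp", 636, 636),
    Flow("Global Catalog", "tcp", 3268, 3268),
    Flow("Global Catalog over SSL", "tcp", 3269, 3269),
]

# Directory RPC (Netlogon, DsGetDcName, NSPI for Outlook) connects to 135 and
# is then redirected to whatever high port the DC picked for that service.
DYNAMIC_RPC = Flow("RPC dynamic range (default)", "tcp", 1024, 65535)

# The DC's RPC ports can be pinned in the registry (NTDS "TCP/IP Port" and
# Netlogon "DCTcpipPort"); the two numbers below are placeholders.
PINNED_RPC = [
    Flow("RPC: NTDS pinned port", "tcp", 57001, 57001),
    Flow("RPC: Netlogon pinned port", "tcp", 57002, 57002),
]


def required_flows(pin_rpc=False):
    return AD_DEPENDENCIES + (PINNED_RPC if pin_rpc else [DYNAMIC_RPC])


def flow_allowed(flow, rules):
    """A flow passes if one rule covers its whole port range on that protocol."""
    return any(proto == flow.proto and lo <= flow.lo and flow.hi <= hi
               for proto, lo, hi in rules)


def blocked_flows(rules, pin_rpc=False):
    """Required flows the rule set would silently break."""
    return [f for f in required_flows(pin_rpc) if not flow_allowed(f, rules)]


def ports_opened(rules):
    """Distinct (proto, port) pairs the rule set exposes in the allowed direction."""
    opened = set()
    for proto, lo, hi in rules:
        opened.update((proto, p) for p in range(lo, hi + 1))
    return len(opened)


# Rule sets for router #2 as (proto, first_port, last_port), DMZ -> LAN.
# 1) What a first attempt at "just forward the necessary ports" tends to be.
NAIVE_RULES = [
    ("tcp", 389, 389), ("tcp", 3268, 3268),
    ("tcp", 88, 88), ("udp", 88, 88), ("udp", 53, 53),
]
# 2) Everything the directory really needs, RPC left dynamic.
FULL_RULES_DYNAMIC_RPC = [(f.proto, f.lo, f.hi) for f in required_flows(pin_rpc=False)]
# 3) The same with RPC pinned on the DC, so the high-port wildcard goes away.
FULL_RULES_PINNED_RPC = [(f.proto, f.lo, f.hi) for f in required_flows(pin_rpc=True)]
# 4) For comparison: ISA in front, Exchange on the LAN. Seen from the Internet
#    only HTTPS is published (plus SMTP to a relay, not modelled here).
ISA_PUBLISHED = [("tcp", 443, 443)]

if __name__ == "__main__":
    for label, rules, pin in [
        ("naive DMZ rules", NAIVE_RULES, False),
        ("full DMZ rules, dynamic RPC", FULL_RULES_DYNAMIC_RPC, False),
        ("full DMZ rules, pinned RPC", FULL_RULES_PINNED_RPC, True),
    ]:
        missing = blocked_flows(rules, pin_rpc=pin)
        print(f"{label}: {ports_opened(rules)} ports open inward, "
              f"{len(missing)} required flows blocked")
        for f in missing:
            print(f"   blocked: {f.name} {f.proto}/{f.lo}-{f.hi}")
    print(f"ISA publishing rule: {ports_opened(ISA_PUBLISHED)} port open from the Internet")
```

Run it and the naive rule set shows what breaks first: the RPC endpoint mapper and the dynamic high ports behind it, which is why the DMZ design ends up either opening tcp/1024-65535 inward or pinning the DC's RPC ports. The FE/BE split does not remove these flows; the front-end is still a domain member and needs the same list, plus HTTP (and IMAP/POP if used) to the back-end. With ISA bridging in front and Exchange on the LAN, the only inbound hole from the Internet is tcp/443 (and tcp/25 to a relay), which is the comparison the thread keeps coming back to.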
 

FreshPrince

I've never played with ISA because I have always thought it was crap compared to other high end fws.

maybe I need to take another look.

- fp
 

InlineFour

I noticed that Small Business Server 2003 combines Exchange, ISA, and the OS as one package. How does this compare to a setup with separate boxes?
 

spyordie007

Originally posted by: FreshPrince
I've never played with ISA because I have always thought it was crap compared to other high end fws.

maybe I need to take another look.

- fp
Good start for you:
http://www.microsoft.com/isaserver/evaluation/overview/default.mspx

The big thing for an app like Exchange is that it will do application-layer inspection/protection. SSL connections (OWA or Outlook connected over HTTPS) run up to the ISA server and get torn down so even HTTPS data can get inspected.

One of the first sections on that page is on using ISA to protect access to Exchange.
 

RebateMonger

Originally posted by: InlineFour
i noticed that small business server 2003 combines exchange, isa, and the OS as one package. how does this compare to a setup with seperate boxes?
People can argue that one back and forth all day. SBS with ISA is designed to give the maximum security possible in combination with low cost, ease of use, and a single-server configuration.

Hackers break into servers with unpatched software and poor passwords. It's much easier to do that than get past ANY correctly-configured firewall, be it ISA on SBS, ISA on a separate box, or another, separate firewall. Only Robert Redford and John Travolta get past firewalls. :)

The growing problem is going to be nasty stuff that's encapsulated into allowed protocols, like HTTP and HTTPS. That's where ISA is nice. It decrypts SSL, examines the content for nasties, re-encrypts it, and THEN sends it on to the hosting server for processing. Most other firewalls can't do anything with SSL. They can't even read it.
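What "decrypts SSL, examines the content for nasties, re-encrypts it" looks like at the request level, as an added example that is not code from this thread or from ISA: once the bridging proxy has terminated the client's TLS session it holds the plain HTTP request, and this code applies an OWA-style publishing policy to that decrypted request (method allowlist, Host check, path normalisation with double decoding, OWA path allowlist, length limits) and returns the rewritten request the proxy would send on over a new TLS session to the front-end. The host names, the allowlists and the sample requests are constructed; the TLS termination itself and the upstream TLS session are not shown.

```python
# Added example, not from the original thread: the inspection step of an
# SSL-bridging reverse proxy publishing OWA. Host names, allowlists and the
# sample requests are constructed for illustration.
from urllib.parse import unquote
import posixpath

PUBLIC_HOST = "mail.example.com"   # name clients connect to (constructed)
INTERNAL_FE = "fe01.corp.local"    # front-end the proxy forwards to (constructed)

# OWA 2003 virtual directories, plus /rpc for RPC over HTTP(S).
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/", "/rpc/")
# Methods OWA and RPC over HTTP actually use; anything else is rejected.
ALLOWED_METHODS = {
    "GET", "POST", "OPTIONS", "PROPFIND", "PROPPATCH", "BPROPPATCH",
    "SEARCH", "POLL", "SUBSCRIBE", "UNSUBSCRIBE", "RPC_IN_DATA", "RPC_OUT_DATA",
}
MAX_URL_LEN = 2048   # limits like these are part of the HTTP filter too
MAX_HEAD_LEN = 8192


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, version, headers, body).
    Headers are returned as an ordered list of (name, value) pairs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if len(head) > MAX_HEAD_LEN:
        raise ValueError("request head too large")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body


def normalize_path(target: str) -> str:
    """The path as the web server would see it: query stripped, percent-decoding
    applied twice (catches %252e%252e), backslashes folded, '..' resolved."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def path_published(path: str) -> bool:
    return any(path == p.rstrip("/") or path.startswith(p) for p in ALLOWED_PREFIXES)


def inspect(raw: bytes):
    """Apply the publishing policy to a decrypted request.
    Returns ("ALLOW", bytes_to_send_to_fe) or ("DENY", reason)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as e:
        return "DENY", str(e)
    if method not in ALLOWED_METHODS:
        return "DENY", f"method {method} not published"
    if len(target) > MAX_URL_LEN:
        return "DENY", "URL too long"
    host = next((v for n, v in headers if n.lower() == "host"), "")
    if host.lower() != PUBLIC_HOST:
        return "DENY", f"unexpected Host {host!r}"
    path = normalize_path(target)
    if "\x00" in path:
        return "DENY", "NUL byte in path"
    if not path_published(path):
        return "DENY", f"path {path} is outside the published OWA paths"
    # Policy passed: rewrite Host to the internal FE and re-serialise. The
    # proxy would send these bytes over a TLS session it opens to INTERNAL_FE.
    fwd = [(n, INTERNAL_FE if n.lower() == "host" else v) for n, v in headers]
    head = "\r\n".join([f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in fwd])
    return "ALLOW", head.encode("latin-1") + b"\r\n\r\n" + body


# Constructed sample requests, as they look after TLS termination.
SAMPLES = {
    "owa inbox": b"GET /exchange/alice/Inbox/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "encoded traversal": b"GET /exchange/%2e%2e/_vti_bin/owssvr.dll HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "double-encoded traversal": b"GET /exchange/%252e%252e/scripts/cmd.exe HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "unpublished directory": b"GET /exchadmin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "odd method": b"TRACE /exchange/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "wrong host": b"GET /exchange/ HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        verdict, detail = inspect(req)
        print(label, verdict, detail if verdict == "DENY" else "forwarded to " + INTERNAL_FE)
```

The point of the example is the order of operations: a packet filter that never sees inside the TLS session cannot make any of these decisions, and even a plain HTTP proxy that matches the raw URL against "/exchange/" would pass the encoded traversal through. The check has to run on the decoded, normalised path, which is only possible after the proxy has terminated the client's session.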
 

RebateMonger

Originally posted by: InlineFour
Do most companies who run Exchange servers also use ISA Server as their firewall?
Probably not. ISA hasn't been that popular in the past. "Most" large companies probably run hardware firewalls or Linux boxes. Most small companies use a consumer-level router or, maybe, a low-end hardware firewall.

As far as "...most companies who run exchange servers...", I've read that there are more Exchange Servers running on SBS than in the entire rest of the IT world. Large companies may only have a handful of Exchange Servers, while every single SBS install has one.
 

InlineFour

Regarding the companies who don't use ISA firewalls, do they just have the Exchange server on the same network as the AD? This also means that the Exchange server would be on the same network as the client machines as well, since the AD needs to communicate with the clients.
 

spyordie007

We don't use ISA and we don't run a FE/BE Exchange infrastructure (the FE/BE setup doesn't work well in our distributed deployment).

The solution that we opted for was to setup a dedicated mail gateway on the DMZ (not Exchange) that passes the traffic on back. It was the best option when we first set it up; however if and when we look at updating this I will likely move to bring in ISA.
Originally posted by: InlineFour
Do they just have the Exchange server on the same network as the AD? This also means that the Exchange server would be on the same network as the client machines as well, since the AD needs to communicate with the clients.
Yes, there are a lot of companies that do it this way.