Re: Exchange 2003 Front End/Back End Servers & Passwords

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 12/16/04


Date: Thu, 16 Dec 2004 09:08:28 -0500

Peter Marshall wrote:
>> Not sure how as they'll be getting authenticated on your domain. I
>> think the FE server shouldn't be in your DMZ anyway - you'll have to
>> open up a lot of ports between DMZ and LAN in order for the server
>> to communicate. Sort of negates the purpose of a DMZ.
>
> The authentication was my concern - might be more sensible to post to
> an Active Directory list. The DMZ/LAN link will have to be firewall
> controlled, in the same way that we have the Web Server/Db Servers
> set up.
>

Yes - but in order for Exchange on the FE to communicate with the back end,
you have to open up a LOT between the DMZ and LAN. Do you have ISA?

>
>> You should be using good passwords on your LAN anyway - doesn't
>> matter that it's small and trusted. 8 char. minimum, complex
>> passwords, regular forced changes.
>
> True, for small & trusted team, read lazy!

Yep - but this is important, and I'd take the issue up with management. If
inbound access is a need, this needs to be addressed.
>
>
>> That said - with a small network, are you sure you even need a FE/BE
>> config?
>
> It's the security aspects of it I'm worried about - don't want to open
> up the email server to the world any more than I have to.

Yes, but you're still opening up more than you want if you poke holes
between DMZ and LAN and aren't using a good password policy.


