Re: No front-end in DMZ
From: Boris Lokhvitsky (msexpert_at_community.nospam)
Date: Wed, 19 Jan 2005 14:26:33 -0800
Okay, this turns to be an eternal and very interesting discussion. I would
like to play a devil's advocate and defend the idea of Exchange FE in the
DMZ. Can you guys beat my arguments? Ben, Mark?
Let's assume for clarity that we consider Exchange 2003 SP1 on Windows 2003
Exchange servers and Windows 2003 domain controllers.
1. ISA server is out of consideration at all immediately. When I say "ISA"
out loud, our network security guys start having heart attacks all at once.
I can't afford to pay their hospital bills. :)
Going beyond emotions, ISA server placed in the DMZ requires (as to best
practices from MS, basing on Steve Riley's documents and presentations)
internal network card to be connected to internal network directly, thus
bypassing the firewall between internal network and DMZ. This alone cannot
be accepted. Another argument is multiple ISA vulnerabilities (the last one
described relatively recently, is still on security guys' memory).
After excluding ISA from the design, we have three options:
2. Put front-end server to internal network and open ports 443, 25, 465,
993, and 995 to it on both external and internal firewalls. (I am an
advanced guy, I assume SSL is implemented properly with all certificates, so
all traffic between external clients and the front-end is SSL based :)).
>From the security standpoint this is not so many ports; however, the
argument is - if somebody somehow compromises front-end server, they
compromise the server which is wide open into the internal network. This
means, malicious hackers can use this server to access ANY other machine on
the network. This is a no go.
3. Put front-end serevr to internal network, put SMTP gateway/proxy on the
DMZ, and open above named ports just between these two.
This is a slightly better solution. It adds to security but subtracts from
performance. Also, I don't know any really good proxy solutions that could
support all of the following: OWA, RPC over HTTPS, IMAP-S, POP-S, WebDAV
(needed for Mac based Entourage clients). So this is still open.
4. Put one front-end server on the DMZ and another front-end server on
internal network. Have all internal clients connect to internal front-end
only, and have all external clients connect to external front-end only. On
the internal firewall, open the following ports:
135, 6001, 6004 from external front-end to each back-end;
135, 389, 3268, 1025, 1026, 1031, 6004 from external front-end to domain
controllers/global catalog servers;
135, 691, 1105 from back-end servers to external front-end.
This is more ports indeed but still not THAT many more. Less than 10 ports,
Also, even if the front-end server is compromised, it only has access to the
limited number of ports on limited number of servers, and this connectivity
can be tightly controlled from the firewall.
Now, the conclusion: without considering the ISA server, option 4 seems to
be the most reasonable choice...
Now, shoot :)
(P.S. Me personally, I would indeed prefer the solution based on ISA on the
DMZ. But we live in the real world, not in the world built in accordance
with Microsoft's best practices :))
"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote
in message news:OExbyvj$EHA.2540@TK2MSFTNGP09.phx.gbl...
> You don't need to put the Front end in the DMZ. If you do, there are a
> more security implications. If you know what you are doing, and do things
> right, putting the FE server in the DMZ can be ok, but I don't recommend
> nor does Microsoft.
> The current recommendation is to put an ISA server in your DMZ, and use
> to securely publish the FE server. If you don't have an ISA server, then
> would recommend to place your FE server in your internal network and open
> port 443 (SSL) and 25 (SMTP) to the FE server. If necessary, you can also
> open ports for IMAP and POP3. The reason for this method is that the
> End server needs to be able to talk to Active Directory as well as the
> Back-end server. If you place the FE server in the DMZ, there is a large
> list of ports that will be required to be opened. The number of ports and
> type of ports negates any security gains you might have added from putting
> the FE server in the DMZ.
> Ben Winzenz
> Exchange MVP
> "Mark" <email@example.com> wrote in message
> >> Exchange in a DMZ is a reasonably sized no.
> >> Take a look here:
> >> http://www.msexchange.org/articles_tutorials/Exchange_Server_2003/
> >> There are a number of tutorials for setting up OWA and certificates
> >> etc. Should be all you need.
> > Okay, I'm getting into this now and doing some reading. The back-end
> > front-end configuration sounds to me like the front-end server goes into
> > the
> > DMZ? Am I missing something here? Sorry for reposting/bumping this
> > response, but I was afraid it may have gotten buried.
> > Also - how necessary is the SSL on the front-end server?
> > Cheers,
> > Mark