Re: Best Practices for exposing Exchange to web
From: Mark Arnold [MVP] (mark_at_mvps.org)
Date: 02/23/05
- Next message: Kirill S. Palagin: "Re: physical/virtual memory usage problem"
- Previous message: Mark Arnold [MVP]: "Re: Clarification on Front/Back Topoplogy"
- In reply to: Jim: "Best Practices for exposing Exchange to web"
- Next in thread: Jim: "Re: Best Practices for exposing Exchange to web"
- Reply: Jim: "Re: Best Practices for exposing Exchange to web"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 23 Feb 2005 17:39:59 +0000
On Wed, 23 Feb 2005 07:14:20 -0800, "Jim" <.> wrote:
>Hello all, We currently use Lotus Notes for e-mail and have a front end
>server in the DMZ that handles web access. This server
>communicates/replicates with the main server inside the firewall using only
>one port. Fairly secure.
>
>We are in the process of migrating to Exchange server and I am investigating
>how I'd set up the same type of functionality for Exchange. I've read on
>the Microsoft site that I should set up a front end server in the DMZ and
>open a host of ports to the internal network to facilitate the exchange
>version of the same - including what appears to be extending access to my AD
>to the DMZ. This seems a little scary opening up all these ports
>(especially exposing my AD to the DMZ) but that seems to be the
>recommendation.
>
>But, while doing this research I've found many very passionate admins,
>including several Microsoft vendors, who feel exposing all these ports is
>risky and they "strongly" recommend just opening port 80 through the
>firewall to the internal Exchange server. I understand the merits of having
>a front end server - taking some load off the internal server and all that.
>
>Can anyone please shed some light on the best way to achieve some security
>while providing access to exchange from the web?
>
>Is opening port 80 through to the internal network more or less risky than
>opening all the ports to the DMZ?
>
>Is there any way to use the front end server in the DMZ without opening so
>many ports?
>
>Any advice or description of how you do this would be appreciated!!
>
>Thanks in advance!
>Jim
>
Setting up an FE in the DMZ is no longer the recommended solution. It
certainly was in the E2K / ISA2K days but no longer with E2K3 and
ISA2K4.
For an Exchange server you don't go near TCP 80 so ignore the advice
of anyone who suggests you do. TCP 443 and use SSL is the only safe
way to go with people's email.
The best option is to set up an ISA in the DMZ and use the Form Based
Authentication publishing to provide access to the FE in the LAN.
Usually (small orgs) the ISA will be a workgroup member and you'll
just publish. But you can just as readily configure a Radius solution
and ensure that all users are fully authenticated before handing them
off to the FE. This neatly prevents DoS attacks on the FE. You'll need
experience with Radius with W2K3 but there are KB articles and papers
for that.
As for the ISA there are papers at www.isaserver.org and
www.msexchange.org to help you configure ISA to talk to FE and
configure the FE for SSL.
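The three designs discussed in this thread (front-end in the DMZ with AD ports opened inward, port 80 straight to the internal server, and the ISA-publishing layout the reply recommends) can be written down as zone-to-zone rule sets and audited against the points Mark makes. The script below is an added illustration, not code from the thread or from Microsoft; the Rule model, the zone and host labels, the list of AD/RPC ports and the three sample rule sets are all constructed for this example.

```python
# Added example: audit a perimeter rule set against the topology recommended in
# the reply (ISA in the DMZ, Exchange front-end in the LAN, TCP 443 only).
# Zone names, host role labels and rule format are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow between zones. Zones are 'internet', 'dmz', 'lan'."""
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port: int
    dst_host: str   # role label of the destination: "isa", "fe", "dc", "radius", ...


# Well-known AD/RPC service ports; allowing these from the DMZ inward is what
# "extending access to my AD to the DMZ" looks like in a rule set.
AD_PORTS = {("tcp", 88), ("udp", 88), ("tcp", 135), ("tcp", 389), ("udp", 389),
            ("tcp", 445), ("tcp", 3268)}


def audit(rules):
    """Return a list of findings; an empty list means the rule set matches the
    recommended design. Each check corresponds to one point in the reply."""
    findings = []
    for r in rules:
        inbound = r.src_zone == "internet"
        if inbound and r.proto == "tcp" and r.port == 80:
            findings.append(f"TCP 80 open from the internet to {r.dst_host}: "
                            "mail over cleartext HTTP")
        if inbound and r.dst_zone == "lan":
            findings.append(f"internet reaches LAN host {r.dst_host} directly on "
                            f"{r.proto}/{r.port}: nothing pre-authenticates the request")
        if inbound and r.dst_zone == "dmz" and r.dst_host == "fe":
            findings.append("Exchange front-end placed in the DMZ")
        if r.src_zone == "dmz" and r.dst_zone == "lan" and (r.proto, r.port) in AD_PORTS:
            findings.append(f"DMZ can reach AD/RPC port {r.proto}/{r.port} on {r.dst_host}")
    # The one path the design needs: 443 to the ISA listener, then 443 on to the FE.
    edge = any(r.src_zone == "internet" and r.dst_zone == "dmz" and r.dst_host == "isa"
               and (r.proto, r.port) == ("tcp", 443) for r in rules)
    backhaul = any(r.src_zone == "dmz" and r.dst_zone == "lan" and r.dst_host == "fe"
                   and (r.proto, r.port) == ("tcp", 443) for r in rules)
    if not edge:
        findings.append("no TCP 443 path from the internet to the ISA publishing listener")
    if not backhaul:
        findings.append("no TCP 443 path from the ISA to the front-end in the LAN")
    return findings


# Constructed rule sets for the three designs discussed in the thread.
FE_IN_DMZ = [  # the older FE-in-DMZ layout Jim was reading about
    Rule("internet", "dmz", "tcp", 443, "fe"),
    Rule("dmz", "lan", "tcp", 389, "dc"),
    Rule("dmz", "lan", "tcp", 88, "dc"),
    Rule("dmz", "lan", "tcp", 135, "dc"),
    Rule("dmz", "lan", "tcp", 443, "exchange-be"),
]
PORT_80_DIRECT = [  # "just open port 80 to the internal Exchange server"
    Rule("internet", "lan", "tcp", 80, "exchange"),
]
ISA_PUBLISHING = [  # what the reply recommends
    Rule("internet", "dmz", "tcp", 443, "isa"),
    Rule("dmz", "lan", "tcp", 443, "fe"),
    Rule("dmz", "lan", "udp", 1812, "radius"),  # optional RADIUS pre-authentication
]

if __name__ == "__main__":
    for name, rules in (("FE in DMZ", FE_IN_DMZ), ("port 80 direct", PORT_80_DIRECT),
                        ("ISA publishing", ISA_PUBLISHING)):
        print(f"{name}: {audit(rules) or ['ok']}")
```

Running it prints findings for the first two rule sets and "ok" for the ISA-publishing layout. The audit deliberately treats the DMZ-to-LAN RADIUS flow as acceptable: it carries an authentication decision, not directory traffic, which is the distinction the reply draws between pre-authenticating on the ISA and exposing AD itself.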