Re: Front-End server question

From: Michael Mendoza (MichaelMendoza_at_discussions.microsoft.com)
Date: 03/04/05

    Date: Fri, 4 Mar 2005 14:43:03 -0800


    Ok I may have been able to persuade my boss to spring for ISA. So would ISA
    sit in the DMZ and send smtp and http/https traffic to the exchange server on
    the inside? If it does sit in the DMZ, does it have to be a domain member as
    is the case w/ an exchange fe? Thanks Al.

    Michael

    "Al Mulnick" wrote:

    > That's just it, you wouldn't have the same ports and you'd be looking for
    > 'intent' of the payload for any maliciousness.
    >
    > > Also, if the consensus is that the fe should go on the inside of the
    > > network, wouldn't that render the point of the fe (in my case at least
    > > with only one back end server) moot?
    >
    > Yep, it would absolutely render the point moot [1]. Since your DMZ is no
    > longer acting like a DMZ a la Ed's description: traffic would originate from
    > the DMZ and have an expected path. You wouldn't know the good from the bad
    > in most cases.
    >
    > Not sure why sales recommended that solution to you. Maybe some other
    > details pointed them in that direction? Maybe ISA wasn't an option?
    >
    > Was it me, I'd trade the FE server for the ISA in a single Exchange server
    > environment. That's me though. I can't see a point in a FE server in that
    > environment.
    >
    > [1] OK, so the user would have access to only your DCs, DNS, GCs, etc. and
    > not other apps directly [2]
    > [2] They'd have to hack a DC or DNS or Exchange server to gain unrestricted
    > access in most environments if you left the FE server in the DMZ. Still not
    > usually trivial, but the stakes are much, much higher for the work.
    >
    >
    > "Michael Mendoza" <MichaelMendoza@discussions.microsoft.com> wrote in
    > message news:E951556D-B732-4226-A1F1-420C5C69FADD@microsoft.com...
    > > So how is putting the FE inside the network any better than having it in
    > > the DMZ? Depending on your situation you'd still have the same ports (80, 25
    > > etc.) open regardless of its location in the network.
    > >
    > > This thread is of particular interest to me as I'm about to deploy
    > > exchange and am struggling to come up with the 'best' way to set this up.
    > > MS sales recommended a single fe server to go along w/ our single backend
    > > server. I don't have an ISA server and am fairly sure I will not be able to
    > > get one. I have a PIX and had planned on putting the FE in the DMZ and was
    > > going to open up the necessary holes to allow this to work. So now I'm just
    > > trying to get a consensus on what would be the best way to set this up?
    > >
    > > Also, if the consensus is that the fe should go on the inside of the
    > > network, wouldn't that render the point of the fe (in my case at least
    > > with only one back end server) moot?
    > >
    > > Thanks for your help.
    > >
    > >
    > > Michael
    > >
    > > "Ed Woodrick" wrote:
    > >
    > >> DMZs were originally created as an area in which things could terminate,
    > >> but not originate. FTP for example is a good example. You stick an FTP
    > >> server in the DMZ, people can leave things on it, people could pick things
    > >> up from it. But no matter what the situation, no connections can exit the
    > >> DMZ, which also means that nothing can transit the DMZ.
    > >>
    > >> So putting a member server in the DMZ pretty well blows any concept of
    > >> security that you might have. If the member server gets compromised, then
    > >> it has free rein to the intranet, as if the firewall didn't exist at all.
    > >> IPSec doesn't do anything to help the situation, just makes people think
    > >> that something is secure.
    > >>
    > >>
    > >>
    > >> "Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
    > >> news:uJtP7gAIFHA.1528@TK2MSFTNGP09.phx.gbl...
    > >> >
    > >> > Note that *some* would argue that if you had an application layer
    > >> > firewall, you wouldn't really need a DMZ. A DMZ would be an archaic
    > >> > throwback since its job is to allow you to cut off conversation from
    > >> > the untrusted to the trusted (soft squishy core). I still see some value
    > >> > in a DMZ myself, but just throwing that out there.
    > >> >
    > >> > Al
    > >> >
    > >> >
    > >>
    > >>
    >
    >
    >
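
As an added illustration of the trade-off argued in the thread above (example code, not from any of the posters): a small Python audit of two constructed zone-based rulesets, one with the domain-member front-end in the DMZ and one with it inside, reporting which connections originate from the DMZ and which internal services they reach. The zone names, the rule format and the port table are assumptions of this example, not taken from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone whose host opens the connection
    dst_zone: str   # zone that accepts it
    port: int       # TCP destination port
    purpose: str

# Well-known ports a domain member needs on its DCs (assumed set, not from the thread).
DOMAIN_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                389: "LDAP", 445: "SMB", 3268: "Global Catalog"}

def dmz_originated(rules):
    """Rules that let a DMZ host open a connection into the internal zone."""
    return [r for r in rules if r.src_zone == "dmz" and r.dst_zone == "internal"]

def audit(rules):
    """Summarise how far a ruleset departs from the terminate-only DMZ model."""
    outbound = dmz_originated(rules)
    reachable = sorted(DOMAIN_PORTS[r.port] for r in outbound if r.port in DOMAIN_PORTS)
    return {
        "dmz_originated": len(outbound),
        "internet_to_internal": sum(r.src_zone == "internet" and r.dst_zone == "internal"
                                    for r in rules),
        "domain_services_reachable": reachable,
        # Kerberos plus LDAP open inward means a compromised DMZ host reaches the
        # DCs directly, the situation Al's footnote [2] describes.
        "domain_member_in_dmz": {88, 389} <= {r.port for r in outbound},
    }

# Constructed ruleset: Exchange front-end in the DMZ as a domain member.
FE_IN_DMZ = [
    Rule("internet", "dmz", 443, "OWA over HTTPS to front-end"),
    Rule("internet", "dmz", 25, "inbound SMTP to front-end"),
    Rule("dmz", "internal", 53, "DNS lookups against internal DNS"),
    Rule("dmz", "internal", 88, "Kerberos to domain controllers"),
    Rule("dmz", "internal", 389, "LDAP to domain controllers"),
    Rule("dmz", "internal", 3268, "Global Catalog queries"),
    Rule("dmz", "internal", 135, "RPC endpoint mapper to back-end"),
    Rule("dmz", "internal", 80, "HTTP proxying to back-end"),
    Rule("dmz", "internal", 25, "SMTP relay to back-end"),
]

# Constructed ruleset: front-end moved inside. The same service ports now open
# straight from the internet, but nothing in the DMZ talks inward.
FE_INSIDE = [
    Rule("internet", "internal", 443, "OWA over HTTPS to front-end"),
    Rule("internet", "internal", 25, "inbound SMTP to front-end"),
]
```

Running `audit` over both lists shows Michael's point (443 and 25 are open either way) next to Ed's (only the DMZ placement needs a host in the DMZ to reach the domain controllers).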

