RE: Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay...
From: Bob Christian II (BobChristianII_at_discussions.microsoft.com)
Date: 06/30/04
- In reply to: Dan Wright: "Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay..."
Date: Wed, 30 Jun 2004 14:21:03 -0700
Dan:
This might be a good place to start.
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
It is much easier (and safer) with a front-end (even a scanner on a desktop) that faces the "Net". However, Exchange can happily sit in the DMZ with the proper routing configured for the client systems as well as the AD DC/GC. Now, this does take a lot of planning and some testing in order to be secure.
Bob
"Dan Wright" wrote:
> Greetings,
>
> I am revamping my topology and wondering where to put the mail server.
> It is not Exchange now but probably will be within a year.
>
> We are not big enough for a front end/back end deployment so let's get
> that idea off the table. The client has no IT staff and less than a
> hundred users. Two Exchange servers will not fly. It might be the
> right thing to do but we don't always get to do the right thing. Darn
> Real World[TM].
>
> My DMZ options on the firewall (SonicWall 4060) are NAT, bridged off
> one WAN, or routed. I doubt I can get the IP space I need from the ISP
> so I am stuck with bridged or NAT'd. I'm worried about bridged with
> two WAN links. It should work but it makes me nervous. I am looking
> for anyone who is using a SonicWall transparent DMZ with load balancing
> on two WAN interfaces. Please let me know if you have this
> configuration.
>
> With my first three choices unavailable I am stuck thinking about NAT'd
> DMZ vs. port forwarding to the LAN vs. a relay/proxy server. My
> preference would be to put the Exchange server in the DMZ and NAT it.
> LAN is 10.1.0.0/16. DMZ would be 10.100.0.0/16. Let the firewall
> route between the subnets and hope I can open all the ports it needs.
> I tried to do this once before with a directory server in the DMZ and
> never did get it talking reliably to the LAN. Where can I find a good
> whitepaper (or ideally a recipe?) Having failed before I am nervous
> about doing this with a production server.
>
> What would you do?
>
> How does Exchange play with AD when they are in different subnets? How
> many ports are used? Are they all static? If not can I make them
> static?
>
> I could also do a proxy/relay server if I have to. The hardware would
> have to be low end. How well would that work? I was burned so badly
> by proxy server back in the NT4 days that I haven't touched it since.
> I might do Communigate (a fantastic little mail server) for the relay
> but I don't know what to use for the proxy.
>
> Any advice (and especially pointers to research material) will be
> greatly appreciated.
>
> Thanks in advance,
>
> Dan
>