Re: Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay...
From: Dan Wright (postmaster_at_127.0.0.1)
Date: 06/30/04
- Next message: anonymous_at_discussions.microsoft.com: "RE: MAPI32.DLL"
- Previous message: Josh Collins: "Non-Deliverable Bounce Backs"
- In reply to: Bob Christian II: "RE: Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay..."
- Next in thread: Lanwench [MVP - Exchange]: "Re: Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay..."
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 30 Jun 2004 15:58:18 -0700
Bob,
Thanks for the reply. Looks like I have some reading to do :-)
BTW, I canceled my post here and reposted in m.p.e.design since I
thought it would be more appropriate there. I'm setting my followup
also.
How would you set this up? What do you mean by "scanner on a desktop"?
I know mail tolerably well. Setting up an SMTP relay would be easy and
I might do it anyway just to give me more control than Exchange does.
I have no idea what would be necessary to proxy for OWA though.
Management's current idea is to make everyone use OWA 90% of the time.
They saw a demo of OWA in 2003 and were impressed. I don't know much
about web serving from Windows and what I did know is several years
old. IIS used to be a favorite way to crack a server. I really hate
to expose it to the net, but maybe that has changed. Is IIS better
than it used to be? I know a lot of people use ISA. I was so burned
by proxy server I have never put in an ISA box.
Again, what would you do?
Thanks again,
Dan
In article <1C076EB1-E7C4-4F1D-ACC9-DC66BE643CF4@microsoft.com>, Bob
Christian II <BobChristianII@discussions.microsoft.com> wrote:
> Dan:
> This might be a good place to start.
>
> http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
>
> It is much easier(and safer) with a front-end (even a scanner on a desktop)
> that faces the "Net". However, Exchange can happily sit in the DMZ with the
> proper routing configured for the client systems as well as the AD DC/GC.
> Now, this does take a lot of planning and some testing in order to be secure.
>
> Bob
>
>
> "Dan Wright" wrote:
>
> > Greetings,
> >
> > I am revamping my topology and wondering where to put the mail server.
> > It is not Exchange now but probably will be within a year.
> >
> > We are not big enough for a front end/back end deployment so let's get
> > that idea off the table. The client has no IT staff and less than a
> > hundred users. Two Exchange servers will not fly. It might be the
> > right thing to do but we don't always get to do the right thing. Darn
> > Real World[TM].
> >
> > My DMZ options on the firewall (SonicWall 4060) are NAT, bridged off
> > one WAN, or routed. I doubt I can get the IP space I need from the ISP
> > so I am stuck with bridged or NAT'd. I'm worried about bridged with
> > two WAN links. It should work but it makes me nervous. I am looking
> > for anyone who is using a SonicWall transparent DMZ with load balancing
> > on two WAN interfaces. Please let me know if you have this
> > configuration.
> >
> > With my first three choices unavailable I am stuck thinking about NAT'd
> > DMZ vs. port forwarding to the LAN vs. a relay/proxy server. My
> > preference would be to put the Exchange server in the DMZ and NAT it.
> > LAN is 10.1.0.0/16. DMZ would be 10.100.0.0/16. Let the firewall
> > route between the subnets and hope I can open all the ports it needs.
> > I tried to do this once before with a directory server in the DMZ and
> > never did get it talking reliably to the LAN. Where can I find a good
> > whitepaper (or ideally a recipe?) Having failed before I am nervous
> > about doing this with a production server.
> >
> > What would you do?
> >
> > How does Exchange play with AD when they are in different subnets? How
> > many ports are used? Are they all static? If not can I make them
> > static?
> >
> > I could also do a proxy/relay server if I have to. The hardware would
> > have to be low end. How well would that work? I was burned so badly
> > by proxy server back in the NT4 days that I haven't touched it since.
> > I might do Communigate (a fantastic little mail server) for the relay
> > but I don't know what to use for the proxy.
> >
> > Any advice (and especially pointers to research material) will be
> > greatly appreciated.
> >
> > Thanks in advance,
> >
> > Dan
> >