Re: Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay...
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 06/30/04
- In reply to: Dan Wright: "Where?: DMZ, DMZ w/NAT, LAN w/NAT, Proxy and Relay..."
Date: Wed, 30 Jun 2004 17:52:08 -0400
Dan Wright wrote:
> Greetings,
>
> I am revamping my topology and wondering where to put the mail server.
> It is not Exchange now but probably will be within a year.
>
> We are not big enough for a front end/back end deployment so let's get
> that idea off the table. The client has no IT staff and less than a
> hundred users. Two Exchange servers will not fly. It might be the
> right thing to do but we don't always get to do the right thing. Darn
> Real World[TM].
>
> My DMZ options on the firewall (SonicWall 4060) are NAT, bridged off
> one WAN, or routed. I doubt I can get the IP space I need from the
> ISP so I am stuck with bridged or NAT'd. I'm worried about bridged
> with two WAN links. It should work but it makes me nervous. I am
> looking for anyone who is using a SonicWall transparent DMZ with load
> balancing on two WAN interfaces. Please let me know if you have this
> configuration.
I wouldn't put an Exchange server in the DMZ to begin with. You have to open
up so many ports between DMZ/LAN that you render the DMZ pretty insecure.
Why not just keep it inside your LAN?
>
> With my first three choices unavailable I am stuck thinking about
> NAT'd DMZ vs. port forwarding to the LAN vs. a relay/proxy server. My
> preference would be to put the Exchange server in the DMZ and NAT it.
> LAN is 10.1.0.0/16. DMZ would be 10.100.0.0/16. Let the firewall
> route between the subnets and hope I can open all the ports it needs.
> I tried to do this once before with a directory server in the DMZ and
> never did get it talking reliably to the LAN. Where can I find a good
> whitepaper (or ideally a recipe?) Having failed before I am nervous
> about doing this with a production server.
>
> What would you do?
>
> How does Exchange play with AD when they are in different subnets?
> How many ports are used? Are they all static? If not can I make them
> static?
>
> I could also do a proxy/relay server if I have to. The hardware would
> have to be low end. How well would that work? I was burned so badly
> by proxy server back in the NT4 days that I haven't touched it since.
> I might do Communigate (a fantastic little mail server) for the relay
> but I don't know what to use for the proxy.
>
> Any advice (and especially pointers to research material) will be
> greatly appreciated.
>
> Thanks in advance,
>
> Dan