Re: Moving Exchange Server
From: Dan (Dan_at_discussions.microsoft.com)
Date: 01/07/05
- Next message: strongline: "Re: can't complete step 16 of kb822450"
- Previous message: Maurizio Cucchiara: "for very expert"
- In reply to: Steve: "Re: Moving Exchange Server"
- Next in thread: Mark Arnold [MVP]: "Re: Moving Exchange Server"
- Reply: Mark Arnold [MVP]: "Re: Moving Exchange Server"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 6 Jan 2005 20:25:02 -0800
Placing them in the LAN gives internal users 100% access with no firewall to
protect against viruses or anything an internal user desires to do to them,
so what you are stating is not safe at all, they are wide open! How do you
keep the servers safe from Internal users? It is not just external users
(Internet) you have to deal with, you must look at all sides, this is why
there IS a DMZ! External users access the FE Exchange via HTTPS, so
everything is encrypted and only one port is open to all users, internal or
otherwise. The communication between BE and FE are on the same switch in the
DMZ, thus 0% risk/ports open between them. You never want to open ANY ports
on the LAN. This is just common security 101.
What I need is to consolidate AD to one domain and ensure that everything
will work properly. If Microsoft Exchange and/or Active Directory cannot run
in the DMZ, then I need to know how I need to make it secure, because placing
it in the LAN is not secure in my mind.
Do I remove the child domain and then add AD to the LAN as the root?
Then reload the AD for the root (after waiting 24 hours for replication) as
a second server in the LAN?
But then this opens up more holes between the DMZ and the LAN...so I am just
not sure how you allow communication to work 100% correctly without a VPN
connection for all external users and budgets will not allow this...so how do
you allow POP3 SSL or Exchange Services to run and be protected and have
authentication work properly? The books and Microsoft techs are conflicting
and they keep changing their minds...
If this were a new install, what is the best (most secure) method for AD and
Exchange? I do not see how an external user could damage a FE exchange server
as they must have a password to gain access and only 1 port is open to the
outside.
ok now I am just rambling on again... could someone give me a straight
answer on this one? What is the most secure method to deploy, regardless of
cost...the ideal to keep BOTH internal and external users in check...
Dan
"Steve" wrote:
> Dan,
> Maybe this will help clear up things;
> 1. Mark is right - put both the Front and Backend server in your trusted
> LAN (yes, that is not how it was previously recommended). Here's why. When
> people connect to the FE (front end exchange server) they are coming in over
> port 443 SSL so you only have one "hole".
> Communication between the FE and BE opens up a whole bunch of "holes" from
> the DMZ to your Trusted LAN in the old config where a FE is in the DMZ. What
> was happening is most people put lots of different types of servers in a
> single DMZ and now all kinds of "holes" are open from Untrusted to the DMZ.
> Hackers get in through another one of these "holes" that your other server
> uses and now can get from the DMZ to Trusted a lot easier. Granted, if
> you're only using a FE in the DMZ then leave it there, or if you have enough
> money (like some big companies do) then segment your DMZ and make one
> specific for only your FE farm.
>
> 3. The ISA is for if you have your FE in the Trusted zone
>
> "Dan" wrote:
>
> > Hmm....
> >
> > 1. Where do I put the frontend and backend for exchange? Based on the Exam
> > 70-284 Exchange Server 2003 Microsoft book, they state to place the front-end
> > in the DMZ and the backend in the LAN, but placing it directly on the
> > Internet is better? Not understanding this thought process. Security is the
> > goal.
> >
> > 2. Removing the child domain so that only root.com exists will not cause any
> > issues when I move the exchange server from the dmz (192.168.0.0) to the lan
> > (172.16.0.0)? What about the AD Server itself...changing the root.com IP
> > Address may cause some issues right? Can you give me more detail on what
> > where and how?
> >
> > 3. Our firewall has an SMTP Proxy, so leaving the SMTP in the DMZ should be
> > fine, especially since it has antivirus and antispam, etc. on it. No need for
> > ISA.
> >
> > 4. When clients go out to the Intranet: ie www.root.com/exchange, they get
> > served the public IP address that is registered and since the firewall will
> > not allow traffic to go out from an internal address and back in to the DMZ,
> > you must get internal address first, else they will never reach the site.
> > Would it be better to disable the internal DMZ network (ie 192.168.0.0) and
> > go with the external, thus no internal address is required? This should work
> > very well, but only if I can easily change the IP Addresses on the Exchange
> > Servers, Active Directory Servers and not have huge headaches or downtime.
> >
> > 5. Should I just demote the child domain and then install a new Active
> > Directory Server in the LAN (172.16.0.0) and wait a day for it to replicate,
> > then reinstall the other Active Directory Server in the LAN? Then all I need
> > to do is move the Exchange to the LAN and I am done. Right?
> >
> >
> > "Mark Arnold [MVP]" wrote:
> >
> > > On Thu, 6 Jan 2005 11:55:03 -0800, Dan <Dan@discussions.microsoft.com>
> > > wrote:
> > >
> > > >So you recommend to keep everything in the DMZ and remove AD from the server
> > > >on the LAN side to kill the child?
> > >
> > > No, get everything out of the DMZ except perhaps this smtp gateway (if
> > > it is a separate box) and make that box an ISA server. The DMZ is no
> > > place for an Exchange environment.
> > > >
> > > >Then make any changes to the clients as needed and have them login to only
> > > >the domain.com?
> > >
> > > Yes, change the environment so you only have root.com, decommissioning
> > > child.root.com in the process.
> > >
> > > >
> > > >What about the 1-1 NAT DNS issue? I am confused on why they are receiving
> > > >the external addresses first, since they are all on a 192.168.0.0 network?
> > >
> > > Explain that a little more for me, will you?
> > > >
> > > >Any tips on this one?
> > >
> > > >> >situation? Also, would it be better to have just one domain instead of the
> > > >> >parent-child domains? This way we could build in some protection for the
> > > >> >Active Directory by having two servers to handle one domain?
> > > >> >
> > > >> >Please help.
> > > >> >
> > > >> >Dan
> > > >>
> > > >> No, have both Exchange servers and the DC in the DMZ.
> > > >> If you want something in the DMZ then use an ISA server in its own
> > > >> workgroup in the DMZ. Use the articles on www.isaserver.org to publish
> > > >> the OWA.
> > > >> Ditch the parent/child domain in favour of a single domain.
> > > >>
> > > >> You can move all the servers you want and change the IP addresses and
> > > >> DNS/WINS configurations etc.
> > > >> This is the most back to front network I've seen (this week)
> > > >>
> > > >>
> > >
> > >
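The disagreement in this thread comes down to how many firewall rules each placement needs between the DMZ and the trusted LAN. The script below is an added example written for this page, not code from any of the posters or from Microsoft: it models the two designs under discussion (front-end server in the DMZ versus front-end and back-end both on the LAN with an ISA server publishing OWA from the DMZ) as zone-to-zone rule lists and audits the DMZ-to-Trusted flows against an allowlist. The rule sets, zone names and the list of ports an Exchange 2003 front-end needs towards back-end servers and domain controllers are constructed assumptions for the example; the thread itself does not enumerate them.

```python
"""Zone-flow audit for two Exchange placements.

Added example for this thread (not code from the posters or from Microsoft).
All rule sets below are constructed for illustration; the port list for
design A is an assumption, not something the thread states.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int  # 0 means "any port" (e.g. an RPC dynamic-port range)
    note: str


# Zones as the thread uses them: Untrusted (Internet), DMZ, Trusted (the LAN).
# Only flows that cross a zone boundary are modelled; same-zone traffic
# (e.g. FE and BE on the same DMZ switch) never passes the firewall.

# Design A: front-end in the DMZ, back-end and domain controllers on the LAN.
# The DMZ->Trusted rules are the "whole bunch of holes" Steve refers to.
# ASSUMPTION: this port list is illustrative, not taken from the thread.
DESIGN_FE_IN_DMZ = [
    Rule("Untrusted", "DMZ", "tcp", 443, "HTTPS to FE (OWA)"),
    Rule("DMZ", "Trusted", "tcp", 80, "FE -> BE HTTP proxying"),
    Rule("DMZ", "Trusted", "tcp", 88, "Kerberos to DC"),
    Rule("DMZ", "Trusted", "tcp", 389, "LDAP to DC"),
    Rule("DMZ", "Trusted", "tcp", 3268, "Global catalog"),
    Rule("DMZ", "Trusted", "udp", 53, "DNS"),
    Rule("DMZ", "Trusted", "tcp", 135, "RPC endpoint mapper"),
    Rule("DMZ", "Trusted", "tcp", 0, "RPC dynamic ports"),
]

# Design B: FE and BE both on the LAN, an ISA server in its own workgroup
# in the DMZ publishing OWA (Mark's recommendation in the thread).
DESIGN_FE_IN_LAN = [
    Rule("Untrusted", "DMZ", "tcp", 443, "HTTPS to ISA"),
    Rule("DMZ", "Trusted", "tcp", 443, "ISA -> published FE over HTTPS"),
]

# Flows a reviewer is prepared to accept from the DMZ into the LAN.
ALLOWLIST = {("tcp", 443)}


def exposure(rules, src_zone, dst_zone):
    """Set of (proto, port) that src_zone may reach inside dst_zone."""
    return {
        (r.proto, r.port)
        for r in rules
        if r.src_zone == src_zone and r.dst_zone == dst_zone
    }


def audit(rules, allowed):
    """Flag each DMZ->Trusted rule that is any-port or not on the allowlist."""
    findings = []
    for r in rules:
        if r.src_zone != "DMZ" or r.dst_zone != "Trusted":
            continue
        if r.port == 0:
            findings.append(f"ANY-PORT: {r.note}")
        elif (r.proto, r.port) not in allowed:
            findings.append(f"NOT ALLOWLISTED: {r.proto}/{r.port} ({r.note})")
    return findings


def internet_reaches_lan_directly(rules):
    """True if any rule lets Untrusted talk straight to Trusted (should never happen)."""
    return bool(exposure(rules, "Untrusted", "Trusted"))


if __name__ == "__main__":
    for name, rules in (("FE in DMZ", DESIGN_FE_IN_DMZ),
                        ("FE in LAN + ISA", DESIGN_FE_IN_LAN)):
        print(f"== {name} ==")
        print("DMZ -> Trusted flows:", sorted(exposure(rules, "DMZ", "Trusted")))
        print("Direct Internet -> LAN:", internet_reaches_lan_directly(rules))
        for f in audit(rules, ALLOWLIST) or ["no findings"]:
            print("  ", f)
```

Running it shows design A needing seven distinct DMZ-to-LAN flows (one of them an open-ended RPC range) against a single HTTPS flow for design B; the audit is the kind of check worth running over a real rule base export before deciding which zone a server belongs in.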