Re: Moving Exchange Server

From: Mark Arnold [MVP] (mark_at_mvps.org)
Date: 01/07/05


Date: Fri, 07 Jan 2005 13:26:39 +0000

On Thu, 6 Jan 2005 20:25:02 -0800, Dan <Dan@discussions.microsoft.com>
wrote:

>Placing them in the LAN gives internal users 100% access with no firewall to
>protect against viruses or anything an internal user desires to do to them,
>so what you are stating is not safe at all, they are wide open! How do you
>keep the servers safe from Internal users? It is not just external users
>(Internet) you have to deal with, you must look at all sides, this is why
>there IS a DMZ! External users access the FE Exchange via HTTPS, so
>everything is encrypted and only one port is open to all users, internal or
>otherwise. The communication between BE and FE are on the same switch in the
>DMZ, thus 0% risk/ports open between them. You never want to open ANY ports
>on the LAN. This is just common security 101.

I think you misunderstand what the DMZ is for, or we misunderstand
what you have actually done.
1. The ISA Server and/or SMTP gateway located in the DMZ receives all
the inbound mail and scans it using a package of your choice.
2. Safe mail is then sent to the Exchange servers, which also have
anti-virus installed.
3. The clients, which also have anti-virus, communicate with each other
and the Exchange server in a safe, virus-free manner.

If you only have TCP 443 permitted from the perimeter into the DMZ, then
the DMZ isn't a DMZ, it's a badly segmented section of LAN and you
might as well collapse these two LAN segments into one.

>
>What I need is to consolidate AD to one domain and ensure that everything
>will work properly. If Microsoft Exchange and/or Active Directory cannot run
>in the DMZ, then I need to know how I need to make it secure, because placing
>it in the LAN is not secure in my mind.
>
>Do I remove the child domain and then add AD to the LAN as the root?
>Then reload the AD for the root (after waiting 24 hours for replication) as
>a second server in the LAN?
>
>But then this opens up more holes between the DMZ and the LAN...so I am just
>not sure how you allow communication to work 100% correctly without a VPN
>connection for all external users and budgets will not allow this...so how do
>you allow POP3 SSL or Exchange Services to run and be protected and have
>authentication work properly? The books and Microsoft techs are conflicting
>and they keep changing their minds...
>
>If this were a new install, what is the best (most secure) method for AD and
>Exchange? I do not see how an external user could damage a FE exchange server
>as they must have a password to gain access and only 1 port is open to the
>outside.
>
>ok now I am just rambling on again... could someone give me a straight
>answer on this one? What is the most secure method to deploy, regardless of
>cost...the ideal to keep BOTH internal and external users in check...
>
>Dan
>
>
Please see www.msexchange.me.uk/drawing12.jpg
This shows what your network should look like and yes, it's safe.
Properly configure the firewall to send all traffic to the ISA.
Properly configure the ISA to publish the OWA and RPC over HTTPS and
the POP etc. etc.
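The zone layout Mark describes (Internet to the ISA/SMTP gateway in the DMZ only on the published ports, the gateway re-originating to Exchange on the LAN, the DMZ never holding AD or the mailbox store) can be written down as a first-match firewall policy and checked, which makes the disagreement with Dan concrete. The Python below is an added example, not code from either poster or from Microsoft; every address, and the POP3-over-SSL and SMTP port numbers, are assumptions, since the thread only mentions TCP 443. It models Mark's policy, evaluates individual flows against it, and runs an audit that flags the two design errors argued about: sensitive hosts placed in the DMZ, and holes that are not pinned to a single host and port.

```python
"""Zone-based firewall policy model for the DMZ design in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional

# Constructed addressing (assumption): the post names no addresses.
DMZ_NET = IPv4Network("192.0.2.0/24")
LAN_NET = IPv4Network("10.10.0.0/16")

ISA = ip_address("192.0.2.10")        # ISA Server / SMTP gateway in the DMZ
FE = ip_address("10.10.1.20")         # Exchange front end on the LAN
BE = ip_address("10.10.1.21")         # Exchange back end (mailbox store) on the LAN
DC = ip_address("10.10.1.10")         # AD domain controller on the LAN
CLIENT = ip_address("203.0.113.5")    # an external user somewhere on the Internet

ANY = None  # wildcard for a destination host or port


def zone_of(ip: IPv4Address) -> str:
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "lan"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[IPv4Address]   # ANY = every host in dst_zone
    dport: Optional[int]              # ANY = every TCP port
    action: str                       # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and self.dst_host in (ANY, dst) and self.dport in (ANY, dport))


# Mark's layout as described in the post: first match wins, default deny between zones.
POLICY = [
    Rule("internet", "dmz", ISA, 443, "allow"),  # published OWA and RPC over HTTPS
    Rule("internet", "dmz", ISA, 995, "allow"),  # published POP3 over SSL (port assumed)
    Rule("internet", "dmz", ISA, 25, "allow"),   # inbound SMTP terminates on the gateway
    Rule("dmz", "lan", FE, 443, "allow"),        # ISA proxies the published web traffic to the FE
    Rule("dmz", "lan", FE, 995, "allow"),        # ISA proxies POP3S to the FE (port assumed)
    Rule("dmz", "lan", FE, 25, "allow"),         # scanned mail is relayed on to Exchange
]


def evaluate(policy, src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """Decide one TCP flow. Traffic that stays inside a zone never crosses the firewall."""
    if zone_of(src) == zone_of(dst):
        return "unfiltered"
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


def audit(policy, sensitive_hosts) -> list:
    """Flag the design errors the thread argues about."""
    findings = []
    for h in sensitive_hosts:
        if zone_of(h) != "lan":
            findings.append(f"{h}: AD or mailbox host sits in the {zone_of(h)} zone")
    for r in policy:
        if r.action != "allow":
            continue
        if r.src_zone == "internet" and r.dst_zone == "lan":
            findings.append(f"{r}: Internet reaches the LAN directly, the DMZ is bypassed")
        if r.src_zone == "internet" and r.dst_host is ANY:
            findings.append(f"{r}: Internet may reach every DMZ host, not only the ISA")
        if r.src_zone == "dmz" and r.dst_zone == "lan" and ANY in (r.dst_host, r.dport):
            findings.append(f"{r}: DMZ to LAN hole is not pinned to one host and one port")
    return findings


# Dan's layout as he describes it (constructed): FE, BE and the AD child domain all
# in the DMZ, a single 443 hole from the perimeter, nothing between those hosts.
DAN_BE = ip_address("192.0.2.21")
DAN_DC = ip_address("192.0.2.11")
DAN_POLICY = [Rule("internet", "dmz", ANY, 443, "allow")]

if __name__ == "__main__":
    print(evaluate(POLICY, CLIENT, ISA, 443))   # allow: the published service
    print(evaluate(POLICY, CLIENT, FE, 443))    # deny: no path from the Internet past the ISA
    print(evaluate(POLICY, ISA, DC, 389))       # deny: the gateway cannot touch AD
    print(evaluate(POLICY, FE, BE, 445))        # unfiltered: LAN-internal, as Mark's point 3
    print(audit(POLICY, [BE, DC]))              # no findings
    for finding in audit(DAN_POLICY, [DAN_BE, DAN_DC]):
        print(finding)
```

The point the model makes is the one in the reply: in Mark's design an external user can only ever reach the ISA, and the ISA can only reach one LAN host on three ports, so "one port open to the outside" is true of the perimeter without the back end or AD being exposed. In Dan's layout the same 443 rule, with every sensitive host behind it on the same switch, is what the audit flags.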


