Re: Dreaded DMZ FR/BE Questions again !
- From: "Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx>
- Date: Thu, 18 Oct 2007 22:06:26 -0700
If you're going to put a server in your DMZ, make it an ISA server instead
of a front-end Exchange server. Putting an Exchange front-end server in a
DMZ is tantamount to militarizing your DMZ. If you can't get ISA (and why
not, it doesn't cost any more than an Exchange front-end server does it?)
then any web publishing appliance is still better than a front-end server in
there. Read the KB article and see all the dangerous ports you have to open
between your DMZ and Intranet, and then show that to your security guy, and
you might be surprised how quickly he agrees. IMO it's even safer allowing
port 443 through to your Exchange server than opening those ports.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Simon" <Simon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D2F7D8A7-A5E4-4B82-B5BD-72FE7F4DC5DA@xxxxxxxxxxxxxxxx
Thank you for your kind comments.
I appreciate that this may not be the "best" method, but justifying this ISA against the Cisco solutions that our Network Team are aware of is not an option.
At the end of the day, I can only do so much, and yes, the M$ paper talks about the scenarios and suggestions to use, even though there are comments about "recommend ISA".
Will go from there I think.
Thanks a lot
Simon
"Mark Arnold [MVP]" wrote:
On Thu, 18 Oct 2007 01:49:00 -0700, Simon
<Simon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Guys
> Probably sick of this,

You have noooooo idea! :-)

> but the client I am working for has a need for OWA for a small number of people, using preconfigured laptops that will allow access to the Network via 2 VPN levels of authentication.
> We cannot use ISA - This is out of the question, even though the M$ white papers do discuss this as an option.

No ISA isn't the end of the world.

> Scenario:
> External Firewall
> Small DMZ
> Second Firewall
> Our Network
>
> Clients use laptops to VPN using hardware and software levels of security to connect to the Network. What I want to do is look at an Ex2k3 FE server in a new DMZ and then isolate this traffic to communicate with a "single" back end server.
> There are 2 firewalls that will need to be configured. As these are expensive solutions (Cisco) the company does not wish to spend money on a single ISA solution for this task.
> Reading the MSExchange.org tutorials showing Implementation OWA and Securing OWA seem to be helpful. I downloaded a Microsoft white paper called "Front-End and Back-End Server Topology Guide for Microsoft Exchange Server 2003 and Exchange 2000 Server" which gives many scenarios for this implementation.
> As mentioned, I cannot go down the ISA route. Seeing as the clients will be accessing the FE over VPN, I feel there is some good security in place. However there "may" be a need for some users to access the FE from home, which does mean this will not be done on their laptops, rather a HOME PC.
> Can I get some advice on this setup, to confirm if it is a workable solution.
> Thank You All

So you're after a solution where users just drive 443 straight to the FE rather than through the VPN. Well, that's not a problem, and the FE/BE scenarios guide does publish the ports you need to have open between the FE and the GCs as well as the BEs. Armed with this information you could go one step further and put IPSec rules in place to secure that traffic and isolate what the FE is allowed to talk to.
The whole FE in a DMZ thing was the solution du jour with Exchange 2000, so it's certainly doable and certainly supported by the nice people at Microsoft. Sure, they don't recommend it any more, and in Exchange 2007 you're not allowed to put a CAS in a DMZ, but in 2003 it's still possible and supported.
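Mark's suggestion of IPSec rules on the front-end to "isolate what the FE is allowed to talk to", and Ed's point that the list of DMZ-to-intranet ports is what the security team should see, both come down to the same rule set. The script below is an added example, not from any poster and not Microsoft's own material: a default-deny local IPsec policy for an Exchange 2003 front-end in the DMZ, written for the Windows Server 2003 `netsh ipsec static` context. The server addresses are assumptions; the ports are the FE-to-BE (HTTP) and FE-to-DC/GC (LDAP, global catalog, Kerberos, DNS) ports the FE/BE topology guide lists. The guide also lists RPC (TCP 135 plus the dynamic RPC range) for directory access; it is deliberately left out so the gap is visible rather than silently opened.

```batch
@echo off
rem Added example, not code from the thread or from Microsoft's guide.
rem Default-deny IPsec policy for an Exchange 2003 OWA front-end in a DMZ.
rem Addresses are assumptions; ports are those the FE/BE topology guide
rem lists for FE->BE (HTTP) and FE->DC/GC (LDAP, GC, Kerberos, DNS).
rem RPC 135 + dynamic range (also in the guide) is intentionally omitted.

set POLICY=FE-DMZ-Isolation
set BE=10.1.0.10
set DC=10.1.0.5

rem Filter actions: a hard block and a plain (clear-text) permit.
netsh ipsec static add filteraction name=FE-Block  action=block
netsh ipsec static add filteraction name=FE-Permit action=permit

rem Policy container; the rules below attach to it.
netsh ipsec static add policy name=%POLICY% description="Restrict what the OWA front-end may talk to"

rem 1. Default deny: any protocol, to or from this host (mirrored).
netsh ipsec static add filterlist name=FE-All
netsh ipsec static add filter filterlist=FE-All srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes
netsh ipsec static add rule name=FE-Deny-All policy=%POLICY% filterlist=FE-All filteraction=FE-Block

rem 2. Inbound HTTPS from the outer-firewall side (OWA clients).
netsh ipsec static add filterlist name=FE-OWA-In
netsh ipsec static add filter filterlist=FE-OWA-In srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443 mirrored=yes
netsh ipsec static add rule name=FE-Allow-OWA policy=%POLICY% filterlist=FE-OWA-In filteraction=FE-Permit

rem 3. FE -> the single back-end server: HTTP only (OWA proxying).
netsh ipsec static add filterlist name=FE-To-BE
netsh ipsec static add filter filterlist=FE-To-BE srcaddr=Me dstaddr=%BE% protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add rule name=FE-Allow-BE policy=%POLICY% filterlist=FE-To-BE filteraction=FE-Permit

rem 4. FE -> domain controller / global catalog: LDAP, GC, Kerberos, DNS.
netsh ipsec static add filterlist name=FE-To-DC
for %%P in (389 3268 88 53) do (
  netsh ipsec static add filter filterlist=FE-To-DC srcaddr=Me dstaddr=%DC% protocol=TCP srcport=0 dstport=%%P mirrored=yes
)
for %%P in (88 53) do (
  netsh ipsec static add filter filterlist=FE-To-DC srcaddr=Me dstaddr=%DC% protocol=UDP srcport=0 dstport=%%P mirrored=yes
)
netsh ipsec static add rule name=FE-Allow-DC policy=%POLICY% filterlist=FE-To-DC filteraction=FE-Permit

rem Assign the policy. IPsec evaluates the most specific matching filter,
rem so the host/port permits above take precedence over the any/any block.
netsh ipsec static set policy name=%POLICY% assign=y

rem Show what is now active on this host.
netsh ipsec static show policy name=%POLICY%
```

Two caveats a practitioner would want. First, this is host-based filtering on the FE itself; the inner Cisco firewall still needs the matching rules, and the point Ed makes stands either way: the permits in sections 3 and 4 (plus the RPC entries this script leaves out) are the holes between DMZ and intranet. Second, `action=permit` passes traffic in the clear; if the goal is also to protect FE-to-BE traffic rather than just to constrain it, the BE rule should use a `negotiate` filter action with a matching policy on the back-end, which this example does not show.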