Re: Exchange 2000 FE / BE Config Questions


From: Mark Arnold [MVP] (mark_at_mvps.org)
Date: 05/28/04


Date: Fri, 28 May 2004 18:49:55 +0100


"David Hodgson" <david.hodgson@vianet.co.uk> wrote:

>Hi folks,
>
>can someone please verify that this will work for me.
>
>Domain = domain.co.uk
>Exchange 2000 FE in DMZ behind firewall with external IP address NAT'd to
>it.
>Exchange 2000 BE in Internal Network
>
>All clients will be able to get OWA, IMAP and POP3 by connecting to FE.
>
>MX records on my ISP's DNS servers for domain domain.co.uk will use Exchange
>2000 FE external IP address.
>(If this is correct then SMTP emails will be sent to the FE server, is this
>correct? will the FE send emails to the BE server and vice versa?)
>
>Thank you
>Dave
>
Dave, the FE is in the wrong place. It should not be in the DMZ. There
are far too many ports open from the DMZ to the LAN to make the DMZ
secure. If you must put something in the DMZ then use ISA (in a
workgroup, not the domain) and point every protocol at the ISA. ISA
can then publish those services for the users on the Internet.

If this means that you can only have an ISA and a BE then that's not a
problem for Exchange. If you do have a 3rd box then you can direct the
ISA at the internal IP of the FE.

To route the mail through one box on its way out, you create a routing
group with two members and select the FE as the local bridgehead. This
enables you to put the spam filter / disclaimer software on one box
only. Use of an RG rather than pointing the SMTP VSI on the BE to a
smarthost address of the FE lets you enter such things as sender
restrictions should you have people on the LAN who are not permitted
to send Internet mail.

Mark Arnold MCSA MCSE+M MVP,
FAQ: http://www.swinc.com/resource/exchange.htm
Blog: http://www.msexchange.me.uk
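The reply's core point is that a domain-joined front end in the DMZ forces many DMZ-to-LAN holes, whereas a workgroup ISA only needs the published protocols. The following is an added illustration, not part of the original post: it scores two constructed DMZ-to-LAN rule sets. The port lists are assumptions based on well-known domain-member and Exchange 2000 FE/BE requirements, not a configuration taken from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None means "any port" (e.g. a dynamic RPC range)
    purpose: str

# Ports whose presence in a DMZ-to-LAN policy means the DMZ host can talk to
# Active Directory / RPC on the LAN (assumption: standard domain-member needs).
DIRECTORY_PORTS = {88, 135, 389, 445, 3268}

# Design A (constructed): domain-joined Exchange 2000 FE in the DMZ.
FE_IN_DMZ: List[Rule] = [
    Rule("udp", 53, "DNS"), Rule("tcp", 88, "Kerberos"), Rule("udp", 88, "Kerberos"),
    Rule("tcp", 135, "RPC endpoint mapper"), Rule("tcp", None, "dynamic RPC"),
    Rule("tcp", 389, "LDAP"), Rule("tcp", 3268, "Global Catalog"),
    Rule("tcp", 445, "SMB/Netlogon"), Rule("tcp", 25, "SMTP to BE"),
    Rule("tcp", 80, "HTTP (OWA) to BE"), Rule("tcp", 110, "POP3 to BE"),
    Rule("tcp", 143, "IMAP to BE"),
]

# Design B (constructed): workgroup ISA in the DMZ publishing the services to
# the FE/BE on the LAN; only the published protocols cross the inner firewall.
ISA_IN_DMZ: List[Rule] = [
    Rule("tcp", 25, "SMTP publishing"), Rule("tcp", 443, "OWA publishing (HTTPS)"),
    Rule("tcp", 110, "POP3 publishing"), Rule("tcp", 143, "IMAP publishing"),
]

def exposure(rules: List[Rule]) -> dict:
    """Summarise what a DMZ-to-LAN rule set opens: distinct fixed ports,
    any-port rules, and directory/RPC ports reachable from the DMZ."""
    fixed = {(r.proto, r.port) for r in rules if r.port is not None}
    wildcard = [r.purpose for r in rules if r.port is None]
    directory = sorted({r.port for r in rules if r.port in DIRECTORY_PORTS})
    return {"fixed_ports": len(fixed), "any_port_rules": wildcard,
            "directory_ports": directory}

def dmz_host_isolated(rules: List[Rule]) -> bool:
    """True when the DMZ host needs neither any-port rules nor AD/RPC access."""
    e = exposure(rules)
    return not e["any_port_rules"] and not e["directory_ports"]

if __name__ == "__main__":
    for name, rules in (("FE in DMZ", FE_IN_DMZ), ("ISA in DMZ", ISA_IN_DMZ)):
        print(name, exposure(rules), "isolated:", dmz_host_isolated(rules))
```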


