Re: Where do I put Exchange Server?
From: Sam (sam_at_iQinternet.com)
Date: 05/15/04
- Next message: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Previous message: Lois: "Cant access FTP Site"
- In reply to: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Next in thread: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Reply: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 15 May 2004 00:31:20 -0400
Hi,
I think it's important to follow some "best practices" from Microsoft rather
than follow our own ideas which may make perfect sense to us. I have a bunch
of related questions:
1. Is anyone aware of any "templates" Microsoft published about how to best
set up a secure network? This would really take the guesswork out of the
equation.
2. Does anyone know if there will be better application protection in the
DMZ in ISA Server 2004?
3. Speaking of ISA Server 2004, I saw some screen shots of it. MS seems to
have "templates" in ISA 2004. This is really a wonderful idea. Again, it
just takes the guesswork out of the equation.
The research I've done seems to indicate that everyone recommends keeping
Exchange in the internal. One interesting idea was to have an IIS machine in
the DMZ that would act as a front end to Exchange OWA. This makes a lot of
sense. Instead of keeping a full blown Exchange in the DMZ, it's a lot more
cost efficient to keep an IIS in the DMZ. I wonder if I could use Windows
Server 2003 Web Edition for this purpose. I think W2K3 Web Edition is one of
the best ideas MS came up with.
Again, I'd appreciate your thoughts on these points. Thank you all...
Sam
"Tristan Kington [MSFT]" <tristank@online.microsoft.com> wrote in message
news:OnmeIGLOEHA.2100@TK2MSFTNGP11.phx.gbl...
> Just to chime in with my two cents' worth:
>
> ISA provides application-layer filtering protection for servers that are
on
> its internal network only. The only protection provided to perimeter
> networks is packet filtering, for which you might as well just use a
router
> with packet filters.
>
> The ISA DMZ (perimeter network) is actually NATted to the internal
network,
> so domain members generally won't be able to sit there without issue
> (domains weren't designed to be NATted).
>
> So, depending on how your DMZ is defined (is this the ISA DMZ or a
> pre-existing DMZ in which the ISA is a member?), you actually get better
> protection and less hassle when publishing a server behind the ISA server,
> rather than "to the side" of the ISA Server, and provide better service to
> clients while doing this.
>
> If you've multiple firewalls and an existing DMZ already, add ISA to the
DMZ
> as a secured publishing host between the external firewall and the inner
> network; you can filter the traffic on the way in and out. If you're just
> using one ISA Server, you'll have less setup and maintenance hassles by
> publishing internal servers than putting them in a DMZ, and you'll
> potentially be able to benefit from pre-authentication of web requests for
> OWA and other web sites as well (without going into the SMTP filtering
etc -
> or even add more hosts/services to do the SMTP filtering).
>
> Essentially, at some point the data from outside needs to get inside; how
> well-scrubbed it is by that time is up to you!
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "Sam" <sam@iQinternet.com> wrote in message
> news:ePY%23%23TeNEHA.2884@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> Where should I put our Exchange Server, on the Internal network or the
DMZ?
> Thanks.
>
> Sam
>
>
>
- Next message: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Previous message: Lois: "Cant access FTP Site"
- In reply to: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Next in thread: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Reply: Tristan Kington [MSFT]: "Re: Where do I put Exchange Server?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
