Re: DMZ and AD
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 08/14/04
- Next message: Brian Desmond [MVP]: "Re: "[strings] section is too long" error"
- Previous message: LadyEnigma: "Re: XP SP2 Report"
- In reply to: Al Mulnick: "Re: DMZ and AD"
- Next in thread: Al Mulnick: "Re: DMZ and AD"
- Reply: Al Mulnick: "Re: DMZ and AD"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 14 Aug 2004 20:55:04 +0100
Can you clarify what you mean by an "IPSec tunnel"?
Also, is it true that all IDS systems are unable to inspect IPSec traffic if
only AH is used (i.e. no ESP)?
Oli
"Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
news:%237BKIbigEHA.2812@tk2msftngp13.phx.gbl...
> It is simpler, but it has no ability to check for malicious intent and
> blocks your IDS from doing anything about it and they put added strain on
> your DC/GC's. I can't remember off the top of my head, but it used to be
> that you couldn't use an IPSec tunnel to an Exchange cluster, but that may
> have changed. IPSec tunnels do make it easier to traverse the firewall
> though.
>
> The recommended way to deploy Exchange to the internet, for OWA, HTTP/RPC,
> AS, SMTP, IMAP, POP3, is to use a layer-7 firewall device that can inspect
> the packets as they go by. ISA Server is one such example of how to do
> that. Makes it much more reliable as well since you don't have to worry
> about punching enough holes in your firewall to make it similar to swiss
> cheese and you won't have to worry about the latest IIS hack to have
> somebody overrun your Exchange FE server and then have full, uninterrupted
> and undetected access to your internal network via IPSec tunnels.
>
> I've always recommended ISA since it was released for those reasons. I've
> deployed the IPSec tunnels as well and there are some utilities that make it
> easier to deploy and troubleshoot which should be available at
> http://www.microsoft.com/security
>
> For topology and click by click ways to deploy Exchange in this scenario,
> see http://www.microsoft.com/exchange/library and have a look at the docs
> there.
>
> Shame about that consultant though, her getting away before the job was
> totally done and all ;)
>
> Al
>
>
> "Dave Shaw [MVP]" <dhshaw@NoSpam.msn.com> wrote in message
> news:%23Wr40hhgEHA.4092@TK2MSFTNGP10.phx.gbl...
>> Make your life a little simpler ...
>>
>> Use IPSec filters on the firewalls to allow traffic to and from the
>> messaging server to the domain. It's much more secure and uses many
>> fewer ports.
>>
>> -ds
>>
>>
>> "C Emmons" <anonymous@discussions.microsoft.com> wrote in message
>> news:07ae01c48198$c3917b40$3a01280a@phx.gbl...
>> >I am running Exchange 2003 SP1 on Windows Server 2003. I
>> > am using the Front-End/Back-End Topology. The Exchange
>> > Front-End passes request for mail to the Back-End. I
>> > paid a consultant to come in and setup a DMZ in which the
>> > Front-End now resides. As far as I can see, the
>> > connectivity seems okay between the front and the back.
>> > However, the front-end server will not work. I get the
>> > following error:
>> >
>> > All DS Servers in domain are not responding.
>> >
>> > Outside the DMZ (IP changed back to my internal network) -
>> > everyone works fine between front and back.
>> >
>> > I have two Domain Controllers running Windows 2003 Server
>> > Enterprise (Clusters). The Exchange Server is of course
>> > in the domain, but is not a domain controller.
>> >
>> > Can anyone please help - I am trying to meet a deadline
>> > and the consultant has gone. Help much appreciated.
>> > C Emmons
>>
>>
>
>
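The AH-versus-ESP question raised above comes down to what is left in the clear on the wire. AH authenticates the datagram but does not encrypt it, so the transport header (and therefore the port an IDS or layer-7 filter keys on) remains visible behind the AH header; ESP encrypts everything after its SPI and sequence number. The following Python is an added example, not code from this thread or from Microsoft: it walks the IPv4 protocol chain of two hand-constructed packets (a front-end to domain-controller LDAP connection protected with AH, and the same flow under ESP) and reports what an inline inspector could recover. The addresses, SPIs and zeroed checksums and ICV are constructed sample values.

```python
"""Added example: what an inline inspector can see behind AH versus ESP.
Both packets are constructed here for illustration; addresses, SPIs,
checksums (zero) and the AH ICV (zero) are not real captures."""
import socket
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport):
    """20-byte TCP header with SYN set; checksum zero (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, 0x02, 8192, 0, 0)


def ah_packet(src, dst, inner):
    """IPv4 + AH + cleartext inner header. AH payload length is in 32-bit
    words minus 2: a 12-byte fixed header plus a 12-byte ICV gives 6 - 2 = 4."""
    icv = b"\x00" * 12  # HMAC-SHA1-96 would fill this on a real SA
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1000, 1) + icv
    return ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(inner)) + ah + inner


def esp_packet(src, dst, ciphertext):
    """IPv4 + ESP: only SPI and sequence number precede the encrypted body."""
    esp = struct.pack("!II", 0x2000, 1) + ciphertext
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def inspect(packet):
    """Follow the protocol chain and report the layers an inspector can parse.
    'inspectable' is True only when the transport header is reachable in clear."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    offset = ihl
    result = {"src": socket.inet_ntoa(packet[12:16]),
              "dst": socket.inet_ntoa(packet[16:20]),
              "layers": [], "inspectable": False}
    while True:
        if proto == IPPROTO_AH:
            next_hdr, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, offset)
            result["layers"].append({"proto": "AH", "spi": spi, "seq": seq})
            offset += (plen + 2) * 4  # skip the whole AH header including ICV
            proto = next_hdr          # payload is cleartext: keep walking
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack_from("!II", packet, offset)
            result["layers"].append({"proto": "ESP", "spi": spi, "seq": seq})
            return result             # body is ciphertext: nothing more to parse
        elif proto == IPPROTO_TCP:
            sport, dport = struct.unpack_from("!HH", packet, offset)
            result["layers"].append({"proto": "TCP", "sport": sport, "dport": dport})
            result["inspectable"] = True
            return result
        else:
            result["layers"].append({"proto": proto})
            return result


# Constructed sample flow: DMZ front-end (10.0.1.10) -> DC (10.0.0.5), LDAP 389.
FE, DC = "10.0.1.10", "10.0.0.5"
AH_SAMPLE = ah_packet(FE, DC, tcp_header(49152, 389))
ESP_SAMPLE = esp_packet(FE, DC, b"\x9a\x31\x07\xe2" * 5)  # stand-in ciphertext

if __name__ == "__main__":
    for name, pkt in (("AH", AH_SAMPLE), ("ESP", ESP_SAMPLE)):
        print(name, inspect(pkt))
```

Running it shows the AH packet resolving down to TCP port 389 (a port-based filter or IDS signature can still act on it, and AH also protects the outer IP header from tampering), whereas the ESP packet stops at its SPI and sequence number. That is the trade-off the thread is circling: ESP between a DMZ front-end and the internal domain hides the traffic from whatever inspection sits in between, so any compromise of the front-end rides that tunnel unseen unless the inspection point is an endpoint of the SA.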