Re: OK, I'm sold on SBS2003 now
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Sep 2005 00:59:10 -0400
In news:MPG.1d991d33a3ee0c7798a0ce@xxxxxxxxxxxxxxxxxxxxxxxxxxx,
Leythos <void@xxxxxxxxxxx> typed:
> In article <OL#Y7VTvFHA.3860@xxxxxxxxxxxxxxxxxxxx>,
> lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx says...
>>
>>
>> In news:MPG.1d96702ba38d325b98a0aa@xxxxxxxxxxxxxxxxxxxxxxxxxxx,
>> Leythos <void@xxxxxxxxxxx> typed:
>>> In article <ex69oM4uFHA.1256@xxxxxxxxxxxxxxxxxxxx>,
>>> okf22@xxxxxxxxxxx says...
>>>> I would not put SQL in there
>>>
>>> I don't know WHERE where is that you are replying about.
>>>
>>> DC = LAN
>>> SQL = LAN
>>> Exchange = DMZ
>>>
>>> I'm not talking about a DMZ in the same network, I'm strictly
>>> talking about a real DMZ with a different network.
>>
>> Why a DMZ at all? What's it facing? What's the purpose?
>
> Do you not understand network security?
Well, I'd like to think I at least dabble in it, and my clients' networks
have never yet been hit with anything at all, for what it's worth. Call it
luck, skill, or a combination of both, but this is a fact. Sarcasm tags on
or off, as you choose. ;)
>
> The DMZ is where you place nodes that have public facing services
> offered. A web server belongs in the DMZ, not in the LAN.
Yes. A regular web server - absolutely. In a perfect world, I could run OWA
on a dedicated non-MS webserver. I can't, and my clients want OWA, so I do
what I can to provide them with the functionality they wish, with the
security I can assign.
>
> An Exchange server, for a single server, works very nicely in the DMZ
> as long as you have the rules set up that the LAN side must contact the
> Exchange server in the DMZ before the exchange server can communicate
> with the LAN devices.
Actually, this is not by any means considered a 'best practice' config for
Exchange server. Ask any of the gurus in the Exchange groups, or the MS
Exchange folks themselves. If you want a front-end/back-end config for OWA,
you can use ISA....if you don't want to expose your production Exchange box
to the Internet for mail, stick a Postfix (or similar) box in your DMZ, and
relay mail from it to the Exchange box...on the LAN.
Putting Exchange in a DMZ means poking so many holes in your DMZ that it
isn't really a DMZ anymore. I wouldn't do it myself.
>
> Since I don't put Exchange servers in the same Domain as the LAN
> computers, it's very simple to maintain control of users
> login/passwords for the exchange server and still provide a less
> exposed service to the rest of the network. Since the exchange server
> can't contact the LAN without an Invite, it means that should the
> exchange server be compromised, that it can't reach the LAN systems,
> even if it could, the security accounts don't match between them (no
> users with the same account/password) so it can't reach in that way
> either.
Your mileage may vary. Like I said, this is not a generally recommended
config.
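
Added example, not part of the original post: a minimal Postfix `main.cf` for the relay-in-the-DMZ layout suggested above, where the only mail flow crossing the DMZ/LAN boundary is SMTP on TCP 25 between the relay and the Exchange box. The domain `example.com`, the host name, the Exchange address `10.0.0.25` and the map file paths are assumptions chosen for illustration.

```conf
# /etc/postfix/main.cf on the DMZ relay host (constructed example values)

# Identity of the relay as seen from the Internet.
myhostname = relay.example.com

# This box stores no mail itself: no local domains, no local delivery.
mydestination =
local_recipient_maps =
local_transport = error:local delivery is disabled on this relay

# Accept inbound mail only for the domain hosted on the Exchange server.
relay_domains = example.com

# Reject unknown recipients at the edge instead of accepting and bouncing.
# The map lists every valid address, e.g.  user@example.com  OK
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Hand accepted mail to Exchange on the LAN. The transport map holds:
#   example.com   smtp:[10.0.0.25]:25
# Square brackets make Postfix connect to that address without an MX lookup.
transport_maps = hash:/etc/postfix/transport

# Only the relay itself and the Exchange server may send outbound through it.
mynetworks = 127.0.0.0/8 10.0.0.25/32

# Everyone else may only deliver to relay_domains, so this is not an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Firewall rules this layout needs between DMZ and LAN (mail only):
#   relay    -> 10.0.0.25  TCP 25   inbound mail handed to Exchange
#   10.0.0.25 -> relay     TCP 25   outbound mail, if sent via the relay
# Internet -> relay TCP 25 is the only SMTP port exposed publicly.
```

After editing the two map files, `postmap /etc/postfix/transport` and `postmap /etc/postfix/relay_recipients` build the lookup tables, and `postfix check` reports configuration problems before a reload.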