[grr. . .html email]

-----Original Message-----
From: Michael Borkin [mailto:borkinat_private]
Sent: Friday, February 04, 2000 4:53 AM
To: firewall-wizardsat_private
Subject: DMZ design - Exchange, SQL, & DCOM

[SNIP]

E-mail is currently handled by an Exchange Server, but is also used for services besides just internet e-mail such as public folders and internal company mail. One person therefore recommended setting up an SMTP box in the DMZ and having it dedicated to relaying internet-based e-mail from the outside back through the firewall (and vice versa) to protect the other information on the Exchange server. That sounded good to me, but later when I was discussing this with another person I got a totally different opinion. He said it was a bad idea to let another box handle the e-mail and that having the Exchange box on the internal network would cause me to have to punch huge holes in the firewall to let certain services through. Therefore, the Exchange box needed to reside in the DMZ rather than behind it.

What he said really didn't make sense to me, because I would think that it would be having the Exchange server in the DMZ that would cause me to have to punch holes rather than the other way around. But just because I don't understand his reasoning doesn't mean he is incorrect, especially since he knows a lot more about firewalling than I do, so I ask: which is the better way to go?

Response:

That depends on the balance between security and services you're looking to achieve. If the only thing you want outsiders (ie people from the internet) to be able to do is read mail, and you just want to send and receive good old smtp/pop3 mail, you should put a nice hardened smtpd/popd linux box in your DMZ; the only hole you need between your DMZ and your internal would then be smtp and pop. Your MSEXCH server in the internal should only accept connections from internal and that one mail relayer.

However, if you want users to be able to access the whole slew of exchange services from the internet, you've got issues. If you put it in the DMZ, you have to open up lotsa ports between your internal and DMZ, and between your external and DMZ. If you put it in your internal, you have to open up holes all the way. You can use SSL and just access the exchange server via https, but that's flaky and slow and not much better. We use citrix with secure ICA to provide exchange access to the outside world (which is not without its problems, but at least it limits exposure).

For the basic specs on running exchange through a firewall, check out the MS knowledge base (query on exchange and firewalls). Particular attention must be paid to the RPC endpoint mapping service, and the fact that an exchange server MUST be a member of a domain, which causes many of the hassles.

BTW, you can set up another exchange server in the dmz as a member of its own domain with a one-way trust (ie it trusts the internal exchange server but not vice versa) and use that as a relay, but then you still have to open up several additional ports between the DMZ and external if you want to access exchange services from outside.

HTH.

Henry Sieff
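The relay-in-the-DMZ design from the response above, as an added example that is not part of the original thread: a small policy model in which the only holes between DMZ and internal are SMTP (both directions), the internet reaches only the relay on SMTP/POP3, and Exchange accepts mail only from the internal network and that one relay. Addresses, host names and zone ranges are constructed for illustration; the iptables rendering assumes a Linux firewall sits between the three zones.

```python
from ipaddress import ip_network, ip_address

# Constructed topology (not from the post): documentation and RFC 1918 ranges.
ZONES = {
    "external": ip_network("0.0.0.0/0"),   # catch-all: the internet
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
RELAY = "192.0.2.25"     # hardened smtpd/popd box in the DMZ
EXCHANGE = "10.0.0.10"   # Exchange server kept on the internal network
SMTP, POP3 = 25, 110

# Rules as (source zone-or-host, destination zone-or-host, tcp port).
# First match wins; anything unmatched is dropped.
POLICY = [
    ("external", RELAY, SMTP),      # inbound internet mail goes to the relay only
    ("external", RELAY, POP3),      # outside users read mail from the relay only
    (RELAY, EXCHANGE, SMTP),        # relay hands internet mail to Exchange
    (EXCHANGE, RELAY, SMTP),        # Exchange hands outbound mail to the relay
    ("internal", EXCHANGE, SMTP),   # internal hosts still talk to Exchange
]

def zone_of(addr):
    """Return the most specific zone containing addr ("external" is the catch-all)."""
    ip = ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def matches(spec, addr):
    """A rule endpoint matches either an exact host or the zone the host falls in."""
    return spec == addr or spec == zone_of(addr)

def allowed(src, dst, port):
    """Evaluate a TCP flow against POLICY; default deny."""
    return any(matches(s, src) and matches(d, dst) and p == port
               for s, d, p in POLICY)

def iptables_rules(chain="FORWARD"):
    """Render POLICY as iptables commands for the firewall between the zones."""
    lines = []
    for s, d, p in POLICY:
        src = ZONES[s] if s in ZONES else s
        dst = ZONES[d] if d in ZONES else d
        lines.append(f"iptables -A {chain} -p tcp -s {src} -d {dst} --dport {p} -j ACCEPT")
    lines.append(f"iptables -P {chain} DROP")   # everything else, RPC included, is dropped
    return lines
```

Note that no rule opens TCP 135 (the RPC endpoint mapper) or any other Exchange port toward the internal network, which is exactly the exposure the reply says you avoid by keeping Exchange behind the relay.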
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:57 PDT