Exchange behind Firewall or direct?

mr2nut (Senior Member, Registered Member; Join Date: Feb 2008; Location: West Yorkshire, UK; Posts: 254; Certifications: A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620)

In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs, one with the static IP from the ISP straight onto the net. However, most setups tend to have just a private IP (in most cases 192.168.x.x) and simply have a port forwarder on the router.
I was just wondering if there are any benefits/downfalls to each method, or any specific reason why you have to have one over the other?
Gold Member, Registered Member (Join Date: Nov 2005; Location: NC; Posts: 2,491; Certifications: MCSE (Messaging and Security 2000 & 2003); MCTS:E2K7; VCP; Security+; A+; EMCPA; CCNA (expired))

Always, always protect your Exchange server; don't connect it directly to the ISP's network. There's always some new security vulnerability being discovered in IIS (though not as much as in years past), and you do not want that directly on the Internet. Really, port forwarding isn't enough either; you need a real firewall.
__________________
IT guy since 12/00
Next on my list to conquer: MCITP:EM; VCP4... then taking a break.
GAngel (Senior Member, Registered Member; Join Date: Jun 2009; Location: Toronto; Posts: 343; Certifications: Most Recent: Heorot PTF & GPEN)

As he said, it's a very bad idea to leave a critical system exposed on the net.
HeroPsycho (Senior Member, Registered Member; Join Date: Jan 2008; Posts: 1,813; Certifications: MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4)

Quote:
Originally Posted by mr2nut
In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net...

They're idiots...
__________________
Next up, EMC storage!
mr2nut (Senior Member, Registered Member; Join Date: Feb 2008; Location: West Yorkshire, UK; Posts: 254; Certifications: A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620)

Quote:
Originally Posted by GAngel
As he said its a very bad idea to leave a critical system exposed on the net.

I thought as much. However, the system did have an ISA Firewall in place, in which rules were in place for the Exchange side of things. Still, I would prefer to keep my Exchange with a private IP and hide it at all costs. I was just wondering about this today and thought I'd ask. Cheers
mr2nut (Senior Member, Registered Member; Join Date: Feb 2008; Location: West Yorkshire, UK; Posts: 254; Certifications: A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620)

Quote:
Originally Posted by HeroPsycho
They're idiots...

Have a bit of respect. It was an inherited domain and didn't stay that way for long.
HeroPsycho (Senior Member, Registered Member; Join Date: Jan 2008; Posts: 1,813; Certifications: MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4)

Quote:
Originally Posted by mr2nut
Have a bit of respect. it was an inherited domain and didn't stay that way for long.

I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"
__________________
Next up, EMC storage!
mr2nut (Senior Member, Registered Member; Join Date: Feb 2008; Location: West Yorkshire, UK; Posts: 254; Certifications: A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620)

Quote:
Originally Posted by HeroPsycho
I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"

OK, fair does. And yes, I agree, and thought even at the time, when I was new to IT, that surely that wasn't a good idea. Also, what I thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while lol
HeroPsycho (Senior Member, Registered Member; Join Date: Jan 2008; Posts: 1,813; Certifications: MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4)

Quote:
Originally Posted by mr2nut
ok fair does. And yes I agree and thought even at the time when I was new to IT that surely that wasn't a good idea. Also what I thought might be a good idea was not to challenge my IT manager as he had used it like that for a while lol

Telling your bosses they're idiots is equally idiotic.
__________________
Next up, EMC storage!
ccie15672 (Network Geek, Registered Member; Join Date: May 2009; Location: Port Washington, WI, USA; Posts: 46; Certifications: CCIE (R&S, SP), JNCIS-M)

Make a DMZ sandwich.
Exchange, web server, etc. in the middle of two firewalls: one attached to the outside, one attached to the inside.
FadeToBright (Super Geek Girl, Registered Member; Join Date: Mar 2008; Location: Foster, Rhode Island; Posts: 986; Certifications: MCDST, MCTS:Vista Config, MCITP:EST)

Quote:
Originally Posted by ccie15672
Make a DMZ sandwich.
Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

I came here to say this
__________________
So, repeat after me, "I will use Google before asking dumb questions"
MCDST | MCITP:EST | MCTS:Vista Config
WIP Bachelors of Science: Network Engineering 70%
MSCA: 70-291
MCSE: 70-293 | 70-294 | 70-298 | 70-431
Quote:
Originally Posted by RobertKaucher
....I also tell you to take your shame and stuff it in which ever TCP port you choose.
Quote:
Originally Posted by HeroPsycho
"when I run, I travel faster than I walk, anyone know why?"
InfoSec Analyst, Registered Member (Join Date: Mar 2007; Location: BR::LA; Posts: 11,106; Certifications: Most Recent: CEH & CWSP)

Quote:
Originally Posted by FadeToBright
I came here to say this

Don't cave in to peer pressure! Take a three-pronged approach, just to be different!
__________________
The day you stop learning is the day you start becoming obsolete.
WIP - CCNA:S | OSCP | OSWP | GPEN - 02/26/10 ETA
HeroPsycho (Senior Member, Registered Member; Join Date: Jan 2008; Posts: 1,813; Certifications: MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4)

Quote:
Originally Posted by ccie15672
Make a DMZ sandwich.
Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

An Exchange server in a DMZ segment like this, while better, is not as beneficial as it is with other apps. You'll end up swiss-cheesing your internal firewall so much anyway in a front-end/back-end separation design. And your email is critical data anyway, so if it's your sole Exchange server (no front-end/back-end separation), you've already put critical data on a DMZ host, so you're not gaining much there either, but it's technically more secure.
A better way to go is to securely publish Exchange via ISA.
You should at least have an edge firewall between Exchange and the net, no matter what.
__________________
Next up, EMC storage!
Senior Member, Registered Member (Join Date: Sep 2006; Location: San Francisco Bay Area; Posts: 1,275; Certifications: A+, Network+, CCNA:Sec and MCSE)

__________________
-Daniel
The gym, then MCITP: Server admin 2008
HeroPsycho (Senior Member, Registered Member; Join Date: Jan 2008; Posts: 1,813; Certifications: MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4)

Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ: http://technet.microsoft.com/en-us/l.../bb232184.aspx
Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.
Edge firewall between any Exchange server and the net? Absolutely a must.
Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.
__________________
Next up, EMC storage!
Last edited by HeroPsycho; 06-24-2009 at 03:18 PM.
Senior Member, Registered Member (Join Date: Mar 2006; Location: Norwich, UK; Posts: 550; Certifications: MCSE:S, MCSA:M, MCDST, CCA, MCTS: Vista Config, MCITP: Ent Support, MCC)

Quote:
Originally Posted by HeroPsycho
Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ. Planning for Client Access Servers
Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up swiss cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.
Edge firewall between any Exchange server and the net? Absolutely a must.
Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.

100% agreed! I was going to post something along these lines.
__________________
WIP: 70-649
Saying: FTW (For The Win!)