  1. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #1

    Default Exchange behind Firewall or direct?

    In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs, one with the static IP from the ISP straight onto the net. However, most setups tend to have just a private IP (in most cases 192.168.x.x) and simply have a port forwarder on the router.

    I was just wondering if there are any benefits/downfalls to each method, or any specific reason why you have to have one over the other?

  3. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,139

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); MCSA 2016/2012/2K3/2K; MCSE:S 2K3/2K; MCSE:M 2K3/2K; MCTS:Exch2K7; EMCSA:CLARiiON; Linux+; Security+; A+
    #2
    Always, always, protect your Exchange server; don't connect it directly to the ISP's network. There's always some new security vulnerability being discovered in IIS (though not as much as in years past), and you do not want that directly on the Internet. Really, port forwarding isn't enough either; you need a real firewall.
    IT guy since 12/00

    Recent: 1/29/2018 - Passed 70-743 - MCSA 2016 Complete; 1/13/2018 - Passed 70-411 - MCSA 2012 complete
    Working on: Being a better coder, build/test/deploy automation fundamentals
    Future: Renew VCP (due 2/2019), possibly with an adjacent VCP or VCAP

  4. Senior Member
    Join Date
    Jun 2009
    Location
    Canada
    Posts
    702

    Certifications
    Most Recent: CISSP & CCDA
    #3
    As he said, it's a very bad idea to leave a critical system exposed on the net.

  5. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #4
    Quote Originally Posted by mr2nut View Post
    In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net...
    They're idiots...

  6. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #5
    Quote Originally Posted by GAngel View Post
    As he said, it's a very bad idea to leave a critical system exposed on the net.
    I thought as much. However, the system did have an ISA Firewall in place, in which rules were in place for the Exchange side of things. Still, I would prefer to keep my Exchange with a private IP and hide it at all costs. I was just wondering about this today and thought I'd ask. Cheers

  7. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #6
    Quote Originally Posted by HeroPsycho View Post
    They're idiots...
    Have a bit of respect. It was an inherited domain and didn't stay that way for long.

  8. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #7
    Quote Originally Posted by mr2nut View Post
    Have a bit of respect. It was an inherited domain and didn't stay that way for long.
    I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"

  9. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #8
    Quote Originally Posted by HeroPsycho View Post
    I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"
    OK, fair does. And yes, I agree, and I thought even at the time, when I was new to IT, that surely that wasn't a good idea. Also, what I thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while, lol.

  10. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #9
    Quote Originally Posted by mr2nut View Post
    OK, fair does. And yes, I agree, and I thought even at the time, when I was new to IT, that surely that wasn't a good idea. Also, what I thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while, lol.
    Telling your bosses they're idiots is equally idiotic.

  11. Network Geek ccie15672's Avatar
    Join Date
    May 2009
    Location
    Port Washington, WI, USA
    Posts
    92

    Certifications
    CCIE #15672 (R&S, SP), JNCIE-M #721
    #10
    Make a DMZ sandwich.

    Exchange, web server, etc. in the middle of two firewalls... one attached to the outside, one attached to the inside.

  12. Senior Member
    Join Date
    Mar 2008
    Posts
    1,562
    #11
    Quote Originally Posted by ccie15672 View Post
    Make a DMZ sandwich.

    Exchange, web server, etc. in the middle of two firewalls... one attached to the outside, one attached to the inside.

    I came here to say this

  13. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #12
    Quote Originally Posted by FadeToBright View Post
    I came here to say this
    Don't cave into peer pressure! Take a three-pronged approach, just to be different!

  14. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #13
    Quote Originally Posted by ccie15672 View Post
    Make a DMZ sandwich.

    Exchange, web server, etc. in the middle of two firewalls... one attached to the outside, one attached to the inside.
    An Exchange server in a DMZ segment like this, while better, is not as beneficial as it is with other apps. You'll end up Swiss-cheesing your internal firewall so much anyway in a front-end/back-end separation design. And your email is critical data anyway, so if it's your sole Exchange server (no front-end/back-end separation), you've already put critical data on a DMZ host, so you're not gaining much there either, but it's technically more secure.

    A better way to go is securely publish Exchange via ISA.

    You should at least have an edge firewall between Exchange and the net, no matter what.
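The three placements argued over in this thread (Exchange on a public NIC, Exchange on a private IP behind a port forwarder, and the "DMZ sandwich" with the inner-firewall "Swiss cheese" objection from post #13) can be compared concretely with a small zone/flow policy model. The following is an added illustration, not code from any poster, Microsoft, or ISA; the zone names, the probe port lists, and the set of back-end ports a domain-joined front end is assumed to need toward the inside are all constructed for the example.

```python
# Added example: toy flow-policy model of the three Exchange placements from the
# thread. Zones, rule sets and port lists are constructed assumptions, not a
# real product configuration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = frozenset()  # empty port set in a rule means "any destination port"

# Constructed probe sets: what an outside scanner might try, and what a
# compromised front end might try to reach on the inside.
PROBE = frozenset({22, 25, 80, 135, 139, 443, 445, 3389})
# Illustrative assumption: ports a domain-joined front end needs toward the
# internal network (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, GC).
BACKEND_PORTS = frozenset({53, 88, 135, 389, 445, 3268})
INTERNAL_PROBE = BACKEND_PORTS | {22, 1433, 3389, 5985}


@dataclass(frozen=True)
class Flow:
    src: str   # source zone: "internet", "exchange", "internal"
    dst: str   # destination zone
    port: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset = ANY
    action: str = "allow"

    def matches(self, f: Flow) -> bool:
        return (self.src in (f.src, "any") and self.dst in (f.dst, "any")
                and (not self.ports or f.port in self.ports))


class Firewall:
    """First-match rule list with an implicit deny when nothing matches."""
    def __init__(self, name: str, rules: List[Rule]):
        self.name, self.rules = name, rules

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "deny"


class Topology:
    """paths maps (src zone, dst zone) to the firewalls a flow must cross.
    An empty list means the zones are directly attached with no filtering."""
    def __init__(self, name: str, paths: Dict[Tuple[str, str], List[Firewall]]):
        self.name, self.paths = name, paths

    def permits(self, f: Flow) -> bool:
        if (f.src, f.dst) not in self.paths:
            return False  # no route at all between those zones
        return all(fw.decide(f) == "allow" for fw in self.paths[(f.src, f.dst)])

    def reachable_ports(self, src: str, dst: str, probe: Set[int]) -> Set[int]:
        return {p for p in probe if self.permits(Flow(src, dst, p))}


def build_topologies() -> Dict[str, Topology]:
    # 1. Two NICs, public IP straight on the net: nothing filters anything.
    direct = Topology("direct", {
        ("internet", "exchange"): [], ("exchange", "internet"): [],
        ("exchange", "internal"): [], ("internal", "exchange"): []})
    # 2. Private IP plus a port forwarder: inbound limited to 25/443, but all
    #    egress allowed and the host shares the LAN with everything else.
    router = Firewall("soho-router", [
        Rule("internet", "exchange", frozenset({25, 443})),
        Rule("exchange", "internet")])          # any outbound port
    port_forward = Topology("port_forward", {
        ("internet", "exchange"): [router], ("exchange", "internet"): [router],
        ("exchange", "internal"): [], ("internal", "exchange"): []})
    # 3. DMZ sandwich: outer firewall also pins egress; inner firewall only
    #    opens the back-end ports (the "Swiss cheese" that post #13 objects to).
    outer = Firewall("outer", [
        Rule("internet", "exchange", frozenset({25, 443})),
        Rule("exchange", "internet", frozenset({25, 53}))])
    inner = Firewall("inner", [
        Rule("internal", "exchange", frozenset({25, 443})),
        Rule("exchange", "internal", BACKEND_PORTS)])
    dmz = Topology("dmz_sandwich", {
        ("internet", "exchange"): [outer], ("exchange", "internet"): [outer],
        ("exchange", "internal"): [inner], ("internal", "exchange"): [inner]})
    return {t.name: t for t in (direct, port_forward, dmz)}


def summarize(t: Topology) -> dict:
    """Exposure from the outside, whether a compromised host can call out on an
    arbitrary port, and how many inward holes the placement needs."""
    return {
        "exposed": t.reachable_ports("internet", "exchange", set(PROBE)),
        "beacon_out": t.permits(Flow("exchange", "internet", 4444)),
        "inner_holes": len(t.reachable_ports("exchange", "internal", set(INTERNAL_PROBE))),
    }


if __name__ == "__main__":
    for name, topo in build_topologies().items():
        print(name, summarize(topo))
```

Run as a script it prints one summary line per placement. The model makes the two sides of the thread visible at once: the sandwich reduces outside exposure to the published ports and pins the host's egress, which the port forwarder does not, but the inner firewall still has to carry every back-end port the front end needs, which is the trade-off post #13 describes.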

  15. Senior Member
    Join Date
    Sep 2006
    Location
    San Francisco Bay Area
    Posts
    2,048

    Certifications
    None?
    #14
    Go ahead and give this guy a read....

    http://www.microsoft.com/downloads/d...displaylang=en

  16. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #15
    Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.

    http://technet.microsoft.com/en-us/l.../bb232184.aspx

    Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up Swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.

    Edge firewall between any Exchange server and the net? Absolutely a must.

    Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.
    Last edited by HeroPsycho; 06-24-2009 at 02:18 PM.

  17. Senior Member
    Join Date
    Mar 2006
    Location
    The Internet
    Posts
    586

    Certifications
    See Signature
    #16
    Quote Originally Posted by HeroPsycho View Post
    Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.

    Planning for Client Access Servers

    Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up Swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.

    Edge firewall between any Exchange server and the net? Absolutely a must.

    Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.
    100% agreed! I was going to post something along these lines.