The reason they want to stick it in the DMZ is that a general security
practice is to put any externally accessible machine in a DMZ to limit the
ramifications if the box were to be hacked. This is great for a Web server
that doesn't need much, if any, access to the internal network, but it
really sucks for an Exchange server.

For Exchange, and OWA, you need to open so many ports to the internal
network that it almost makes more sense to put the OWA box on the internal
network and only open the SSL port from the internet. You are going to be
using SSL and nothing else, right? When you are talking to your security guys,
tell them that you will need to open a bunch of Exchange ports and a bunch
of ports to allow domain communication as well. That information will likely
change their minds ;)

Incidentally, the same situation applies for SMTP (IMS) Exchange servers.
You can put your IMS server in the DMZ, but you'll need to open a lot of
ports to make it work. Two better options are to place another SMTP server
in the DMZ and forward all email to that (IIS etc.), or to open only port 25
to the internal host with the IMS installed on it.

I haven't played with Exchange 2000 much but I understand the
Frontend/Backend scheme is a little better for situations like these. Can
someone else comment on that?

Phil

> We're getting ready to roll out OWA and the question was asked if anyone
> has ever put it in the DMZ?  I'm not a security guy and not really sure why
> they want to stick it there as opposed to behind the firewall, but I was
> asked to ask.  Anyone done this?  Good or bad experiences are welcome.
