SSL

-----Original Message-----
From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 5:48 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K


How do you guys secure Exchange with OWA and POP/IMAP if you don't put it in
a DMZ?

Matt
-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 8:44 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K


There should be a rotating tag line appended to each message:

"Exchange doesn't belong in the DMZ"
"PST=BAD"
"BLB=BAD"

Etc

-----Original Message-----
From: missy koslosky [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 5:22 AM
To: Exchange Discussions
Subject: Re: Front-End/Back-End Topology - Ex2K


Go with your instincts.  Keep it out of the DMZ.

There's lots of history on this in the archives of this list.

Missy
----- Original Message -----
From: "Myles, Damian" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, March 18, 2002 7:47 AM
Subject: Front-End/Back-End Topology - Ex2K


Posted this on the ISA forums a few days ago, but thought it might be an
idea to post for discussion.

A while back I tested a FE/BE topology with the FE server sitting on our DMZ,
opening numerous ports on our interior firewall to allow AD/GC lookups
through etc.  Now it comes to actually putting these fruits of labour into
practice in a production environment, I'm far from convinced of the
rationale of placing a FE server on a DMZ, given the security implications
of doing so with regard to the numerous open ports.  I'm more inclined to
publish the front-end server (on our LAN) and allow remote users to
connect through HTTPS, secured behind ISA, acknowledging there is always a
risk putting Internet-accessed resources on a production LAN.

Since this is a back-to-back firewall, the following ports would need to be
opened

Exterior Firewall
-----------------
443/TCP HTTPS
25/TCP SMTP
993/TCP IMAPS

Interior Firewall
-----------------
80/TCP HTTP
143/TCP IMAP
25/TCP SMTP
389/TCP LDAP
389/UDP LDAP
3268/TCP GC (LDAP)
88/TCP KERBEROS
88/UDP KERBEROS
53/TCP DNS
53/UDP DNS
135/TCP RPC
445/TCP NETLOGON

I know a lot of the above can be secured over SSL and RPC limited to a
single port (rather than anything above 1024), and that I can tunnel HTTP
through IPSEC or VPN. However, since I'm using SecureNAT clients with ISA,
IPSEC isn't really viable.

Would appreciate any feedback on this, and to find out what the general
consensus of opinion is.

Regards
Mylo

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]







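The port lists in Damian's original post are the whole argument: with the FE server in the DMZ, a compromised DMZ host gets LDAP, Global Catalog, Kerberos, DNS, the RPC endpoint mapper and SMB straight through the interior firewall to the domain controllers, whereas publishing a LAN-side FE through ISA leaves only the published listener crossing it. The script below is an added example, not code from the thread or from any poster. It transcribes the two port lists from the post, classifies the AD-facing ones (that classification, the single-port "FE on LAN" rule set, and the host name are my assumptions), and includes a TCP probe you can run from the DMZ host to check that the interior firewall permits nothing beyond the documented list. The probe is injectable so the sample run works offline against a constructed "leaky firewall" stand-in.

```python
"""
Added example (not from the original thread): model the interior-firewall
exposure of the two Exchange 2000 FE/BE placements and audit a firewall
from the DMZ side. Port numbers are transcribed from Damian Myles' post;
the AD-facing classification and the FE-on-LAN rule set are assumptions.
"""
import socket
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)


def ports(spec: str) -> FrozenSet[Port]:
    """Parse 'tcp/443 tcp/25 udp/53' into a frozenset of (proto, port)."""
    out = set()
    for token in spec.split():
        proto, _, num = token.partition("/")
        if proto not in ("tcp", "udp") or not num.isdigit():
            raise ValueError(f"bad port spec: {token!r}")
        out.add((proto, int(num)))
    return frozenset(out)


# Transcribed from the original post: FE server in the DMZ.
DMZ_EXTERIOR = ports("tcp/443 tcp/25 tcp/993")
DMZ_INTERIOR = ports("tcp/80 tcp/143 tcp/25 tcp/389 udp/389 tcp/3268 "
                     "tcp/88 udp/88 tcp/53 udp/53 tcp/135 tcp/445")

# Assumption: FE on the LAN, published through ISA. Only the published
# listeners cross the interior firewall; directory traffic stays inside.
LAN_EXTERIOR = ports("tcp/443 tcp/25 tcp/993")
LAN_INTERIOR = ports("tcp/443 tcp/25 tcp/993")

# Assumption: openings that give a foothold on the DMZ host a direct path
# to domain controllers (LDAP, GC, Kerberos, DNS, RPC endpoint mapper, SMB).
AD_FACING = ports("tcp/389 udp/389 tcp/3268 tcp/88 udp/88 "
                  "tcp/53 udp/53 tcp/135 tcp/445")


def ad_exposure(interior: Iterable[Port]) -> FrozenSet[Port]:
    """Interior-firewall openings that reach Active Directory services."""
    return frozenset(interior) & AD_FACING


def compare_topologies() -> Dict[str, int]:
    """Count interior openings and AD-facing openings per topology."""
    return {
        "dmz_interior": len(DMZ_INTERIOR),
        "dmz_ad_facing": len(ad_exposure(DMZ_INTERIOR)),
        "lan_interior": len(LAN_INTERIOR),
        "lan_ad_facing": len(ad_exposure(LAN_INTERIOR)),
    }


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real TCP connect probe; run this from the DMZ host toward the LAN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_interior(host: str, allowed: Iterable[Port],
                   probe: Callable[[str, int], bool] = tcp_open,
                   candidates: Iterable[int] = range(1, 1025)) -> Dict[str, Set[int]]:
    """Probe TCP ports on `host` and report drift from the documented rule set.

    'unexpected' = reachable but not in the allowed list (firewall too open);
    'missing'    = allowed but not reachable (rule absent or service down).
    Only TCP is probed: a UDP connect() says nothing about a packet filter.
    Allowed ports above 1024 (e.g. 3268) are always probed even if outside
    the candidate range.
    """
    allowed_tcp = {p for proto, p in allowed if proto == "tcp"}
    reachable = {p for p in set(candidates) | allowed_tcp if probe(host, p)}
    return {"unexpected": reachable - allowed_tcp,
            "missing": allowed_tcp - reachable}


if __name__ == "__main__":
    print(compare_topologies())
    # Constructed stand-in for the probe so the example runs offline:
    # pretend the interior firewall also leaks 3389/tcp (RDP) to the DC.
    leaky = {80, 143, 25, 389, 3268, 88, 53, 135, 445, 3389}
    print(audit_interior("dc01.example.local", DMZ_INTERIOR,
                         probe=lambda h, p: p in leaky,
                         candidates=range(1, 4000)))
```

To use the audit for real, copy the script to the DMZ front-end host and call `audit_interior("<domain controller>", DMZ_INTERIOR)` with the default probe; anything in `unexpected` is a rule the interior firewall allows that the design never documented, and anything in `missing` is a documented rule that is not actually in effect. The comparison numbers make the thread's point concrete: nine of the twelve interior openings in the DMZ design are AD-facing, against none in the LAN-side design.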