Whenever I've partnered with Microsoft Consulting Services, they've agreed
with me that it isn't the best idea to put front-end servers in the DMZ.
But some organizations are hell-bent on doing it their way.  It isn't that
it's the "Microsoft Way", but if a customer demands it their way, Microsoft
is being customer-focused to help them not screw it up too bad.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone
Sent: Tuesday, December 09, 2003 8:24 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Or my favorite:
There is the right way, the wrong way, or the Microsoft way. 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I'm reminded of the character Yogurt in Spaceballs the Movie: "It's all
about the merchandising."

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Don't they show ISA in there as well? 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting. Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit. It is,
after all, your network, not mine.  Ultimately, if you feel it is a better
setup to place your FE server in your DMZ, then do that.  I'm just trying to
offer feedback.  As far as 5.5 goes, that is a different scenario altogether.
5.5 would allow you to install OWA separately from the Exchange mailbox
server.

Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-----Original Message-----
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 10:45 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and the required ports for GC/LDAP and the required ports for the BE server. The DMZ is
a separate physical network (VLAN) and the firewall is going to allow only these
specific kinds of traffic, and only to the required specific servers on the inside
network.

You guys seem very concerned with that, which I respectfully don't
understand. Also, this is exactly what we did in Exchange 5.5, right?

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



-----Original Message-----
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up ports 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA Server to
"publish" the FE OWA server.  There are some servers that belong on a DMZ. An
FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-----Original Message-----
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?
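One way to sanity-check the VLAN/ACL design Andrey describes, as an added Python example that is not part of the thread: it evaluates a constructed router-style access list with first-match/implicit-deny semantics, flags anything reaching the back-end VLAN from a source other than the FE server or on a port outside the agreed list, and reports the ports the FE itself can reach inside (the exposure Ben's objection is about). The addresses, port list and ACL entries are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source network or host (CIDR)
    dst: str      # destination network or host (CIDR)
    port: int     # destination TCP port, or None for any port
    action: str   # "permit" or "deny"

def first_match(rules, src_ip, dst_ip, port):
    # First matching entry wins; nothing matching means implicit deny, as on a router ACL.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def audit_scope(rules, dmz_hosts, fe_ip, be_vlan, allowed_ports, probe_ports):
    # (src, dst, port) triples let into the back-end VLAN that break the stated policy:
    # a source other than the FE server, or a port outside the agreed list.
    findings = []
    for src in dmz_hosts:
        for dst in ipaddress.ip_network(be_vlan).hosts():
            for port in probe_ports:
                if first_match(rules, src, str(dst), port) == "permit" and (
                        src != fe_ip or port not in allowed_ports):
                    findings.append((src, str(dst), port))
    return findings

def fe_reach(rules, fe_ip, be_vlan, probe_ports):
    # Ports the FE can reach anywhere in the back-end VLAN: what a compromised FE carries inside.
    return {p for p in probe_ports for dst in ipaddress.ip_network(be_vlan).hosts()
            if first_match(rules, fe_ip, str(dst), p) == "permit"}

# Constructed sample (documentation address ranges, not a real network).
DMZ_VLAN, BE_VLAN = "192.0.2.0/28", "198.51.100.0/29"
FE_IP, RELAY_IP = "192.0.2.10", "192.0.2.11"   # OWA front end, plus another DMZ box
ALLOWED, PROBE = {443, 135, 389}, [25, 80, 135, 389, 443, 3268]  # agreed FE->BE ports
ACL = [
    Rule(FE_IP, BE_VLAN, 443, "permit"),
    Rule(FE_IP, BE_VLAN, 135, "permit"),        # RPC endpoint mapper for FE/BE traffic
    Rule(DMZ_VLAN, BE_VLAN, 389, "permit"),     # mistake: whole DMZ VLAN, not just the FE
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    print(audit_scope(ACL, [FE_IP, RELAY_IP], FE_IP, BE_VLAN, ALLOWED, PROBE))
    print(sorted(fe_reach(ACL, FE_IP, BE_VLAN, PROBE)))
```

The audit catches the over-broad LDAP entry (every back-end host reachable from the second DMZ box), while the FE's own reach shows that even a correct ACL still lets a compromised FE talk RPC and LDAP to the inside.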


-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a "few others" are needed.  Those "few" other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall.


Ben Winzenz
Network Engineer
Gardner & White
(317) 581-1580 ext 418


-----Original Message-----
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80 (HTTP), 443 (SSL) and a few others.

Check out KB 280132.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-----Original Message-----
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in the DMZ, which will be our SMTP
and OWA front-end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder




_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]