Greetings!
Al Saenz wrote:
> I have an MS Exchange Server. I know there has been mention in the past
> about having some kind of Exchange relay server in the DMZ while your actual
> E-mail server is in your protected LAN.
> I am wanting to let mobile users check email.
I hope you won't want to let them use MAPI via the internet?! Because if so,
you will need to allow them NBT into the DMZ and to your DC (read: NBT into
internal network). If so, a firewall won't help you much. If mail access
from the internet is a must, restrict that to POP or IMAP, and SMTP.
The big disadvantage of an MS Exchange server in the DMZ is that you will have
to allow NBT traffic to/from at least one DC on your internal network to make
it work. With this, you forgo nearly all advantages a DMZ might get you.
Without accessing internal mail from the internet, I'd recommend putting a
"dumb", bastioned SMTP server as mail relay into the DMZ (configured for
safety and against open relaying). With this you can leave the Exchange
server on the inside network without any need for NBT traffic to or from the
DMZ. If you replace that SMTP relay/proxy with an SMTP virus scanning server,
you can kill two birds with one stone...
I'd highly recommend the solution with a bastioned proxy/relay in the DMZ. If
you need mobile users to access their mail, I'd recommend a (token-based &
VPN) secure(d) dial-in pool on the inside of your network.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
--------------------------------------------
Sr. Security Engineer Tel. +49-69-92901-570
--------------------------------------------
Global One
Global Security
Global Service Engineering
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
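Added example (not part of Volker's reply or the original thread): the relay
decision a bastioned DMZ SMTP relay has to make so that it is "configured
against open relaying" while still passing inbound mail to the Exchange server
inside and outbound mail from it. The domain example.com, the Exchange address
10.0.0.25 and the probe transactions are all assumptions made up for the
example; none of them come from the post. The point it shows that the post
does not spell out: the verdict is based only on the connecting client's IP
and the recipient domain, never on MAIL FROM (which anyone can forge), and the
recipient parser refuses the address forms that classic open-relay probes use
to hide an external destination behind a local domain.

```python
"""Relay policy for a bastioned DMZ SMTP relay (added example, not from the post).

Assumptions (hypothetical, not taken from the thread):
  - the internal Exchange server hosts the domain example.com
  - the Exchange server's LAN address is 10.0.0.25
  - the relay sees the connecting client's IP and the RCPT TO argument
The decision is made on client IP and recipient domain only; MAIL FROM is
spoofable and must never influence whether relaying is allowed.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com"}                          # assumed: hosted by internal Exchange
OUTBOUND_SOURCES = {ipaddress.ip_address("10.0.0.25")}  # assumed: only Exchange may relay out


def parse_recipient(rcpt):
    """Return (localpart, domain) from an RCPT TO argument.

    Raises ValueError for the address forms that classic open-relay probes
    use to smuggle an external destination past a domain check:
      <@relay:user@external>      RFC 821 source route
      <user%external@local>       percent hack
      <external!user@local>       UUCP bang path
      <"user@external"@local>     quoted local part hiding a second '@'
    """
    a = rcpt.strip()
    if a.startswith("<") and a.endswith(">"):
        a = a[1:-1]
    a = a.lower()
    if a.startswith("@"):
        raise ValueError("source route")
    if "%" in a or "!" in a:
        raise ValueError("percent hack or bang path")
    if '"' in a:
        raise ValueError("quoted local part")
    if a.count("@") != 1:
        raise ValueError("malformed address")
    local, domain = a.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    return local, domain


def relay_decision(client_ip, mail_from, rcpt_to):
    """Return (accept, smtp_reply) for one RCPT TO in a transaction.

    Accept only inbound mail for a local domain (from anywhere) and outbound
    mail from the Exchange server; everything else is relaying and is refused.
    mail_from is taken for logging purposes but deliberately not consulted.
    """
    try:
        _, domain = parse_recipient(rcpt_to)
    except ValueError as why:
        return False, f"550 5.1.3 Rejected recipient: {why}"

    ip = ipaddress.ip_address(client_ip)
    if domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 Ok (inbound to local domain)"
    if ip in OUTBOUND_SOURCES:
        return True, "250 2.1.5 Ok (outbound from Exchange)"
    return False, "554 5.7.1 Relay access denied"


# Constructed open-relay probe set (not real traffic): (client IP, MAIL FROM, RCPT TO)
PROBES = [
    ("203.0.113.7", "<someone@evil.example>", "<alice@example.com>"),            # inbound
    ("203.0.113.7", "<>", "<alice@EXAMPLE.COM>"),                                 # bounce, odd case
    ("203.0.113.7", "<alice@example.com>", "<victim@elsewhere.example>"),         # spoofed local sender
    ("203.0.113.7", "<>", "<victim@elsewhere.example>"),                          # null-sender relay
    ("203.0.113.7", "<x@y.example>", "<@example.com:victim@elsewhere.example>"),  # source route
    ("203.0.113.7", "<x@y.example>", "<victim%elsewhere.example@example.com>"),   # percent hack
    ("203.0.113.7", "<x@y.example>", "<elsewhere.example!victim@example.com>"),   # bang path
    ("203.0.113.7", "<x@y.example>", '<"victim@elsewhere.example"@example.com>'), # quoted local part
    ("10.0.0.25", "<alice@example.com>", "<bob@elsewhere.example>"),              # Exchange outbound
    ("10.0.0.99", "<alice@example.com>", "<bob@elsewhere.example>"),              # other LAN host
]


def run_probes(probes=PROBES):
    """Return the accept/reject verdict for each probe, in order."""
    return [relay_decision(ip, mf, rt)[0] for ip, mf, rt in probes]


if __name__ == "__main__":
    for (ip, mf, rt), ok in zip(PROBES, run_probes()):
        verdict = "ACCEPT" if ok else "REJECT"
        print(f"{verdict} {ip:12} MAIL FROM:{mf:26} RCPT TO:{rt}")
```

Only the first two probes (inbound to the local domain, including a bounce
with a null sender) and the one from the Exchange host are accepted; the
spoofed local sender, the null-sender relay attempt, the three address-routing
tricks and the non-Exchange LAN host are all refused. A relay hardened this
way still needs the usual bastion treatment around it (minimal services,
patched MTA, no trust relationship with the inside beyond TCP/25 to the
Exchange server), which is the part of the post's advice this code does not
cover.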