I guess what I'm trying to do is get the most secure option with what I have. I'm at the point now where I think no matter what I'm kinda screwed unless I get ISA or something like it implemented. I'm under the impression that IF someone does get past the external firewall they'll be able to sniff for credentials/messages or whatever because the FE/BE communicate via clear text. So if I secure the communication between FE/BE via IPSec, then IF the front end server is compromised we're screwed once again. So what's the better of my options? Someone suggested using m0n0wall or another Linux/BSD alternative to ISA.

Miha Pihler <[EMAIL PROTECTED]> wrote:

> Hi,
>
> The problem that I see in this scenario is that the Front End needs to communicate with the Back End Exchange server and domain controllers in the LAN. Unfortunately this means that you have to open access from the DMZ to the LAN to (at least) all domain controllers in the same Active Directory Site that the Exchange Front End is in -- unless you want to statically specify which domain controllers the Front End Server can connect to (not recommended).
>
> If you are thinking about IPSec policies in Windows then you have to know that IPSec between a client (e.g. your Front End Server) and a domain controller is not supported -- especially if you plan to use IPSec with Kerberos authentication.
>
> Things you can do:
> - you can set up IPSec between Front End, Back End and domain controller (but you are not supportable any more)
> - you can fix the ports that Exchange and the Active Directory server(s) will use and then open these ports from the DMZ to the LAN
>
> Still one question remains... What is the DMZ's role in all this? It is unfortunately not protecting the LAN :-). Now if someone hacks your server (for any reason) -- the attacker can simply use the IPSec connection to gain access to the Back End and Active Directory (and if you have an IDS it will not even see the attack). Depending on the attack options (did the attacker get domain admin permissions) he could simply run dcpromo on this server and promote it to a domain controller. Now you have a domain controller in the DMZ...
Mike
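The second option Miha lists (pin the RPC ports, then open only those ports from the DMZ to the LAN) only helps if the pinning is actually in place on every server the Front End talks to. The following audit script is an added example, not code from this thread or from Microsoft: it reads the registry values that control the fixed RPC ports and reports which services still use the dynamic range. The NTDS and Netlogon locations are the documented Windows ones; the Exchange 2003 locations (MSExchangeSA and MSExchangeIS) are assumptions taken from the same fixed-port approach and should be verified against the vendor documentation before a firewall rule is built from them.

```powershell
# Added audit script (not from the thread): reports whether the RPC ports on a
# domain controller or Exchange server have been pinned to fixed values, so the
# DMZ->LAN rule for the Front End can be narrowed to those ports instead of the
# whole dynamic high-port range. Run in an elevated session on the server itself.

$FixedPortSettings = @(
    # Documented Windows locations for the AD replication and Netlogon RPC ports.
    @{ Role = 'AD replication (NTDS)';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Name = 'TCP/IP Port' },
    @{ Role = 'Netlogon';                     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'DCTcpipPort' },
    # ASSUMED Exchange 2003 locations; confirm against vendor documentation before use.
    @{ Role = 'Exchange System Attendant';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters';      Name = 'TCP/IP Port' },
    @{ Role = 'Exchange NSPI (address book)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters';      Name = 'TCP/IP NSPI Port' },
    @{ Role = 'Exchange Information Store';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Name = 'TCP/IP Port' }
)

# Well-known ports the Front End needs regardless of pinning: RPC endpoint
# mapper, Kerberos, LDAP and DNS. This list is a minimum, not a complete one.
$AlwaysRequired = @(135, 88, 389, 53)

function Get-FixedRpcPort {
    # Returns the pinned port as an integer, or $null when the value is absent
    # (meaning the service still picks a port from the dynamic range).
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$report = foreach ($s in $FixedPortSettings) {
    $port = Get-FixedRpcPort -Path $s.Path -Name $s.Name
    [pscustomobject]@{
        Role    = $s.Role
        Setting = "$($s.Path)\$($s.Name)"
        Port    = if ($null -ne $port) { $port } else { '(not set: dynamic)' }
        Status  = if ($null -ne $port) { 'pinned' } else { 'OPEN RANGE' }
    }
}
$report | Format-Table -AutoSize

$unpinned = $report | Where-Object { $_.Status -eq 'OPEN RANGE' }
if ($unpinned) {
    Write-Warning "Some RPC services still use dynamic ports; a DMZ->LAN rule would need the whole high-port range open."
} else {
    $pinned = $report | Select-Object -ExpandProperty Port
    $allow  = (($AlwaysRequired + $pinned) | Sort-Object -Unique) -join ', '
    Write-Host "All RPC services pinned. The DMZ->LAN allow list for the Front End can be limited to TCP/UDP: $allow"
}
```

The script deliberately only reads the registry; setting the values, restarting the services and then matching the firewall rule to the printed list are separate change-controlled steps. Running it after every patch cycle is a cheap way to catch a reinstalled or rebuilt server that silently reverted to dynamic ports, which is exactly the case where a previously narrow DMZ-to-LAN rule starts breaking and someone is tempted to open the full range.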
