Oh, those guys. Draw a network diagram for them that shows how it is now, and how it will be if you move it. Be sure to outline all the ports that will need to be opened up between the DMZ and the inside network to talk to the domain.
Yes, if you have it in the internal network, once they break in, they're in. BUT, if you put it in the DMZ, the same is essentially true based on all the open ports. PLUS, you run an even greater risk of misconfiguration, which is sure to have security implications. Two ports through the firewall is way less risky than the particular alternative that you are contemplating. Go get an IPS and have it inspect the traffic to that box if they're that concerned about it.

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Wed, Jan 25, 2012 at 1:48 PM, [email protected] <[email protected]> wrote:

> NCUA auditors want to know why we don't have it in our DMZ currently.
>
> At one point I knew an answer but today I don't have a clue.
>
> I know the users access OWA or ActiveSync through the outside interface of the Firewall.
>
> The Firewall NATs/PATs the address to my local LAN. The outside interface has a Cert from GoDaddy.
>
> Is that really enough? Only access to port 25 or 443 is allowed through the firewall.
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Posted At:* Wednesday, January 25, 2012 10:19 AM
> *Posted To:* [email protected]
> *Conversation:* Moving Exchange 2003 into a DMZ
> *Subject:* Re: Moving Exchange 2003 into a DMZ
>
> Why would you do that?
>
> How many ports do you intend to connect from the internet to the Exchange box?
>
> And how many are you going to have to open up between the DMZ and the LAN in order to get it to function?
>
> What problem do you hope to solve by moving it?
>
> *ASB*
> *http://XeeMe.com/AndrewBaker*
> *Harnessing the Advantages of Technology for the SMB market…*
>
> On Wed, Jan 25, 2012 at 9:13 AM, [email protected] <[email protected]> wrote:
>
> I have Exchange 2003 sitting here on my local LAN. I want to move it to my Firewall LAN and set it in the DMZ LAN there.
>
> From the outside interface of the Firewall I just need to NAT/PAT it to the new DMZ IP address. No change to the SSL Cert because that is to the outside interface (Correct?)
>
> From the clients that are internal, when I change the DNS record they should point to the internal DMZ address of the server with no client changes? (Correct?)
>
> Smartphones and tablets that have email coming to them use the outside interface of the firewall, so they should be fine? (Correct?)
>
> If I have management consoles that send SMTP email internally (VirusScan type things) or those interfaces that use IP instead of FQDN, they will have to be manually corrected when the move happens to point to the internal DMZ address of the server? (Correct?)
>
> Thanks ahead of time.
>
> Also, what would it take to just build an Exchange 2010 server and just start migrating users to it instead of moving my 2003 box anyway?
>
> As always I am humbly asking to not be beaten for my stupidity but given your wisdom on the subject instead.
>
> Thanks
>
> David
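To put numbers on the port comparison Andrew raises (two NATed ports versus everything a domain-joined box in the DMZ needs to reach the LAN), here is an added example that is not from the thread or any of its participants: it models both placements as firewall rule sets and counts the distinct ports each design opens into the LAN. The DMZ-to-LAN port list is an assumption, the usual ports a domain member uses to reach its domain controllers, with the Windows Server 2003-era default RPC dynamic range of 1025-5000.

```python
from collections import defaultdict
# Constructed rule sets: (src_zone, dst_zone, proto, port or inclusive (low, high)).
# Design A: Exchange stays on the LAN; the firewall only NATs 25 and 443 in.
LAN_PLACEMENT = [
    ("internet", "lan", "tcp", 25),       # SMTP
    ("internet", "lan", "tcp", 443),      # OWA / ActiveSync
]

# Design B: Exchange moves to the DMZ but stays a domain member, so it needs
# the (assumed) standard domain-member ports opened from the DMZ to the LAN.
DMZ_PLACEMENT = [
    ("internet", "dmz", "tcp", 25),
    ("internet", "dmz", "tcp", 443),
    ("dmz", "lan", "udp", 53),            # DNS
    ("dmz", "lan", "tcp", 88),            # Kerberos
    ("dmz", "lan", "udp", 88),
    ("dmz", "lan", "udp", 123),           # NTP
    ("dmz", "lan", "tcp", 135),           # RPC endpoint mapper
    ("dmz", "lan", "tcp", 389),           # LDAP
    ("dmz", "lan", "udp", 389),
    ("dmz", "lan", "tcp", 445),           # SMB
    ("dmz", "lan", "tcp", 636),           # LDAPS
    ("dmz", "lan", "tcp", 3268),          # Global Catalog
    ("dmz", "lan", "tcp", (1025, 5000)),  # assumed Windows 2003 RPC dynamic range
]

def expand(port):
    """A single port or an inclusive (low, high) tuple -> set of port numbers."""
    if isinstance(port, tuple):
        low, high = port
        return set(range(low, high + 1))
    return {port}

def exposure(rules):
    """Number of distinct (proto, port) pairs allowed per (src_zone, dst_zone)."""
    reach = defaultdict(set)
    for src, dst, proto, port in rules:
        reach[(src, dst)].update((proto, p) for p in expand(port))
    return {zones: len(pairs) for zones, pairs in reach.items()}

def ports_into_lan(rules):
    """Total distinct ports a less-trusted zone may reach on the LAN: what a
    compromised mailbox server (or an internet client) could talk to next."""
    return sum(n for (_, dst), n in exposure(rules).items() if dst == "lan")

if __name__ == "__main__":
    for name, rules in (("Exchange on LAN", LAN_PLACEMENT), ("Exchange in DMZ", DMZ_PLACEMENT)):
        print(f"{name}: {exposure(rules)}; ports open into LAN: {ports_into_lan(rules)}")
```

Overlapping entries (3268 sits inside the RPC range) are counted once, so the LAN figure is a count of reachable ports, not of rules.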
