-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 May 2002 07:25:11 -0500, Hunt, Jim wrote:

>Outside access is needed to the mail system to send and receive e-mail.
>Outlook Web Access (OWA) is also needed to provide users internally and
>externally access to their e-mail.
>

Try to get along without OWA. It relies on the notoriously insecure IIS, and even Microsoft warns you against running it unsecured. Better to use Outlook on the client side with strong encryption.

>What is the best scenario to install the system?
>1.) Place the unit internally (LAN) with one internal IP and do NAT at the
>firewall for both the SMTP gateway and OWA. Would (should) I use 1 IP
>external (Internet) IP for the SMTP Gateway and another IP for OWA?

If you enable external access to a server in the internal network, your security is bust. If the machine gets compromised, your whole network is at stake.

>
>2.) The unit could be internal (LAN) with 2 NICs; one NIC to the LAN and one
>NIC to the DMZ for Internet access. IP routing would not be enabled.
>

Same as above. A (potentially malicious) program running on your server can access both networks (and thus compromise them).

>3.) There is a web server in the DMZ. A 2 Microsoft Exchange Server set up
>could be done using the web server in the DMZ as the SMTP gateway and the OWA
>Server. (There isn't money ($$$) for a dedicated server in the DMZ for
>Microsoft Exchange and a Microsoft Exchange inside the LAN too.) (Again, IP
>routing would not be enabled on the web server. We would need to address
>the access back to the LAN using it as well.)

Put Exchange in the DMZ. Configure your firewall to allow SMTP incoming/outgoing to the Exchange server and nowhere else. Then allow (secure) POP/IMAP from the internal net to your Exchange server and nowhere else. Install (if you have to) OWA on the web server and allow it to access Exchange. If there is money, I like to use the firewall as the gateway for any traffic within the DMZ. That way the machines in the DMZ can be firewalled individually (as opposed to simply putting them on a switch).

>
>These seem like the best 3 options. What is everyone's thought? Please
>only provide productive answers and don't bash Microsoft Exchange or suggest
>another product. It just isn't possible. (Been there, done that, and lost
>the fight so now I have to move on and implement.)

One more option: secure MS products by using a decent Linux/BSD proxy. Recently I stumbled upon "mimedefang". This can ensure some AV/quarantine capabilities and decent protocol enforcement. A machine running squid in transparent mode and sendmail can be quite simple.

Stefan Osterlitz
PGP Public Key Fingerprint: 8A9C BC27 6D98 E447 09E8 F78B 7527 21C6

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQA/AwUBPOSnvnUnIcbqP8k9EQJIJACdFaAzZURRBs72tDhUeIE08ck1S+sAn1QB
U6Za1e9WJJjXo3Wm/6qx7FaW
=zTug
-----END PGP SIGNATURE-----
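The DMZ firewall policy the reply describes (SMTP only to and from the Exchange host, encrypted POP/IMAP only from the internal net to Exchange, the OWA web server allowed to reach Exchange, nothing else), modelled as a first-match packet filter. This is an added example and not code from the post or its author; the LAN and DMZ ranges, the host addresses and the port the OWA front end uses to reach Exchange (443) are all assumed, since the post names none of them. The second rule list shows the ordering mistake a practitioner wants to catch: "SMTP outgoing to anywhere" written as 0.0.0.0/0 also covers the LAN, so a compromised Exchange could reach internal port 25 unless the DMZ-to-LAN deny is evaluated first.

```python
"""Model of the DMZ firewall policy from the reply as a first-match filter.
All addresses, network ranges and the OWA port are constructed for this
example (assumptions); the post does not specify them."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/24")          # assumed internal net
DMZ = ipaddress.ip_network("192.0.2.0/24")         # assumed DMZ net
EXCHANGE = ipaddress.ip_network("192.0.2.25/32")   # assumed Exchange host in the DMZ
WEBSERVER = ipaddress.ip_network("192.0.2.80/32")  # assumed OWA web server in the DMZ


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int]        # TCP destination ports; empty set = any port
    comment: str


def rule(action: str, src, dst, ports, comment: str) -> Rule:
    return Rule(action, src, dst, frozenset(ports), comment)


# Rules as stated in the reply. The DMZ->LAN deny is evaluated FIRST because the
# outbound-SMTP allow uses 0.0.0.0/0, which includes the LAN.
POLICY: List[Rule] = [
    rule("deny", DMZ, LAN, (), "nothing in the DMZ initiates into the LAN"),
    rule("allow", ANY, EXCHANGE, (25,), "inbound SMTP only to Exchange"),
    rule("allow", EXCHANGE, ANY, (25,), "outbound SMTP only from Exchange"),
    rule("allow", LAN, EXCHANGE, (993, 995), "IMAPS/POP3S from the LAN to Exchange"),
    rule("allow", WEBSERVER, EXCHANGE, (443,), "OWA web server to Exchange (port assumed)"),
    rule("deny", ANY, ANY, (), "default deny"),
]

# Same rules with the DMZ->LAN deny moved to the end: the ordering bug.
NAIVE_POLICY: List[Rule] = POLICY[1:-1] + [POLICY[0], POLICY[-1]]


def decide(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) of the first rule matching a new TCP connection."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in policy:
        if src in r.src and dst in r.dst and (not r.dports or dport in r.dports):
            return r.action, r.comment
    return "deny", "implicit deny"


def allowed(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    return decide(policy, src_ip, dst_ip, dport)[0] == "allow"


if __name__ == "__main__":
    # Constructed connection attempts exercising each rule and the ordering bug.
    checks = [
        ("Internet -> Exchange SMTP", "203.0.113.7", "192.0.2.25", 25),
        ("Internet -> LAN host SMTP", "203.0.113.7", "10.0.0.5", 25),
        ("LAN -> Exchange IMAPS", "10.0.0.5", "192.0.2.25", 993),
        ("LAN -> Exchange plaintext IMAP", "10.0.0.5", "192.0.2.25", 143),
        ("Internet -> Exchange OWA port", "203.0.113.7", "192.0.2.25", 443),
        ("OWA web server -> Exchange", "192.0.2.80", "192.0.2.25", 443),
        ("compromised Exchange -> LAN SMTP", "192.0.2.25", "10.0.0.5", 25),
    ]
    for label, s, d, p in checks:
        ordered = decide(POLICY, s, d, p)[0]
        naive = decide(NAIVE_POLICY, s, d, p)[0]
        print(f"{label:34s} ordered: {ordered:5s} naive: {naive}")
```

Running the block shows the two policies agreeing on every case except the last: with the deny placed last, the compromised Exchange host's connection to a LAN host on port 25 is accepted by the outbound-SMTP allow. Whatever firewall product is used, the same check (enumerate the connections that must fail and test them against the rule set, in order) is worth doing before the box goes into the DMZ.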