With Exchange 2010, a Front End server doesn't really exist anymore.  Exchange 
2007 or 2010 doesn't support any role but Edge in a DMZ.  The MS recommended 
configuration is to have an ISA server in the DMZ for OWA, POP3, and IMAP, and 
an Edge server or SMTP appliance for SMTP.  In the past, for smaller 
configurations without DMZs, I have opened the port, created the static 
mapping and called it good, preferably having an IPS in the mix.  I personally 
don't believe a DMZ should have any access to the internal LAN.  I have put 
Exchange 2010 in a DMZ scenario.  Expect to open 20+ TCP and UDP ports to the 
internal LAN, as the Exchange server roles, except Edge, must be members of the 
domain and have RPC communication.  With that many ports open to the DMZ... 
what's the point?  If your front end server gets compromised, everything 
important is opened to the internal LAN from the DMZ anyway.  I prefer to have 
as few ports open in the firewall as possible, period.  I would run it all from 
one server and open the ports from the internet to the Exchange server.  Many 
people may not agree with me, but I have never had a problem with that 
configuration and never had a server compromised (20+ Exchange servers I have 
done this for in the past, Exchange 2000 through 2010).  As long as POP3, IMAP, 
and password policies are good and secured, there shouldn't be a problem.

Andy

Andrew Ekhoff
Technology Coordinator
St. Anne Public Schools
aekh...@sags.k12.il.us<mailto:aekh...@sags.k12.il.us>
SAGS: (815) 427-8153
SACHS: (815) 427-8141

From: tech-geeks-boun...@tech-geeks.org 
[mailto:tech-geeks-boun...@tech-geeks.org] On Behalf Of Heath Henderson
Sent: Wednesday, October 06, 2010 10:11 AM
To: tech-geeks@tech-geeks.org
Subject: [tech-geeks] Exchange 2010 server design question

I am ready to build a new Exchange 2010 server on a network which currently has 
never run one.  A question has come up that I am not entirely sure what 
direction to follow on.  It is as follows.

Ideally, I would build the Exchange server on the local network and create a 
Front End server in the DMZ with OWA, SMTP, POP3, IMAP etc. access.  But this 
system isn't that big.  I am looking at probably no more than 150 accounts 
in the life of the system.  I would probably build a VM to run the Front End 
anyway, but it just seems like overkill on a system that size.

I can point all of the internal clients to the Exchange box directly and allow 
mobile sync and OWA access via the Front End server, but now we are looking at 
limited usage, probably bringing it to a daily client activity level of about 
50 accounts (on the Front End server), with the other 100 accounts being clients 
inside the network accessing only the Exchange server directly.

Does standard practice dictate setting it up the ideal way?  Or is it 
permissible to create firewall port forward rules to route the connections from 
outside the network to inside the network?  Really, overkill is not needed, and 
the less setup that is required, the easier it is to maintain the systems.  The 
safety of the system is the only thing which needs to be a design concern.

 -Heath
| Subscription info at http://www.tech-geeks.org |