That is how I was looking at it also. Just needed to make sure I was on the right page! Thanks.
-Heath Henderson

On Oct 6, 2010, at 10:56 AM, "Ekhoff, Andrew" <aekh...@sags.k12.il.us> wrote:

> With Exchange 2010, a Front End server doesn't really exist anymore. Exchange 2007 or 2010 doesn't support any role, but edge, in a DMZ. The MS recommended configuration is to have an ISA server in the DMZ for OWA, POP3, and IMAP, and an Edge server or SMTP appliance for SMTP. In the past, in smaller configurations without DMZs, I have opened the port, created the static mapping and called it good, preferably having an IPS in the mix. I personally don't believe a DMZ should have any access to the internal LAN. I have put Exchange 2010 in a DMZ scenario. Expect to open 20+ TCP and UDP ports to the internal LAN, as the Exchange server roles, except edge, must be a member of the domain and have RPC communication. With that many ports open to the DMZ... what's the point? If your front end server gets compromised, everything important is opened to the internal LAN from the DMZ anyways. I prefer to have as few ports open in the firewall as possible, period. I would run it all from 1 server and open the ports from the internet to the Exchange server. Many people may not agree with me, but I have never had a problem with that configuration and never had a server compromised (20+ Exchange servers I have done this for in the past, Exchange 2000-2010). As long as POP3, IMAP, and password policies are good and secured, there shouldn't be a problem.
>
> Andy
>
> Andrew Ekhoff
> Technology Coordinator
> St. Anne Public Schools
> aekh...@sags.k12.il.us
> SAGS: (815) 427-8153
> SACHS: (815) 427-8141
>
> From: tech-geeks-boun...@tech-geeks.org [mailto:tech-geeks-boun...@tech-geeks.org] On Behalf Of Heath Henderson
> Sent: Wednesday, October 06, 2010 10:11 AM
> To: tech-geeks@tech-geeks.org
> Subject: [tech-geeks] Exchange 2010 server design question
>
> I am ready to build a new Exchange 2010 server on a network which currently has never run one. A question which has come up, and that I am not entirely sure what direction to follow on, is as follows.
>
> Ideally, I would build the Exchange server on the local network and create a Front End server in the DMZ with OWA, SMTP, POP3, IMAP etc. access. But this system isn't that big. I am looking at probably no more than 150 accounts in the life of the system. I would probably build a VM to run the Front End anyway, but it just seems like overkill on a system that size.
>
> I can point all of the internal clients to the Exchange box directly and allow mobile sync and OWA access via the Front End server, but now we are looking at limited usage, probably bringing it to a daily client activity level of about 50 accounts (on the Front End server) with the other 100 accounts being clients inside the network accessing only the Exchange server directly.
>
> Does standard practice dictate setup the ideal way? Or is it permissible to create firewall port forward rules to route the connections from outside the network to inside the network? Really, overkill is not needed, and the less setup that is required, the easier it is to maintain the systems. The safety of the system is the only thing which needs to be a design concern.
>
> -Heath
>
> | Subscription info at http://www.tech-geeks.org |