Exchange in DMZ?

garv221

Here is a good article.

http://www.sembee.co.uk/archive/2006/03/10/7.aspx

sprkymrk

Yeah, I agree. Exchange doesn't belong anywhere other than behind the main corporate firewall. His suggestions of using ISA are valid. A better solution IMHO is to use a VPN to an edge device, then let the firewall inspect the traffic to/from the authenticated clients and the Exchange server.

royal

http://www.internetaccessmonitor.com/eng/products/articles/Publishing_OWA_Site_Back_to_Back_ISA_Firewall_Part2/Publishing_OWA_Site_Back_to_Back_ISA_Firewall_Part1.php

sprkymrk

icroyal wrote:

http://www.internetaccessmonitor.com/eng/products/articles/Publishing_OWA_Site_Back_to_Back_ISA_Firewall_Part2/Publishing_OWA_Site_Back_to_Back_ISA_Firewall_Part1.php

Looks good - the Exchange server is not in the DMZ.



Personally I wish we were using an ISA firewall where I work. I really got attached to the 2 I managed for a couple of years back in 2001-2002. ISA 2004 and 2006 are looking like they stomp all over ISA 2000 too.

garv221

I declined the dmz exchange as well. I have a ASA5505 I am currently setting up but debated the exchange on a dmz, it just seems like a huge headache with ACLs.