Exchange behind Firewall or direct?
In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net, however, most setups tend to have just a private IP (in most cases 192.168.x.x) and simply have a port forwarder on the router.
I was just wondering if there are any benefits/downfalls to each method, or any specific reason why you have to have one over the other?
Comments
-
blargoe Member Posts: 4,174
Always, always protect your Exchange server; don't connect it directly to the ISP's network. There's always some new security vulnerability being discovered in IIS (though not as much as in years past), and you do not want that directly on the Internet. Really, port forwarding isn't enough either; you need a real firewall.
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
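An added check, not from any poster in this thread, for the two-NIC layout described in the question: it parses constructed `netstat -an`-style output for a hypothetical host and reports which listeners are reachable on an Internet-facing NIC beyond an assumed publish list of SMTP and HTTPS, which is all a port forward or edge firewall in front of a private-IP server would admit. The interface table, listener lines and publish list are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): a hypothetical Exchange host with one
# NIC on the ISP's network and one on the LAN, plus "netstat -an"-style listener lines.
# 203.0.113.0/24 (RFC 5737 documentation range) stands in for the ISP-assigned address.
INTERFACES = {"NIC1 (ISP)": "203.0.113.25", "NIC2 (LAN)": "192.168.10.5"}
NETSTAT_LINES = """
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.10.5:389       0.0.0.0:0              LISTENING
  TCP    203.0.113.25:3389      0.0.0.0:0              LISTENING
"""
ALLOWED_PORTS = {25, 443}  # assumed publish list: SMTP and HTTPS only

# RFC 1918 plus loopback and link-local; any other address is treated as Internet-facing.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.M)

def is_private_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_listeners(netstat_text):
    """(bind_address, port) pairs for every TCP listener in netstat -an output."""
    return [(addr, int(port)) for addr, port in _LISTEN_RE.findall(netstat_text)]

def internet_exposed_ports(interfaces, listeners):
    """Ports reachable via a non-private NIC: a 0.0.0.0 bind counts on every NIC,
    a bind to a specific address only on the NIC that holds it."""
    exposed = {}
    for name, ip in interfaces.items():
        if is_private_ip(ip):
            continue
        ports = sorted({p for bind, p in listeners if bind in ("0.0.0.0", ip)})
        if ports:
            exposed[name] = ports
    return exposed

def unintended_exposure(exposed, allowed):
    """Internet-facing ports outside the intended publish list, per NIC."""
    return {name: [p for p in ports if p not in allowed]
            for name, ports in exposed.items() if set(ports) - allowed}

if __name__ == "__main__":
    exposed = internet_exposed_ports(INTERFACES, parse_listeners(NETSTAT_LINES))
    print("Outside the publish list:", unintended_exposure(exposed, ALLOWED_PORTS))
```

On the private-IP-plus-port-forward layout the same host would have no non-private NIC, so the report is empty by construction and exposure is governed by the forwarding rules instead.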
GAngel Member Posts: 708
As he said, it's a very bad idea to leave a critical system exposed on the net.
-
HeroPsycho Inactive Imported Users Posts: 1,940
mr2nut wrote: »In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net...
They're idiots...
Good luck to all! -
mr2nut Member Posts: 269
GAngel wrote: »As he said, it's a very bad idea to leave a critical system exposed on the net.
I thought as much. However, the system did have an ISA Firewall in place, in which rules were in place for the Exchange side of things. Still, I would prefer to keep my Exchange with a private IP and hide it at all costs. I was just wondering about this today and thought I'd ask. Cheers -
mr2nut Member Posts: 269
HeroPsycho wrote: »They're idiots...
Have a bit of respect. It was an inherited domain and didn't stay that way for long. -
HeroPsycho Inactive Imported Users Posts: 1,940
mr2nut wrote: »Have a bit of respect. It was an inherited domain and didn't stay that way for long.
I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"
Good luck to all! -
mr2nut Member Posts: 269
HeroPsycho wrote: »I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"
OK, fair dos. And yes, I agree, and thought even at the time, when I was new to IT, that surely that wasn't a good idea. Also, what I thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while, lol. -
HeroPsycho Inactive Imported Users Posts: 1,940
mr2nut wrote: »OK, fair dos. And yes, I agree, and thought even at the time, when I was new to IT, that surely that wasn't a good idea. Also, what I thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while, lol.
Telling your bosses they're idiots is equally idiotic.
Good luck to all! -
ccie15672 Member Posts: 92
Make a DMZ sandwich.
Exchange, web server, etc. in the middle of two firewalls... one attached to the outside, one attached to the inside.
Derick Winkworth
CCIE #15672 (R&S, SP), JNCIE-M #721
Chasing: CCIE Sec, CCSA (Checkpoint) -
vCole Member Posts: 1,573
ccie15672 wrote: »Make a DMZ sandwich.
Exchange, web server, etc. in the middle of two firewalls... one attached to the outside, one attached to the inside.
I came here to say this. -
dynamik Banned Posts: 12,312
FadeToBright wrote: »I came here to say this
Don't cave in to peer pressure! Take a three-pronged approach, just to be different! -
HeroPsycho Inactive Imported Users Posts: 1,940
ccie15672 wrote: »Make a DMZ sandwich.
Exchange, web server, etc. in the middle of two firewalls... one attached to the outside, one attached to the inside.
An Exchange server in a DMZ segment like this, while better, isn't as beneficial as it is with other apps. You'll end up Swiss-cheesing your internal firewall so much anyway in a front-end/back-end separation design. And your email is critical data anyway, so if it's your sole Exchange server (no front-end/back-end separation), you've already put critical data on a DMZ host, so you're not gaining much there either, but it's technically more secure.
A better way to go is to securely publish Exchange via ISA.
You should at least have an edge firewall between Exchange and the net, no matter what.
Good luck to all! -
Daniel333 Member Posts: 2,077
Go ahead and give this guy a read....
http://www.microsoft.com/downloads/details.aspx?FamilyId=E64666FC-42B7-48A1-AB85-3C8327D77B70&displaylang=en
-Daniel -
HeroPsycho Inactive Imported Users Posts: 1,940
Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.
http://technet.microsoft.com/en-us/library/bb232184.aspx
Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up Swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.
Edge firewall between any Exchange server and the net? Absolutely a must.
Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.
Good luck to all! -
LukeQuake Member Posts: 579
HeroPsycho wrote: »Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.
Planning for Client Access Servers
Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up Swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.
Edge firewall between any Exchange server and the net? Absolutely a must.
Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.
100% agreed! I was going to post something along these lines.