Exchange behind Firewall or direct?

mr2nut Member Posts: 269
In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs, one with the static IP from the ISP straight onto the net. However, most setups tend to have just a private IP (in most cases 192.168.x.x) and simply a port forward on the router.

I was just wondering if there are any benefits/downfalls to each method, or any specific reason why you have to have one over the other?

Comments

  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    Always, always, protect your exchange server, don't connect it directly to the ISP's network. There's always some new security vulnerability being discovered in IIS (though not as much as in years past), and you do not want that directly on the Internet. Really port forwarding isn't enough either, you need a real firewall.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • GAngel Member Posts: 708 ■■■■□□□□□□
    As he said, it's a very bad idea to leave a critical system exposed on the net.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    mr2nut wrote: »
    In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net...

    They're idiots...
    Good luck to all!
  • mr2nut Member Posts: 269
    GAngel wrote: »
    As he said, it's a very bad idea to leave a critical system exposed on the net.

    I thought as much. However, the system did have an ISA Firewall in place, with rules in place for the Exchange side of things. Still, I would prefer to keep my Exchange with a private IP and hide it at all costs. I was just wondering about this today and thought I'd ask. Cheers
  • mr2nut Member Posts: 269
    HeroPsycho wrote: »
    They're idiots...

    Have a bit of respect. It was an inherited domain and didn't stay that way for long.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    mr2nut wrote: »
    Have a bit of respect. It was an inherited domain and didn't stay that way for long.

    I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"
    Good luck to all!
  • mr2nut Member Posts: 269
    HeroPsycho wrote: »
    I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"

    OK, fair dos. And yes, I agree, and thought even at the time, when I was new to IT, that surely that wasn't a good idea. What I also thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while. lol
  • HeroPsycho Inactive Imported Users Posts: 1,940
    mr2nut wrote: »
    OK, fair dos. And yes, I agree, and thought even at the time, when I was new to IT, that surely that wasn't a good idea. What I also thought might be a good idea was not to challenge my IT manager, as he had used it like that for a while. lol

    Telling your bosses they're idiots is equally idiotic. :D
    Good luck to all!
  • ccie15672 Member Posts: 92 ■■■□□□□□□□
    Make a DMZ sandwich.

    Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.
    Derick Winkworth
    CCIE #15672 (R&S, SP), JNCIE-M #721
    Chasing: CCIE Sec, CCSA (Checkpoint)
  • vCole Member Posts: 1,573 ■■■■■■■□□□
    ccie15672 wrote: »
    Make a DMZ sandwich.

    Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

    I came here to say this.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    I came here to say this.

    Don't cave into peer pressure! Take a three-pronged approach, just to be different!
  • HeroPsycho Inactive Imported Users Posts: 1,940
    ccie15672 wrote: »
    Make a DMZ sandwich.

    Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

    An Exchange server in a DMZ segment like this, while better, isn't as beneficial as it is with other apps. You'll end up Swiss-cheesing your internal firewall so much anyway in a frontend/backend separation design. And your email is critical data anyway, so if it's your sole Exchange server (no front-end/backend separation), you've already put critical data on a DMZ host, so you're not gaining much there either, but it's technically more secure.

    A better way to go is securely publish Exchange via ISA.

    You should at least have an edge firewall between Exchange and the net, no matter what.
    Good luck to all!
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.

    http://technet.microsoft.com/en-us/library/bb232184.aspx

    Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up Swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.

    Edge firewall between any Exchange server and the net? Absolutely a must.

    Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.
    Good luck to all!
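Both blargoe's point (a port forward on the router is not a firewall) and HeroPsycho's (an edge firewall between any Exchange server and the net is a must) come down to one verifiable property: from the outside, only the published services should answer. The script below is an added example, not code from the thread or from Microsoft; it probes a public hostname from an external vantage point and reports any port that answers beyond the published ones. The port sets are assumptions for illustration (SMTP and HTTPS as the only published services; plain HTTP, RPC, SMB, LDAP, RDP and WinRM as services that must never be reachable), not Exchange's complete port map, and `mail.example.com` is a placeholder.

```python
"""External exposure check for a published Exchange server (added example).

Assumption: the only services that should answer from the Internet are
SMTP (25) and HTTPS (443). Everything else must be blocked by the edge
firewall. Port lists here are illustrative, not Exchange's full port map.
Run it from a host outside the perimeter, not from the LAN.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports an Internet-facing Exchange publication is expected to expose (assumed).
ALLOWED_PORTS = {25, 443}

# Ports that should never be reachable from outside; labels are for the report.
FORBIDDEN_PORTS = {
    80: "HTTP (unencrypted OWA/IIS)",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3389: "RDP",
    5985: "WinRM",
}


def tcp_open(host, port, timeout=1.0):
    """Return True if a full TCP handshake to host:port completes within timeout.

    A refused connection, a filtered (dropped) packet that times out, or an
    unresolvable host all count as closed; the caller only cares whether the
    service is reachable from here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, ports, timeout=1.0, workers=16):
    """Probe the given ports in parallel. Returns {port: reachable_bool}."""
    ports = sorted(set(ports))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: tcp_open(host, p, timeout), ports)
    return dict(zip(ports, results))


def assess(open_ports, allowed=ALLOWED_PORTS, forbidden=FORBIDDEN_PORTS):
    """Split reachable ports into expected ones and violations.

    Returns (expected, violations) where violations is a sorted list of
    (port, label) tuples; a reachable port outside both sets is still a
    violation, just with a generic label.
    """
    expected = sorted(p for p in open_ports if p in allowed)
    violations = sorted(
        (p, forbidden.get(p, "unexpected service"))
        for p in open_ports
        if p not in allowed
    )
    return expected, violations


def check_exposure(host, timeout=1.0):
    """Probe the allowed and forbidden port sets on host and assess the result."""
    reach = probe(host, ALLOWED_PORTS | set(FORBIDDEN_PORTS), timeout)
    reachable = {p for p, ok in reach.items() if ok}
    return assess(reachable)


if __name__ == "__main__":
    # Placeholder hostname; pass the real published name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    expected, violations = check_exposure(target)
    print(f"{target}: published services reachable: {expected or 'none'}")
    for port, label in violations:
        print(f"  VIOLATION: tcp/{port} ({label}) answers from the Internet")
    # Non-zero exit so the check can gate a change or run from cron.
    sys.exit(1 if violations else 0)
```

A result of `[25, 443]` with no violations is what a properly firewalled publication looks like; a router that merely forwards the ports you asked for will usually pass this too, but the script is also useful the other way round, run after every firewall change to confirm nothing new has been opened. It deliberately only completes the TCP handshake and does not speak SMTP or HTTP, so it tells you what is reachable, not whether the service behind it is patched.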
  • LukeQuake Member Posts: 579 ■■■□□□□□□□
    HeroPsycho wrote: »
    Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.

    Planning for Client Access Servers

    Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up Swiss-cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.

    Edge firewall between any Exchange server and the net? Absolutely a must.

    Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.

    100% agreed! I was going to post something along these lines.