Exchange behind Firewall or direct?

In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net, however, most setups tend to have just a private IP (in most cases 192.168.x.x) and simply have a port forwarder on the router.

I was just wondering if there are any benefits/downfalls to each method, or any specific reason why you have to have one over the other?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

blargoe

Always, always, protect your exchange server, don't connect it directly to the ISP's network. There's always some new security vulnerability being discovered in IIS (though not as much as in years past), and you do not want that directly on the Internet. Really port forwarding isn't enough either, you need a real firewall.

GAngel

As he said its a very bad idea to leave a critical system exposed on the net.

HeroPsycho

mr2nut wrote: »

In the past I have worked with a few different Exchange setups. My first domain had an Exchange server with 2 NICs. One with the static IP from the ISP straight onto the net...

They're idiots...

mr2nut

GAngel wrote: »

As he said its a very bad idea to leave a critical system exposed on the net.

I thought as much. However, the system did have an ISA Firewall in place in which rules were in place for the Exchange side of things. Still, I would prefer to keep my Exchange with a private IP and hide at all costs. I was just wondering about this today and thought i'd ask. Cheers

mr2nut

HeroPsycho wrote: »

They're idiots...

Have a bit of respect. it was an inherited domain and didn't stay that way for long.

HeroPsycho

mr2nut wrote: »

Have a bit of respect. it was an inherited domain and didn't stay that way for long.

I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"

mr2nut

HeroPsycho wrote: »

I'm referring to whoever deployed it that way and/or defended that configuration, not those who got stuck with a bad design and had to change it. The people responsible for that design don't deserve respect unless they stood up and said, "wow, that was really dumb of us!"

ok fair does. And yes I agree and thought even at the time when I was new to IT that surely that wasn't a good idea. Also what I thought might be a good idea was not to challenge my IT manager as he had used it like that for a while

lol

HeroPsycho

mr2nut wrote: »

ok fair does. And yes I agree and thought even at the time when I was new to IT that surely that wasn't a good idea. Also what I thought might be a good idea was not to challenge my IT manager as he had used it like that for a while lol

Telling your bosses they're idiots is equally idiotic.

ccie15672

Make a DMZ sandwich.

Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

vCole

ccie15672 wrote: »

Make a DMZ sandwich.

Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

I came here to say this

dynamik

FadeToBright wrote: »

I came here to say this

Don't cave into peer pressure! Take a three-pronged approach, just to be different!

HeroPsycho

ccie15672 wrote: »

Make a DMZ sandwich.

Exchange, web-server, etc in the middle of two firewalls... one attached to the outside one attached to the inside.

An Exchange server in a DMZ segment like this, while better, it's not that beneficial as with other apps. You'll end up swiss cheesing your internal firewall so much anyway in a frontend/backend separation design. And your email is critical data anyway, so if it's your sole Exchange server, (no front-end/backend separation), you've already put critical data on a DMZ host, so you're not gaining much there either, but it's technically more secure.

A better way to go is securely publish Exchange via ISA.

You should at least have an edge firewall between Exchange and the net, no matter what.

Daniel333

Go ahead and give this guy a read....

http://www.microsoft.com/downloads/details.aspx?FamilyId=E64666FC-42B7-48A1-AB85-3C8327D77B70&displaylang=en

HeroPsycho

Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.

http://technet.microsoft.com/en-us/library/bb232184.aspx

Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up swiss cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.

Edge firewall between any Exchange server and the net? Absolutely a must.

Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.

LukeQuake

HeroPsycho wrote: »

Just remember, with Exchange 2007, the Client Access Server role, which effectively replaced the "Front End Server" in the E2K/E2K3 world, is not even supported by Microsoft in a DMZ.

Planning for Client Access Servers

Even though they were supported in the E2K/E2K3 world, as I said before, you'll end up swiss cheesing your internal firewall anyway, so there's not much of a point in doing it IMO.

Edge firewall between any Exchange server and the net? Absolutely a must.

Cascading firewalls/DMZ for your front ends? Not much good/not even supported on E2K7 and later, and I probably wouldn't do it at this point even on E2K3. If you want enhanced security to this degree, securely publish your Exchange resources with ISA 2006.

100% agreed! I was going to post something along these lines.