Welcome to ISAserver.org


DMZ Design

DMZ Design - 11.Apr.2006 3:48:45 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I am planning to put the Exchange and web servers on a DMZ network. The question is, what IP address do I use? Right now it's inside the internal network and it's using an internal IP address which is routable on the Internet. A 1:1 static route is set up on the Cisco router and Checkpoint firewall.

Need help on this for both the web and Exchange servers.
Post #: 1
RE: DMZ Design - 13.Apr.2006 6:09:45 PM   
jchiver

 

Posts: 25
Joined: 7.Oct.2005
Status: offline
Question: why do you want to put your Exchange server in the DMZ?

Please explain what it is you are trying to accomplish.

Jeremy

(in reply to bhavin78)
Post #: 2
RE: DMZ Design - 13.Apr.2006 6:13:15 PM   
bhavin78

 

I am very new to this, and so far what I have read and researched says that it's good to put any server which is accessed directly from the Internet, or needs a direct Internet connection, in the DMZ. I might be wrong; help me out to get a better understanding of the DMZ and the options for my Exchange server and web server.

(in reply to jchiver)
Post #: 3
RE: DMZ Design - 13.Apr.2006 6:20:19 PM   
jchiver

 

You are correct in what you have read.

Servers such as web servers and FTP servers should be kept in the DMZ, but Exchange is different.

Because Exchange is heavily integrated with your domain, having this in your DMZ would open up big holes in your domain's security.

If you are looking at using an ISA server, then you can only allow port 25 traffic to it, which will mean it can receive email from the Internet, and port 443 so you can enable Outlook Web Access for your users.

There are loads of guides on this site, many written by a chap called Tom Shinder, who you will see a lot on these forums.

(in reply to bhavin78)
Post #: 4
RE: DMZ Design - 13.Apr.2006 6:27:33 PM   
bhavin78

 

So how will AD talk with Exchange if I put it in the DMZ?

What's the best practice, and how?

What about the web server, which will be accessed by Internet and internal users?

(in reply to jchiver)
Post #: 5
RE: DMZ Design - 13.Apr.2006 6:30:41 PM   
bhavin78

 

Why will Exchange be secure in the internal network when compared to the DMZ?

(in reply to bhavin78)
Post #: 6
RE: DMZ Design - 13.Apr.2006 7:32:33 PM   
bhavin78

 

I read a few articles and they talk about Front-End/Back-End Exchange servers. In my case I only have one server for a small company with 100 users. Can I get some help on this and my very first question?

Thanks

(in reply to bhavin78)
Post #: 7
RE: DMZ Design - 13.Apr.2006 7:48:32 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

For the best and most secure design for a FE/BE Exchange Deployment, check out:

http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to bhavin78)
Post #: 8
RE: DMZ Design - 13.Apr.2006 7:52:37 PM   
bhavin78

 

I read that article before, but I am confused as I am not going with an FE/BE server. I just have one Exchange server for a very small company with 100 users, and they cannot afford to buy an extra license for Exchange server.

So please help me out another way.

(in reply to tshinder)
Post #: 9
RE: DMZ Design - 22.May.2006 6:31:31 PM
bhavin78

 

Tom,
I will appreciate it if you can help me figure out the question I have on the DMZ.

I want to install Exchange securely but don't want to spend extra money using an FE Exchange server in the DMZ, as it's a 100-user company with two locations. In this case I cannot put Exchange on the DMZ, as it's integrated with AD and it needs to talk with AD, which opens a security hole. What are my other options which are secure?
Same question on the DMZ with other servers (terminal server, web server, etc.: where they go, DMZ or internal network).
They will be accessed from outside, but somehow they need to talk with AD for authentication and with data stored on the SQL Server and file server. So somehow there needs to be a connection with the internal servers from the DMZ. If this is the case, then you cannot put any server on the DMZ which is a member of the domain.

I am very confused as I am very new to security, so please help me out.

(in reply to bhavin78)
Post #: 10
RE: DMZ Design - 22.May.2006 8:44:50 PM
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Check my answer in your other thread:

http://forums.isaserver.org/Confused_with_DMZ/m_2002017224/tm.htm


_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to bhavin78)
Post #: 11
