Thanks for the article, looking forward to the rest of it.
Regarding "In a split DNS, the same domain name is hosted on two different DNS servers containing two different DNS zones. There are usually two zones: an external zone that services external network clients and an internal zone that services internal network clients" and "We will cover only the internal DNS server in this example, as you likely will be using a non-Windows based DNS server for your external zone." Am I correct in thinking the external DNS server would be the one at a business's Internet Service Provider?
Your comments up front about how a secure production environment would use an Edge server on an anonymous DMZ and putting the Client Access Server on an authenticated DMZ will frighten off the smaller 100 user businesses. Is there no hope of configuring a secure remote access scenario using a single 2007 Exchange server and ISA 2006?
Ha! Yes, it seems that the Americans are definitely not as sophisticated as the Europeans are when it comes to network security. The "nightmare scenario" shows how poorly educated most American "security specialists" are. Most of them only know what the "hardware" sales guys tell them! :)
Thanks, Jeff
Hi Jeff,
While the secure design using authenticated and anonymous access DMZs is the preferred method of creating a highly secure configuration, it's all a matter of degree. Having an ISA Firewall in front of the single Exchange 2007 is certainly more secure than a PIX, ASA or Juniper. It's just not the best way to do it, but you do what you can with the amount of money you're willing to spend.
quote (tshinder, quoting Cashmo): ......a secure production environment would use an Edge server on an anonymous DMZ and putting the Client Access Server on an authenticated DMZ .....
I suppose you could combine the Edge server with the Client Access Server in the Authenticated DMZ ? Thus working with two servers instead of three. Would a IIS based SMTP relay be enough in the anonymous DMZ? Or am I not understanding the role of the Edge server?
http://www.microsoft.com/exchange/evaluation/features/serverroles.mspx shows the Edge Transport role on its own in the DMZ (anonymous or authenticated?) and the CAS, Hub Transport and Mailbox roles would be on the second Exchange server behind the ISA box. I'm also not sure what protocols would be used between the Exchange servers.
The Edge Exchange Server should be on an anonymous access DMZ. The reason for this is that no authenticated connections come into the Exchange Edge server.
I'm in the same boat you're in right now. I haven't figured out what the protocols are that are required between the various Exchange Servers for 2007. I'll probably try to figure that out after I get back from Black Hat.
Question: Is it suggested to put the edge server in a true DMZ or is Microsoft recommending it be published via ISA? Answer: Edge Transport server is only supported in a perimeter network. You can use ISA as the firewall server, but do not use ISA's built-in SMTP screening/filtering capabilities.
Question: Does the Edge Transport support TLS, or what type of secure email does it handle? Answer: Secure SMTP (SMTPS) from Edge to Hub Transport. And from Hub to Edge it's using SMTP plus 50389 (LDAP) or 50363 (Secure LDAP) for Edge Sync traffic.
Question: What is the advantage of having an edge server over using just a hub server? Answer: This server role is for perimeter network deployment. It supports Simple Mail Transfer Protocol (SMTP) routing, provides anti-spam filtering technologies and support for antivirus extensibility. The Edge Transport server should be isolated from the Active Directory directory services, but can still leverage Active Directory for recipient filtering by using Active Directory Application Mode (ADAM). EdgeSync in Exchange Server 2007 publishes pertinent organization information, encrypted, to the Edge Transport server for use in robust recipient filtering and respects Microsoft Outlook safe sender lists on the Edge. Communications between the Edge Transport server and the internal network in an Exchange Server 2007 organization are encrypted by default. Edge Transport includes anti-spam technologies that protect at many layers.
Since my company's present Barracuda 200 spam filter does much of what the Edge Transport box would do, I think I'm going to forgo the latter. Now I'm trying to decide whether it's worth a 2nd Exchange server to hold the Client Access role or not. Am I correct in thinking the Barracuda spam filter should go in an ISA DMZ?
Thanks, Jeff
< Message edited by Cashmo -- 26.Jul.2007 5:12:20 PM >
Yes, the Barracuda should be placed in an anonymous access DMZ. If you decide on deploying a client access server, that should be placed on an authenticated access DMZ. You can do this easily with a single ISA Firewall with four NICs.
It's nice to see that I have, somehow, contributed to this article, since the Exchange Publishing Nightmare Scenario picture was taken from an article I wrote for MSExchange.org. I just want to clarify some points around this scenario:
- I fully agree with Mr. Thomas Shinder that this is not the best topology for ISA Server;
- Nevertheless (and I'm in Europe), most of my customers specifically ask for this topology, although I keep trying to convince them otherwise;
- ISA is a great firewall, but is also a great reverse proxy. All of my customers where the Nightmare Scenario was the one that was implemented already had the security components (firewalls) in place. ISA Server was a new addition with the specific purpose of publishing Exchange. Hey, it's a great way of introducing them to Microsoft products, so maybe they'll start using it as their edge firewall;
- Having said that, I totally disagree that the Nightmare Scenario will increase Cisco or Checkpoint profit.
One thing that being a consultant taught me is to understand customer needs and not try to push my technical solution on them. My job is to advise them and to point them in the right direction, but if they want to stick with their DMZ with their Checkpoint firewalls, who am I to deny them that?
Fundamentalism is what makes the Linux, Unix, Checkpoint, Cisco (...) guys lose market share. I like to think of ourselves, Microsoft guys, as more open-minded and willing to build a solution that really serves customer needs.
Indeed, the Nightmare Scenario graphic was lifted from your article and enhanced for educational purposes.
Allowing your customers to dictate security requirements is not wise. You're the expert and it's our responsibility to educate them and provide expert opinion and guidance.
Children think they can play with fireworks and guns -- but as adults we don't let them do that because we know better. In the same way, customers might think that the Nightmare Scenario is a smart way to do things, but they actually end up lowering their overall security posture by implementing the ISA Firewall in that way.
Because of this, as a consultant myself, I refuse to work with customers who do not do the right thing. Why should I become a co-conspirator in their attempt to reduce security?
Sometimes I also wish I could refuse to work with some customers, but unfortunately I can't. I understand and respect your point of view, but as I said, if a customer already has a DMZ using 3rd party firewalls and just wants to publish Exchange, I see no problem in using ISA Server that way. ISA is great for publishing Exchange and is an opportunity to introduce these customers to a fine security product from Microsoft.
I understand your point of view and some businesses don't have the luxury of telling customers "no". I'm fortunate in that way. But one thing I do try to do on www.isaserver.org is point out best practices and make very very clear that the ISA Firewall was designed from the ground up to be a network firewall with Web proxy and VPN capabilities as well. But the ISA Firewall is primarily a firewall and arguably more secure than anything that Check Point or Cisco has -- and that's the important educational message that customers must understand.
Hi Tom, Very good article on Exchange 2007 and ISA publishing - I got a lot out of it. One thing I thought was worth mentioning is that there _is_ an SMTP service in Exchange 2007.
Unfortunately, it is called "Microsoft Exchange Transport" (MSExchangeTransport.exe). If you go to your server's command line and do a netstat -ab you will see that MSExchangeTransport.exe is the executable listening on port 25.
(Also note that this is a different service than the EdgeTransport.exe you talk about fiddling with that config in the section about backpressure).
Anyway, the Exchange Transport service is the one responsible for SMTP in Exchange2k7.
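One way to turn the netstat -ab check from the post above into a repeatable inventory of which process owns each listening port. This is an added example, not code from the post or from Microsoft: the netstat output it parses is a constructed sample in the shape Windows prints (the owning process in brackets on the line after each connection, a service name on its own line before the bracket for svchost-hosted services, and "Can not obtain ownership information" when the shell is not elevated), and the expected-owner table is an assumption to be filled in for your own server.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `netstat -ab` output from a Windows Exchange 2007 server.
# Addresses are RFC 5737 documentation ranges; the layout mirrors real netstat output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
 [MSExchangeTransport.exe]
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
 [w3wp.exe]
  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED
 [MSExchangeTransport.exe]
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
"""

# A connection line: protocol, local address, foreign address, optional state (UDP has none).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[dict]:
    """Parse netstat -ab output into one record per connection, with its owning process."""
    entries: List[dict] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        m = CONN_RE.match(raw)
        if m:
            proto, local, foreign, state = m.groups()
            current = {"proto": proto, "local": local, "foreign": foreign,
                       "state": state or "", "owner": None, "service": None}
            entries.append(current)
            continue
        line = raw.strip()
        if current is None or not line:
            continue  # header lines before the first connection, blank lines
        if line.startswith("[") and line.endswith("]"):
            current["owner"] = line[1:-1]          # "[MSExchangeTransport.exe]"
        elif line.startswith("Can not obtain"):
            current["owner"] = "<unknown: insufficient privilege>"
        else:
            current["service"] = line              # service name hosted in svchost.exe
    return entries


def local_port(entry: dict) -> int:
    """Extract the port from a local address; rsplit handles IPv6 forms like [::]:25."""
    return int(entry["local"].rsplit(":", 1)[1])


def listeners(entries: List[dict]) -> Dict[int, str]:
    """Map each listening TCP port to the process that owns it."""
    return {local_port(e): (e["owner"] or "<unknown>")
            for e in entries if e["proto"] == "TCP" and e["state"] == "LISTENING"}


def unexpected_listeners(entries: List[dict], expected: Dict[int, str]) -> List[str]:
    """Report ports that are listening but owned by a process other than the one expected."""
    findings = []
    for port, owner in sorted(listeners(entries).items()):
        if port in expected and owner != expected[port]:
            findings.append(f"port {port} owned by {owner}, expected {expected[port]}")
    return findings


if __name__ == "__main__":
    # Assumed baseline for this host: SMTP belongs to the Exchange transport service,
    # HTTPS (OWA, RPC/HTTP) to the IIS worker process.
    baseline = {25: "MSExchangeTransport.exe", 443: "w3wp.exe"}
    records = parse_netstat(SAMPLE_NETSTAT)
    for port, owner in sorted(listeners(records).items()):
        print(f"{port:>5}  {owner}")
    print("findings:", unexpected_listeners(records, baseline) or "none")
```

Feeding it live output (`netstat -ab > listeners.txt` from an elevated prompt, then reading that file instead of the sample) gives a port-to-owner table you can diff against a known-good baseline after patching or a role change; the established 25 connection and the UDP entry are deliberately excluded from the listener map so only bound services are compared.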
I notice that when creating the OWA (NTLM) - "integrated authentication" rule it appears to be the same as the OWA (Basic) rule except for the /OWA/* in the path section. How does this <OWA (NTLM)> rule use NTLM? I look at the walkthrough and there is no option for that rule that I see that uses NTLM. Thanks.
We configured our Exchange 2007 with a single rule and it works without any issues. Thanks.
I noticed the same thing about the OWA (NTLM) rule. Shouldn't we change the authentication method to NTLM authentication from the Authentication Delegation tab?
Note that you cannot select any other option than Basic authentication because the Web Listener is configured to fail back to Basic authentication only. This means that users will always need to log on when connecting using RPC/HTTP. This is the price you have to pay for ISA Firewall security and pre-authentication. If you try to bypass this configuration, you will enable the entire Internet to establish anonymous connections to your RPC/HTTP proxy site on the Client Access Server. That is not something I consider a wise security decision and do not come crying to me when you get nailed with a zero-day exploit against the RPC/HTTP proxy just because your users whined about having to log on to Outlook.
Can't we create another Web Listener with integrated authentication and then do a standard NTLM delegation to authenticate to the CAS? So we can do NTLM authentication securely with Outlook, can't we?