You've got a fundamentally different view of DMZs than many security
professionals have. DMZs are fundamentally UNTRUSTED networks. Since it's
untrusted, you need to consider what data you are exposing to it. In this
case, you're providing full access to Active Directory, and all it contains,
to an untrusted network.

For the same reason, I don't like third leg DMZs - you really should run
your DMZ between two different firewalls. I know of one large, West Coast
company that runs their DMZ between two different BRANDS of firewalls (Cisco
PIX on one side and CheckPoint on the other).

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
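To make the point above concrete, here is an added example (not code from any poster in this thread) that audits a zone-based firewall ruleset for which directory services a DMZ zone can reach; the rule format, zone names and sample rulesets are constructed for illustration, and the port numbers are the standard ones for each service.

```python
"""Audit which Active Directory services a DMZ zone can reach through a
firewall ruleset.  Constructed example: rule format, zone names and the
sample rulesets are hypothetical; service ports are the standard ones."""
from dataclasses import dataclass

# Standard ports an Exchange front-end would need toward domain controllers.
AD_SERVICES = {
    "ldap": (389, "tcp"),
    "ldap-gc": (3268, "tcp"),
    "kerberos": (88, "tcp"),
    "rpc-epm": (135, "tcp"),
    "smb": (445, "tcp"),
    "dns": (53, "udp"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int        # 0 means "any port"
    proto: str       # "tcp", "udp" or "any"

def allows(rule, src, dst, port, proto):
    """True if this rule permits src -> dst on the given port/protocol."""
    return (rule.src_zone == src and rule.dst_zone == dst
            and rule.port in (0, port) and rule.proto in ("any", proto))

def ad_exposure(rules, src="dmz", dst="internal"):
    """AD services reachable from src to dst.  Any hit means a compromised
    host in the src zone can talk to the directory over that service."""
    return sorted(name for name, (port, proto) in AD_SERVICES.items()
                  if any(allows(r, src, dst, port, proto) for r in rules))

# Constructed rulesets (hypothetical policies, not from the thread).
# Front-end in the DMZ with a blanket allow toward the inside.
FE_IN_DMZ = [Rule("internet", "dmz", 443, "tcp"),
             Rule("dmz", "internal", 0, "any")]
# Front-end in the DMZ with only the "laundry list" ports opened to the DCs.
FE_LAUNDRY = [Rule("internet", "dmz", 443, "tcp"),
              Rule("dmz", "internal", 389, "tcp"),
              Rule("dmz", "internal", 88, "tcp")]
# Front-end inside; the DMZ only forwards HTTPS to it.
FE_INSIDE = [Rule("internet", "dmz", 443, "tcp"),
             Rule("dmz", "internal", 443, "tcp")]

if __name__ == "__main__":
    for name, rules in (("fe-in-dmz", FE_IN_DMZ), ("fe-laundry", FE_LAUNDRY),
                        ("fe-inside", FE_INSIDE)):
        print(name, ad_exposure(rules) or "no AD services reachable")
```

Each service listed for a ruleset is a path a compromised DMZ host would have into the directory; an empty list means the DMZ zone has no direct AD reach under that policy.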
 

> -----Original Message-----
> From: Henry, Christopher M. [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 29, 2004 9:56 AM
> To: Exchange Discussions
> Subject: RE: OWA 2003 - Questions
> 
> Hmm damnit...guess I am in trouble here. Actually putting a front server
> on the DMZ is really a matter of preference. For example that is
> something I am planning on implementing ONLY because my DMZ is also
> behind a firewall so the only traffic that will be hitting that server
> will be from port 80.  Then again it is recommended to place frontend
> servers between two firewalls. Then if you really want to make things
> secure you can run IPSEC between your frontend and backend server.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ed
> Crowley [MVP]
> Sent: Thursday, April 29, 2004 1:03 AM
> To: Exchange Discussions
> Subject: RE: OWA 2003 - Questions
> 
> There's a KB article that tells you the whole laundry list of ports you
> must open between the front-end server and the domain controllers, the
> other Exchange servers, the DNS server, and so on.  If that doesn't
> scare you, then go ahead and put a front-end server in the DMZ.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, April 28, 2004 5:57 PM
> To: Exchange Discussions
> Subject: RE: OWA 2003 - Questions
> 
> Thanks for all of the input.
> But I have to ask, if putting the OWA front-end in the DMZ is a bad
> idea, what would you recommend instead? Just forwarding ports to the FE
> server on the local network or other (sorry, I'm a bit of a n00b when it
> comes to network security.. and by a bit, I mean a lot).
> 
> Is there any online documentation that details alternatives to putting
> the FE in DMZ?
> 
> Thanks again for all of your help,
> 
> Luke
> 
> 
> -----Original Message-----
> 
> That's putting it politely.  I think it's a lousy idea.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Fyodorov, Andrey FTL
> Sent: Tuesday, April 27, 2004 6:34 AM
> To: Exchange Discussions
> Subject: RE: OWA 2003 - Questions
> 
> We have recently had a lot of discussions regarding the Exchange
> front-end placement in a DMZ and I think most people agreed that it
> would not be the greatest idea.
> 
> To make an Exchange server a front-end, yes just check the "this server
> is a front-end" box. Also I used to follow Microsoft's Exchange Hosting
> whitepapers on FE/BE configuration and created additional HTTP virtual
> servers on the back-end that would represent the front-end servers.
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, April 26, 2004 7:43 PM
> To: Exchange Discussions
> Subject: OWA 2003 - Questions
> 
> 
> Hi,
> Just a couple of questions in relation to OWA 2003.
> 
> We are in the process of migrating a network from exch. 5.5 to 2003. We
> have a 2003 and 5.5 server running in the same site, AD connector
> installed, etc..
> 
> 1. To setup an OWA2003 server (as a front end only, with no mailbox
> storage) on the network to put in a DMZ, do we simply install Exchange
> 2003 with only the OWA components selected, then use the Exchange Admin to
> set that server as a 'front end server'? (in addition to having the
> right ports, etc.. setup on the firewall for traffic communication
> between the OWA and 2003 servers).
> 
> 2. Since the site contains a 5.5 and 2003 server, will the OWA2003
> server be able to provide access to 5.5 mailboxes? The impression I get
> from reading the web suggests that it won't.
> 
> If you have any links to specific articles with detail on how this
> should be setup, they would be great as well..
> 
> Thanks,
> Luke Cassar
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe send a blank email to
> %%email.unsub%%
> Exchange List admin:    [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
> 
> Please include the email address which you have been contacted with.
