(Resent after editing.  Hit Send prematurely.)

It's a pretty clear preference, in my opinion.  First, you shouldn't allow
port 80 to Exchange from the Internet, only 443.  Second, it should be a
whole lot easier to monitor port 443 traffic between your DMZ and your
front-end in your Intranet than it will be to monitor UDP ports 53, 88, 389
and TCP ports 53, 80, 88, 123, 135, 389, 445, 691, 3268, and some number of
TCP ports 1024 and above, plus TCP ports 110 and 143 if you front-end POP
and IMAP, between your front-end servers and any number of various servers
in your intranet.  But it's your matter of preference.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Henry,
Christopher M.
Sent: Thursday, April 29, 2004 6:56 AM
To: Exchange Discussions
Subject: RE: OWA 2003 - Questions

Hmm damnit...guess I am in trouble here. Actually putting a front server on
the DMZ is really a matter of preference. For example that is something I am
planning on implementing ONLY because my DMZ is also behind a firewall so
the only traffic that will be hitting that server will be from port 80.
Then again it is recommended to place frontend servers between two firewalls.
Then if you really want to make things secure you can run IPSEC between your
frontend and backend server.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed
Crowley [MVP]
Sent: Thursday, April 29, 2004 1:03 AM
To: Exchange Discussions
Subject: RE: OWA 2003 - Questions

There's a KB article that tells you the whole laundry list of ports you must
open between the front-end server and the domain controllers, the other
Exchange servers, the DNS server, and so on.  If that doesn't scare you,
then go ahead and put a front-end server in the DMZ.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 5:57 PM
To: Exchange Discussions
Subject: RE: OWA 2003 - Questions

Thanks for all of the input.
But I have to ask, if putting the OWA front-end in the DMZ is a bad idea,
what would you recommend instead? Just forwarding ports to the FE server on
the local network or other (sorry, I'm a bit of a n00b when it comes to
network security.. and by a bit, I mean a lot).

Is there any online documentation that details alternatives to putting the
FE in DMZ?

Thanks again for all of your help,

Luke


-----Original Message-----

That's putting it politely.  I think it's a lousy idea.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov,
Andrey FTL
Sent: Tuesday, April 27, 2004 6:34 AM
To: Exchange Discussions
Subject: RE: OWA 2003 - Questions

We have recently had a lot of discussions regarding the Exchange front-end
placement in a DMZ and I think most people agreed that it would not be the
greatest idea.

To make an Exchange server a front-end, yes just check the "this server is a
front-end" box. Also I used to follow Microsoft's Exchange Hosting
whitepapers on FE/BE configuration and created additional HTTP virtual
servers on the back-end that would represent the front-end servers.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, April 26, 2004 7:43 PM
To: Exchange Discussions
Subject: OWA 2003 - Questions


Hi,
Just a couple of questions in relation to OWA 2003.

We are in the process of migrating a network from exch. 5.5 to 2003. We have
a 2003 and 5.5 server running in the same site, AD connector installed,
etc..

1. To set up an OWA2003 server (as a front end only, with no mailbox
storage) on the network to put in a DMZ, do we simply install Exchange 2003
with only the OWA components selected, then use the Exchange Admin to set
that server as a 'front end server'? (in addition to having the right ports,
etc.. set up on the firewall for traffic communication between the OWA and
2003 servers).

2. Since the site contains a 5.5 and 2003 server, will the OWA2003 server be
able to provide access to 5.5 mailboxes? The impression I get from reading
the web suggests that it won't.

If you have any links to specific articles with detail on how this should be
set up, they would be great as well..

Thanks,
Luke Cassar

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe send a blank email to
%%email.unsub%%
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.

