DMZ stands for De-Militarized Zone. Putting a front-end server, what with all the dangerous ports you have to open, in the DMZ is tantamount to militarizing it. A web publishing appliance or ISA server in the DMZ is the proper device to put in the DMZ because it's designed to be in a DMZ.
If you put your <insert Exchange front-end server here> in your DMZ and it's compromised, a much more likely possibility in a DMZ, then you're just about equally screwed. As to the VMware argument, you're arguing apples and oranges. In fact, Exchange on VMware is supported up to the point where it is suspected that the virtualization is part of the problem. You're welcome to read Microsoft's statement. I've been to the DMZ. I've looked into it from above, I've walked into a tunnel under it. And there were no Exchange front-end servers in it. Ed Crowley MCITP MCSE+I MCSE+M MCTS MVP "There are seldom good technological solutions to behavioral problems." -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Cunningham Sent: Thursday, May 01, 2008 7:27 PM To: Exchange Discussions Subject: RE: Exchange 2007 questions Hi Simon, Firstly, I don't really care if it is a CAS, frontend or OWA. What I do care about is people that dis a DMZ option with a preconceived idea of what a DMZ is. A DMZ can be many things. You propose that a DMZ is a place for sacrificial devices, that is not necessarily so. You blog is all based on a traditional DMZ premise, which is where it is lacking in concept. E.g. some organizations use internal DMZs to protect themselves from the internal masses. Secondly, look at how I said it was in a DMZ, it is the only server in that DMZ. So no cross pollenisation between infected DMZ servers is possible (ie. The web and mail servers in the same DMZ) unless the rules allow it. If I said it was best practice to run the CAS internally and put a firewall on the server and lock the ports down, you would probably say that was a good idea? Well my proposal of a DMZ is exactly that, believe it or not.... but a hell of a lot easier to manage. Thirdly, I'll repeat what I said, but generalize it. If you leave your <insert your internet facing server here> internal and it is compromised, whatever compromised it has all 64k network ports to probe your network and look for vulnerabilities. If your <insert your internet facing server here> is in its own DMZ and it is compromised then whatever has compromised it only has access to the ports the firewall has allowed the <insert your internet facing server here> to. So as an example you run your CAS server in the DMZ a Trojan compromises the server via an HTTPS vulnerability and is multi facetted and is able to scan for SQL server, network share, HTPP/HTTPs vlunerabilites and Cisco and Nortel DOS just for fun. In the DMZ none of these scans will be successful (apart from the Nortel switch you are using for your DMZ ;-) ). With the CAS on the internal network, these scans are likely to succeed, depending on the patch level of your network devices. As to whether MS supports it or not is just another risk to assess. As an example there are tens of thousands of people that run MS software on VMWare, which is not supported by MS. At the end of the day it comes down to each persons perceived level of risk/benefit and how they wish to address that. I am not recommending one way or the other what I am recommending is both options are considered and both eyes are open. HTH Dean -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Butler Sent: Thursday, 1 May 2008 20:13 To: Exchange Discussions Subject: RE: Exchange 2007 questions CAS in the DMZ isn't supported. The only role that is supported in a DMZ is Edge. If you want something in a protected network for http traffic then ISA or similar product is your only choice. While a frontend server was tolerated (despite it making no difference to the security of the network) Microsoft have decided that they will not support that type of configuration in the future. I would have to disagree with you Dean that CAS would be better in the DMZ. If the machine is compromised it doesn't help because you have to open access to the domain controllers, so all an attacker has to do is follow the traffic. I blogged on why Exchange in a DMZ is a bad idea two years ago: http://www.sembee.co.uk/archive/2006/02/23/7.aspx and still to date no one has given me a sound reason why putting any Exchange server in a DMZ is a good idea (except for Edge which is designed to). Simon. -- Simon Butler MVP: Exchange, MCSE Amset IT Solutions Ltd. e: [EMAIL PROTECTED] w: www.amset.co.uk w: www.amset.info ********************************************************************** Have you clicked on yet? www.nrc.govt.nz ********************************************************************** NORTHLAND REGIONAL COUNCIL This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify [EMAIL PROTECTED] ********************************************************************** _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
