But you don't have to open those 20 ports to the entire world. You can only specify that the FE should be able to talk to the BE and the DCs. I agree - it is more work to set up and maintain.
Sincerely, Andrey Fyodorov, Exchange MVP Systems Engineer Messaging and Collaboration Spherion -----Original Message----- From: Ely, Don [mailto:[EMAIL PROTECTED] Sent: Thursday, December 11, 2003 9:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Because Microsoft and Security are synonymous, of course! If one chooses to put their FE server in the DMZ, open the bazillion ports required to connect to the BE server and the FE server gets compromised in any way. You have just opened the door to your internal network. Some might say, the same about putting the FE directly on the same LAN as the BE server, but at least you'll go down knowing that you weren't operating under a false sense of security. Putting the FE in a DMZ will only make you feel all warm and fuzzy till the box gets compromised. Putting the FE on your LAN at least makes you more aware that the threat is there and you're only opening 2-3 ports versus about 20. -----Original Message----- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -----Original Message----- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner & White (317) 581-1580 ext 418 -----Original Message----- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -----Original Message----- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -----Original Message----- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to "publish" the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner & White (317) 581-1580 ext 418 -----Original Message----- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound? -----Original Message----- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:29 AM To: Exchange Discussions Subject: RE: OWA and SMTP What Martin is saying is that those are not the only ports you have to open. There are MANY more that are required to be opened to allow for communication between the FE server and the BE server, and communication betweent the FE server and the DC/GC servers. While the article seems to point out the correct ports, the post was misleading in saying that only 80/443 and a "few others". Those "few" other ports (esp. 135, and the LDAP ports) are something I would not especially want opened on my firewall. Ben Winzenz Network Engineer Gardner & White (317) 581-1580 ext 418 -----Original Message----- From: Eric Fretz [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP He just asked for the ports and I pointed him to the kb on open ports. I agree that putting a Front End in a DMZ is no walk in the park and did not intend to make it sound that easy. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -----Original Message----- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:10 AM To: Exchange Discussions Subject: RE: OWA and SMTP Its much more extensive than that when putting the FE in the DMZ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Tuesday, December 09, 2003 5:55 AM To: Exchange Discussions Subject: RE: OWA and SMTP 80(HTTP), 443(SSL) and a few others. Check out kb# 280132 Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -----Original Message----- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 7:23 PM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work. Is there a KB article that you guy could point me to? Thanks Davinder _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
