That consultant needs to be asked how putting a frontend server improved the security of your network. When you get the answer, please post back, because no one has given me a good reason why. I ask everyone the same question when they ask how to do it, and no one can answer it.
I can give you plenty of reasons why it is a bad idea though: http://blog.sembee.co.uk/archive/2006/02/23/7.aspx

If a consultant made that recommendation to me, I would be showing them the door. It does nothing to improve the security of the network. Now if they are proposing an ISA server, that is a different matter altogether, as that will improve the security, and I have many clients, particularly in financial services, who are using that combination. ISA is designed to go in a DMZ - Exchange is not.

I shall await someone to post the instructions from Microsoft about how to configure Exchange to go into a DMZ, as that is usually what happens when this question is posted and I answer in this way. The simple response is that while MS may provide the instructions, it doesn't mean it is a good idea. They produced the instructions due to customer demand, almost certainly from the sort of people who believe, or were told, that putting Exchange into the DMZ somehow makes it more secure.

It should be noted that with Exchange 2007, only Edge is supported in a DMZ; no other role is. Microsoft removed the uncertainty on purpose.

Simon.

--
Simon Butler
MVP: Exchange, MCSE
Sembee Ltd.
e: si...@sembee.co.uk
w: http://www.sembee.co.uk/
w: http://www.amset.info/
w: http://blog.sembee.co.uk/

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0? http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: 08 November 2009 17:42
To: MS-Exchange Admin Issues
Subject: E2k3 Security Question

All,

We've got a consultant in-house doing an infrastructure review. One of the things he's recommending for security reasons is that instead of doing SSL direct to our single Exchange servers on our production LANs, we should put front-end servers into our DMZ.

I tend to believe that direct SSL (for OWA or RPC/HTTPS) is no less secure than a front-end in a DMZ, but I do confess ignorance, and would like to know more, and have ammunition one way or the other before getting bent out of shape. Where can I find some documents regarding the relative security of these two approaches, and evaluate this for myself before agreeing or disagreeing with him on this? I've been cruising the history of this list, and doing some googling, but can't see a direct discussion of this topic.

Thanks,

Kurt