Thanks for this. I had just found your blog entry in the list archives
mere moments ago, after more searching. I'll take this in hand to the
meetings we're having, and push back on it.

Kurt

On Sun, Nov 8, 2009 at 10:24, Simon Butler <si...@sembee.co.uk> wrote:
> That consultant needs to be asked how putting a frontend server improved the 
> security of your network.
> When you get the answer, please post back, because no one has given me a good 
> reason why. I ask everyone the same question when they ask how to do it, and 
> no one can answer it.
>
> I can give you plenty of reasons why it is a bad idea though.
>
> http://blog.sembee.co.uk/archive/2006/02/23/7.aspx
>
> If a consultant made that recommendation to me, I would be showing them the 
> door. It does nothing to improve the security of the network.
>
> Now if they are proposing an ISA server, that is a different matter 
> altogether, as that will improve the security and I have many clients, 
> particularly in financial services who are using that combination. ISA is 
> designed to go in a DMZ - Exchange is not.
>
> I shall await someone to post the instructions from Microsoft about how to
> configure Exchange to go into a DMZ, as that is usually what happens when
> this question is posted and I answer in this way.
> The simple response is that while MS may provide the instructions, it
> doesn't mean it is a good idea. They produced the instructions due to
> customer demand, almost certainly from the sort of people who believe, or
> were told, that putting Exchange into the DMZ somehow makes it more secure.
>
> It should be noted that with Exchange 2007, only Edge is supported in a DMZ, 
> no other role is. Microsoft removed the uncertainty on purpose.
>
> Simon.
>
>
>
> --
> Simon Butler
> MVP: Exchange, MCSE
> Sembee Ltd.
>
> e: si...@sembee.co.uk
> w: http://www.sembee.co.uk/
> w: http://www.amset.info/
> w: http://blog.sembee.co.uk/
>
> Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
> http://CertificatesForExchange.com/ for certificates from just $23.99.
> Need a domain for your certificate? http://DomainsForExchange.net/
>
>
>
>
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: 08 November 2009 17:42
> To: MS-Exchange Admin Issues
> Subject: E2k3 Security Question
>
> All,
>
> We've got a consultant in-house doing an infrastructure review. One of
> the things he's recommending for security reasons is that instead of
> doing SSL direct to our single Exchange servers on our production
> LANs, we should put front-end servers into our DMZ.
>
> I tend to believe that direct SSL (for OWA or RPC/HTTPS) is no less
> secure than a front-end in a DMZ, but I do confess ignorance, and
> would like to know more, and have ammunition one way or the other
> before getting bent out of shape.
>
> Where can I find some documents regarding the relative security of
> these two approaches, and evaluate this for myself before agreeing or
> disagreeing with him on this?
>
> I've been cruising the history of this list, and doing some googling,
> but can't see a direct discussion of this topic.
>
> Thanks,
>
> Kurt
>
>

