This is right on... For OWA - use a proxy (ISA/TMG/etc.). For ActiveSync, get a security product to manage your phones (MobileIron, Good, NotifyLink, etc.). There are a number of products. For SMTP - you could put a Linux server running sendmail/qmail/postfix in the DMZ. This allows a level of isolation from the front end server: the FE stays inside the firewall, while the real communication points are in the DMZ, and the number of holes is greatly reduced. Also, for OWA you can use a product like RSA to secure it one more level. On the other hand, this means three more machines... (virtualization works well here).
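One way to build the DMZ SMTP relay described above, as an added example and not configuration posted by anyone in this thread. The domain (example.com), the internal Exchange address (10.0.0.25) and the relay hostname are constructed placeholders; the firewall is assumed to allow only Internet -> relay on TCP/25 and relay <-> Exchange on TCP/25.

```ini
# /etc/postfix/main.cf (relevant settings only) for a Postfix MTA in the DMZ.
# Placeholders: example.com (mail domain), 10.0.0.25 (internal Exchange server).
myhostname = mx.example.com

# This host is not a final destination for any domain; it only relays.
mydestination =

# Hosts allowed to relay to *any* destination: localhost plus the internal
# Exchange server, so outbound mail from the LAN leaves through this relay.
# Weak setting to avoid: listing the DMZ or Internet-facing range here turns
# the box into an open relay.
mynetworks = 127.0.0.0/8, 10.0.0.25/32

# Inbound mail from the Internet is accepted only for our own domain...
relay_domains = example.com

# ...and handed to Exchange by IP. Brackets suppress the MX lookup.
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients at the edge instead of generating backscatter.
# Export the address list from Exchange; one "user@example.com OK" per line.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Only trusted hosts may relay anywhere; everyone else only to relay_domains.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing)
# example.com    smtp:[10.0.0.25]
```

The last two commented lines are the contents of the separate transport file, not main.cf settings.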
________________________________
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 25, 2012 12:24 PM
To: NT System Admin Issues
Subject: RE: Moving Exchange 2003 into a DMZ

You answered your auditors. Because you only have to open 25 and 443 to make your way work. Their way you will have all kinds of ports open. And if that box gets owned it is part of your domain and will have all that access to your inside assets. If you want more isolation, pop an ISA server (or something similar) in the DMZ, point all the outside connections at that and have that connect to your Exchange server.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Wednesday, January 25, 2012 1:48 PM
To: NT System Admin Issues
Subject: RE: Moving Exchange 2003 into a DMZ

NCUA auditors want to know why we don't have it in our DMZ currently. At one point I knew an answer but today I don't have a clue. I know the users access OWA or ActiveSync through the outside interface of the Firewall. The Firewall NATs/PATs the address to my local LAN. The outside interface has a Cert from GoDaddy. Is that really enough? Only access to port 25 or 443 is allowed through the firewall.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Posted At: Wednesday, January 25, 2012 10:19 AM
Posted To: itli...@imcu.com
Conversation: Moving Exchange 2003 into a DMZ
Subject: Re: Moving Exchange 2003 into a DMZ

Why would you do that? How many ports do you intend to connect from the internet to the Exchange box? And how many are you going to have to open up between the DMZ and the LAN in order to get it to function? What problem do you hope to solve by moving it?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Wed, Jan 25, 2012 at 9:13 AM, itli...@imcu.com <itli...@imcu.com> wrote:

I have Exchange 2003 sitting here on my local LAN.
I want to move it to my Firewall LAN and set it in the DMZ LAN there. From the outside interface of the Firewall I just need to NAT/PAT it to the new DMZ IP address. No change to the SSL Cert because that is to the outside interface (Correct?)

From the clients that are internal, when I change the DNS record they should point to the internal DMZ address of the server with no client changes? (Correct?)

Smartphones and tablets that have email coming to them use the outside interface of the firewall so they should be fine? (Correct?)

If I have management consoles that send SMTP email internally (VirusScan type things) or those interfaces that use IP instead of FQDN, they will have to be manually corrected when the move happens to point to the internal DMZ address of the server? (Correct?)

Thanks ahead of time. Also, what would it take to just build an Exchange 2010 server and just start migrating users to it instead of moving my 2003 box anyways? As always I am humbly asking to not be beaten for my stupidity but given your wisdom on the subject instead.

Thanks
David