Mail server inside the network...Safe?
am 06.09.2007 17:10:29 von John Smith
Hello,
We are a single server network with Exchange server running on the same box.
Is it a reckless move to place this server inside the network rather than the
DMZ?
Thanks for your input.
John
Re: Mail server inside the network...Safe?
am 10.09.2007 17:45:21 von Ansgar -59cobalt- Wiechers
John Smith wrote:
> We are a single server network with Exchange server running on the
> same box. Is it a reckless move to place this server inside the network
> rather than the DMZ?
Yes.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Mail server inside the network...Safe?
am 11.09.2007 14:29:02 von sjohnson
On Sep 10, 11:45 am, Ansgar -59cobalt- Wiechers
wrote:
> John Smith wrote:
> > We are a single server network with Exchange server running on the
> > same box. Is it a reckless move to place this server inside the network
> > rather than the DMZ?
>
> Yes.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich
To add to that... You need a domain controller in order to run Exchange,
so you have done one of two things: either you are running SBS and have
installed Exchange on it, or you are running 2003 Server, which you have
promoted to a domain controller and installed Exchange on.
Either way, installing Exchange on a domain controller is not a
recommended configuration according to Microsoft.
Check out this link; it has several other links as to why Microsoft
says it is a no-no.
http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx
Never put a domain controller or an Exchange server directly on public
name space without using NAT and access lists to control what ports
will be allowed open unless the Exchange server is a Front end
relaying info to a backend cluster. Even then it is recommended to
have a router with some kind of access list to protect it with.
Re: Mail server inside the network...Safe?
am 11.09.2007 23:23:06 von John Smith
Actually this is a brand new network. There will be only one server for
some time. This server will be the DC as well as have the Exchange Server
2007 running on it. So, that is why I am not sure where I should put it: in the
network or the DMZ.
Can I put this on the DMZ and install a second NIC, one NIC connected to the
DMZ and the other to the private network?
Thanks,
John
So I am not sure whether I should put this server (the only server)
"Newbie72" wrote in message
news:1189513742.238672.120080@57g2000hsv.googlegroups.com...
> On Sep 10, 11:45 am, Ansgar -59cobalt- Wiechers
> wrote:
>> John Smith wrote:
>> > We are a single server network with Exchange server running on the
>> > same box. Is it a reckless move to place this server inside the network
>> > rather than the DMZ?
>>
>> Yes.
>>
>> cu
>> 59cobalt
>> --
>> "If a software developer ever believes a rootkit is a necessary part of
>> their architecture they should go back and re-architect their solution."
>> --Mark Russinovich
>
> To add to that... You need a domain controller in order to run Exchange,
> so you have done one of two things: either you are running SBS and have
> installed Exchange on it, or you are running 2003 Server, which you have
> promoted to a domain controller and installed Exchange on.
> Either way, installing Exchange on a domain controller is not a
> recommended configuration according to Microsoft.
>
> Check out this link; it has several other links as to why Microsoft
> says it is a no-no.
>
> http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx
>
> Never put a domain controller or an Exchange server directly on public
> name space without using NAT and access lists to control what ports
> will be allowed open unless the Exchange server is a Front end
> relaying info to a backend cluster. Even then it is recommended to
> have a router with some kind of access list to protect it with.
>
Re: Mail server inside the network...Safe?
am 11.09.2007 23:35:55 von Leythos
In article <46e70735$0$10296$815e3792@news.qwest.net>,
jsmith@nospamplease.com says...
>
> Actually this is a brand new network. There will be only one server for
> some time. This server will be the DC as well as have the Exchange Server
> 2007 running on it. So, that is why I am not sure where I should put it: in the
> network or the DMZ.
>
> Can I put this on the DMZ and install a second NIC, one NIC connected to the
> DMZ and the other to the private network?
If your Exchange server is the only Exchange server, and it's a single
server for the network, why would you even think that putting it in the
DMZ would protect anyone?
Unless you make it a stand-alone DC/Exchange box, with NO CONNECTION to
the LAN servers/AD structure, you're going to have to allow replication
between it and the LAN, which means that if they hack it, they get the
rest of your network.
SBS 2003 runs as a single server DC with Exchange, and it's painless.
If you have a real firewall you can block a lot of countries (unless you
need email from them) and your SPAM/AV filter that is EXCHANGE AWARE can
protect the store - not to mention that most firewalls can remove bad
headers, bad message sizes, bogus headers, and even remove content based
on mime type from messages.
So, the server as a DC, in the LAN, is the only place for it - putting
it in the DMZ would defeat the reason for having a DMZ.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: Mail server inside the network...Safe?
am 11.09.2007 23:52:08 von John Smith
Thank you Leythos for making this clear. The server will go in the LAN
then. We are not using a SBS, rather Server 2003 64-bit with Exchange 2007.
I actually have ordered a Netscreen SSG5 firewall which comes with UTM and
that should block a lot of the stuff.
Thanks again,
John
"Leythos" wrote in message
news:MPG.2150d4242c69e294989928@adfree.Usenet.com...
> In article <46e70735$0$10296$815e3792@news.qwest.net>,
> jsmith@nospamplease.com says...
>>
>> Actually this is a brand new network. There will be only one server for
>> some time. This server will be the DC as well as have the Exchange Server
>> 2007 running on it. So, that is why I am not sure where I should put it: in
>> the network or the DMZ.
>>
>> Can I put this on the DMZ and install a second NIC, one NIC connected to
>> the DMZ and the other to the private network?
>
> If your Exchange server is the only Exchange server, and it's a single
> server for the network, why would you even think that putting it in the
> DMZ would protect anyone?
>
> Unless you make it a stand-alone DC/Exchange box, with NO CONNECTION to
> the LAN servers/AD structure, you're going to have to allow replication
> between it and the LAN, which means that if they hack it, they get the
> rest of your network.
>
> SBS 2003 runs as a single server DC with Exchange, and it's painless.
>
> If you have a real firewall you can block a lot of countries (unless you
> need email from them) and your SPAM/AV filter that is EXCHANGE AWARE can
> protect the store - not to mention that most firewalls can remove bad
> headers, bad message sizes, bogus headers, and even remove content based
> on mime type from messages.
>
> So, the server as a DC, in the LAN, is the only place for it - putting
> it in the DMZ would defeat the reason for having a DMZ.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)
Re: Mail server inside the network...Safe?
am 12.09.2007 00:11:23 von Leythos
In article <46e70dff$0$10303$815e3792@news.qwest.net>,
jsmith@nospamplease.com says...
> Thank you Leythos for making this clear. The server will go in the LAN
> then. We are not using a SBS, rather Server 2003 64-bit with Exchange 2007.
>
> I actually have ordered a Netscreen SSG5 firewall which comes with UTM and
> that should block a lot of the stuff.
I've put Exchange servers in the DMZ, when I don't use the normal
Exchange connector for outlook, or when I have a firewall that can
create a connection that is initiated by the LAN user to the DMZ - a
proxy type connection that only allows the DMZ based Email server to
reply back to the LAN users when the lan users contact it first - the
firewall has to handle this.
In all cases, I never put an exchange server or any other DMZ server in
a AD/Domain that has to authenticate with the LAN, never, nada, nope,
don't do it. If the DMZ devices can authenticate (Domain accounts) with
the LAN there is no point in having them in the DMZ.
For secure facilities we do a lot of things one would not really do in a
non-secure facility.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: Mail server inside the network...Safe?
am 12.09.2007 02:38:22 von Ansgar -59cobalt- Wiechers
John Smith wrote:
> Actually this is a brand new network. There will be only one server
> for some time. This server will be the DC as well as have the
> Exchange Server 2007 running on it. So, that is why I am not sure
> where I should put it: in the network or the DMZ.
Put the DC into your LAN. Bite the bullet and put another server into
the DMZ as a smarthost for your Exchange. That second server doesn't
have to be expensive, even a box from a couple years back should suffice
if you run e.g. Linux and Postfix on it.
DO NOT EXPOSE YOUR DC TO THE WORLD.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Mail server inside the network...Safe?
am 12.09.2007 04:55:20 von John Smith
I have never installed a smarthost, so I don't know what its deployment
entails. So I would appreciate it if you can point me to some resources on
how to implement it.
I am not that thrilled about exposing DC, so I was originally thinking of
assigning a private IP (something like 10.2.2.5) to the Exchange server and
use the firewall to forward all smtp protocol to this server. Do you think
this will work?
Thanks,
John
"Ansgar -59cobalt- Wiechers" wrote in message
news:fc7cduUa86L1@news.in-ulm.de...
> John Smith wrote:
>> Actually this is a brand new network. There will be only one server
>> for some time. This server will be the DC as well as have the
>> Exchange Server 2007 running on it. So, that is why I am not sure
>> where I should put it: in the network or the DMZ.
>
> Put the DC into your LAN. Bite the bullet and put another server into
> the DMZ as a smarthost for your Exchange. That second server doesn't
> have to be expensive, even a box from a couple years back should suffice
> if you run e.g. Linux and Postfix on it.
>
> DO NOT EXPOSE YOUR DC TO THE WORLD.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich
Re: Mail server inside the network...Safe?
am 12.09.2007 06:08:17 von John Smith
Another thought I have is this:
If I use services of an anti-virus/spam company such as Postini or something
similar so I can route all incoming mail from one source, then I can open
the firewall to receive mail only from one IP address. Would this not
decrease the risk dramatically?
"John Smith" wrote in message
news:46e75510$0$10311$815e3792@news.qwest.net...
> I have never installed a smarthost, so I don't know what its deployment
> entails. So I would appreciate it if you can point me to some resources on
> how to implement it.
>
> I am not that thrilled about exposing DC, so I was originally thinking of
> assigning a private IP (something like 10.2.2.5) to the Exchange server
> and use the firewall to forward all smtp protocol to this server. Do you
> think this will work?
>
> Thanks,
> John
>
>
> "Ansgar -59cobalt- Wiechers" wrote in
> message news:fc7cduUa86L1@news.in-ulm.de...
>> John Smith wrote:
>>> Actually this is a brand new network. There will be only one server
>>> for some time. This server will be the DC as well as have the
>>> Exchange Server 2007 running on it. So, that is why I am not sure
>>> where I should put it: in the network or the DMZ.
>>
>> Put the DC into your LAN. Bite the bullet and put another server into
>> the DMZ as a smarthost for your Exchange. That second server doesn't
>> have to be expensive, even a box from a couple years back should suffice
>> if you run e.g. Linux and Postfix on it.
>>
>> DO NOT EXPOSE YOUR DC TO THE WORLD.
>>
>> cu
>> 59cobalt
>> --
>> "If a software developer ever believes a rootkit is a necessary part of
>> their architecture they should go back and re-architect their solution."
>> --Mark Russinovich
>
>
Re: Mail server inside the network...Safe?
am 12.09.2007 13:10:08 von Ansgar -59cobalt- Wiechers
John Smith wrote:
> I have never installed a smarthost, so I don't know what its deployment
> entails. So I would appreciate it if you can point me to some
> resources on how to implement it.
google://exchange+smarthost
You set up an MTA in the DMZ, then you set up Exchange in the LAN and
configure it to use the MTA as its smarthost. That takes care of your
outgoing mail. To have Exchange receive incoming mail you also need to
set up something to fetch mail from the MTA (e.g. Cygwin's fetchmail). If
you have a little Linux/Unix experience it's pretty straightforward.
> I am not that thrilled about exposing DC, so I was originally thinking
> of assigning a private IP (something like 10.2.2.5) to the Exchange
> server and use the firewall to forward all smtp protocol to this
> server. Do you think this will work?
Which part of "do not expose your DC" did you fail to understand?
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
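An added example of the DMZ smarthost that 59cobalt describes, written for this thread and not taken from any of the posts: a Postfix main.cf for the relay box in the DMZ. It accepts outbound mail only from the Exchange server's address and hands inbound mail for the company domain to Exchange through a transport map (a push from the DMZ MTA into the LAN on port 25, instead of the fetchmail polling mentioned above; either works, the transport map just needs one inbound firewall rule). The host names, the example.com domain and the 10.2.2.0/24 range are placeholders; 10.2.2.5 is the address John floated for the Exchange server.

```ini
# /etc/postfix/main.cf on the DMZ smarthost (constructed example; host names,
# example.com and the 10.2.2.0/24 LAN range are placeholders)
myhostname = mx.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all

# The relay keeps no user mailboxes; only its own system mail is delivered locally.
mydestination = $myhostname, localhost.$mydomain

# Inbound: accept mail for the company domain from the Internet and route it to
# Exchange in the LAN via the transport map below.
relay_domains = $mydomain
transport_maps = hash:/etc/postfix/transport

# Recommended: reject recipients that do not exist so the relay never queues
# mail Exchange would later bounce (list exported from Exchange, one address per line).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Outbound: only the Exchange server (10.2.2.5, the address proposed in the thread)
# may use this box as a smarthost. Everyone else is limited to our own domain by
# reject_unauth_destination, so the box is not an open relay.
mynetworks = 127.0.0.0/8, 10.2.2.5/32
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Deliver outbound mail directly to the recipients' MX records; do not hand it
# to any other relay.
relayhost =
smtpd_helo_required = yes
disable_vrfy_command = yes

# Contents of the second file, /etc/postfix/transport (run "postmap /etc/postfix/transport"
# after editing). The brackets make Postfix deliver to that host directly, skipping MX lookup:
# example.com    smtp:[10.2.2.5]
```

On the Exchange 2007 side, the Send Connector's smart host is set to the DMZ box, and the firewall allows TCP 25 from the Internet to the DMZ host, from the DMZ host to 10.2.2.5 only, and from 10.2.2.5 to the DMZ host; nothing else crosses between the DMZ and the LAN. As Leythos points out above, the DMZ box is not a domain member and has no account on the LAN, so compromising it yields the mail queue and nothing more.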
Re: Mail server inside the network...Safe?
am 12.09.2007 13:14:06 von Ansgar -59cobalt- Wiechers
John Smith wrote:
> If I use services of an anti-virus/spam company such as Postini or
> something similar
Don't trust your company's communication to anyone outside your company
unless you have a really, REALLY good reason to do so.
> so I can route all incoming mail from one source, then I can open the
> firewall to receive mail only from one IP address. Would this not
> decrease the risk dramatically?
Your DC would still be accessible from the outside (though perhaps not
as easily), which still is a big no-no.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Mail server inside the network...Safe?
am 12.09.2007 18:44:16 von John Mason Jr
If you want a good smarthost, with support try
John
John Smith wrote:
> Another thought I have is this:
>
> If I use services of an anti-virus/spam company such as Postini or something
> similar so I can route all incoming mail from one source, then I can open
> the firewall to receive mail only from one IP address. Would this not
> decrease the risk dramatically?
>
> "John Smith" wrote in message
> news:46e75510$0$10311$815e3792@news.qwest.net...
>> I have never installed a smarthost, so I don't know what its deployment
>> entails. So I would appreciate it if you can point me to some resources on
>> how to implement it.
>>
>> I am not that thrilled about exposing DC, so I was originally thinking of
>> assigning a private IP (something like 10.2.2.5) to the Exchange server
>> and use the firewall to forward all smtp protocol to this server. Do you
>> think this will work?
>>
>> Thanks,
>> John
>>
>>
>> "Ansgar -59cobalt- Wiechers" wrote in
>> message news:fc7cduUa86L1@news.in-ulm.de...
>>> John Smith wrote:
>>>> Actually this is a brand new network. There will be only one server
>>>> for some time. This server will be the DC as well as have the
>>>> Exchange Server 2007 running on it. So, that is why I am not sure
>>>> where I should put it: in the network or the DMZ.
>>> Put the DC into your LAN. Bite the bullet and put another server into
>>> the DMZ as a smarthost for your Exchange. That second server doesn't
>>> have to be expensive, even a box from a couple years back should suffice
>>> if you run e.g. Linux and Postfix on it.
>>>
>>> DO NOT EXPOSE YOUR DC TO THE WORLD.
>>>
>>> cu
>>> 59cobalt
>>> --
>>> "If a software developer ever believes a rootkit is a necessary part of
>>> their architecture they should go back and re-architect their solution."
>>> --Mark Russinovich
>>
>
>