How an Exchange 2003 Front End server accesses the back end through PIX

admin_2
Level 3

Dear Gents,

This is my first post in your esteemed discussion group.

I am not a Cisco guru, but I would like to be. I have a scenario that I have to implement.

I am an MS specialist. I have to install Exchange 2003 in the PIX DMZ, and that Front end will access an Exchange 2003 Back end server in the LAN.

I know the ports that are to be opened for this communication. Unfortunately, I heard that it will not work and that you have to put the Front end with a direct connection to the Back end in the LAN for my scenario to work. At the same time, as I said, my customer restricts me to putting the Front end server in the DMZ.

Kindly advise how I can achieve this, and whether it can really work by placing the Front end in the DMZ or not. Also, if possible, write for me an example of a complete sample configuration, as I told you before that I am not a PIX specialist "but I would like to be".

Thanks for the help, and I am waiting for your response, as my implementation should already have been running and cannot be delayed.

Thanks,

5 Replies

ehirsel
Level 6

You should be able to accomplish what you want, as it does not seem any different than any other web service where a dmz host acts as a reverse-proxy or relay agent into a secured network.

Aside from smtp, what other ports do you need opened?

What version of code are you running on the pix? Cisco's web site has good detailed docs that are helpful, but even more so when you know what version you are working with.

The main issue is where the dns servers reside (dmz or internal/inside). You have choices as to whether you need NAT or not for the dmz-to-internal Exchange communication, but how you access the dns info and how it gets transformed by the pix (if it does, it does not have to be) can dictate what the best choice is.

Not applicable

Thanks for reply.

As you said, the front end server will act as a proxy relay for the following ports:

From the PIX Internet interface to the DMZ:

HTTP

SMTP

POP3

IMAP4

From the DMZ to Internal to reach the Exchange 2003 back end server and the Win 2003 domain controller:

Most of the ports especially RPC dynamic ports

Concerning the version and code of the PIX, it is up to me to request that my customer upgrade if it is a must for the scenario to work. I checked the Cisco web site and I know that there is a document for Exchange with PIX. Unfortunately, it discusses NT, which is outdated information. I need another, more recent proof-of-concept document for my scenario with Win 2003 and an Exchange 2003 Front end/Back end scenario with the Front end in the DMZ.

Concerning DNS server placement, it will be in the internal network. Please advise with your opinion.

Please help me get an exact document for the Front end in the DMZ and the Back end in the internal network, with the configuration lines and sample/fictitious IPs for my scenario, in order to apply the same to my real PIX device.

Thanks for the efforts.

Ports:

53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).

80 (TCP) - Required for Outlook Web Access 5.5 access for communication between Exchange front-end and back-end servers.

88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication.

123 (UDP) - Windows Time Synchronization Protocol (NTP). This is not required for Windows 2000 logon capability, but it may be configured or required by the network administrator.

135 (TCP) - EndPointMapper.

389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).

445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and Microsoft Distributed File System (DFS) discovery.

3268 (TCP) - LDAP to global catalog servers.

Then you need to modify the port on the Backend server to use something instead of a dynamic port greater than 1024:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)

Replace (available port) with something like 2126

Basically this changes the RPC dynamic ports to this defined port.

So it would look like this:

internal network = 10.1.1.0 /24
dmz network = 172.16.1.0 /24
backend exchange = 10.1.1.10
frontend exchange = 172.16.1.10

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 53
access-list dmz permit udp host 172.16.1.10 host 10.1.1.10 eq 53
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 80
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 88
access-list dmz permit udp host 172.16.1.10 host 10.1.1.10 eq 88
access-list dmz permit udp host 172.16.1.10 host 10.1.1.10 eq 123
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 135
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 389
access-list dmz permit udp host 172.16.1.10 host 10.1.1.10 eq 389
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 445
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq 3268
access-list dmz permit tcp host 172.16.1.10 host 10.1.1.10 eq (port you defined in registry)
access-group dmz in interface dmz
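An added example, not part of the thread: a small audit script that parses a PIX 6.x-style access-list and compares the front end to back end permits against the port matrix the reply lists, reporting anything missing (a rule that was forgotten) and anything extra (a rule the pilot does not need). It assumes the reply's sample addresses and 2126 as the pinned RPC port.

```python
import re

# Hosts from the reply's sample address plan; the pinned RPC port is the value
# the reply suggests for the NTDS "TCP/IP Port" registry value (an assumption).
FRONTEND, BACKEND = "172.16.1.10", "10.1.1.10"
PINNED_RPC_PORT = 2126

# (protocol, port) pairs the reply lists for the front end -> inside path.
REQUIRED = {
    ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 88), ("udp", 88),
    ("udp", 123), ("tcp", 135), ("tcp", 389), ("udp", 389), ("tcp", 445),
    ("tcp", 3268), ("tcp", PINNED_RPC_PORT),
}

# Matches the host-to-host "eq <port>" form of a PIX 6.x access-list line.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\d+)\s*$"
)


def parse_acl(config):
    """Return the set of (proto, port) permits from FRONTEND to BACKEND."""
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["src"] == FRONTEND and m["dst"] == BACKEND:
            permits.add((m["proto"], int(m["port"])))
    return permits


def audit(config):
    """Compare permits in config with REQUIRED; return (missing, extra) lists."""
    found = parse_acl(config)
    return sorted(REQUIRED - found), sorted(found - REQUIRED)


# Constructed sample: the reply's ACL with the pinned port filled in, but with
# udp/389 left out and an unneeded tcp/25 permit added, so both findings appear.
SAMPLE_CONFIG = "\n".join(
    [f"access-list dmz permit {p} host {FRONTEND} host {BACKEND} eq {n}"
     for p, n in sorted(REQUIRED - {("udp", 389)})]
    + [f"access-list dmz permit tcp host {FRONTEND} host {BACKEND} eq 25",
       "access-group dmz in interface dmz"]
)

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_CONFIG)
    print("missing permits:", missing)  # [('udp', 389)]
    print("extra permits:", extra)      # [('tcp', 25)]
```

Feed it the output of `show access-list` (or the saved config) to check the pilot before the customer visit.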

Not applicable

Thanks for your great effort preparing these statements.

I do highly appreciate your work.

I will do the pilot tomorrow, but I want to confirm with you that you are sure that the above statements do work with Exchange 2003 in an Active Directory 2003 environment.

Please reply and confirm this, so I can rest assured that this configuration will surely work at the customer site.

Thanks,
