Exchange server inside the Local network

rmrahman0302
Level 1

I have a customer who is trying to install an Exchange server inside the local network. That system is also working as a domain controller. They have four other hosts inside the DMZ. Which would be the better idea: to keep the Exchange server inside the local network, or to bring it into the DMZ? Any ideas?

Thanks

3 Replies

a.alekseev
Level 7

It would be better if you keep the Exchange server inside the local network.

In the DMZ you can have a mail relay.

How can we configure it and make it secure?

paddyxdoyle
Level 6

It's always difficult trying to access a DC or Exchange server through a firewall due to the portmapper service.

In a nutshell, when logging on to a DC or Exchange server from a client, the client initiates a connection to the server on tcp_135 (portmapper). The server then replies to the client saying "from now on you are going to use ports 2000 and 2001". (These ports are randomly assigned and can be any port >1024.)

This means that you have to either open up all TCP high ports between your client-connected firewall interface and your server interface, thus opening a massive hole in your firewall, or you can edit the registry on your server and force the server to use fixed ports for client connections. (See the Microsoft Knowledge Base for info on this.)

If you are using a PIX, then you can also use the established command to get around the portmapper issue; however, I believe this only works if your server is on the outside interface.

I would probably have the Exchange/DC on the DMZ and clients on the inside network; this way it doesn't matter that you need the TCP high ports open, as the connection is coming from inside to the DMZ. You could then allow Exchange web access from your outside network. If you want to lock your network down, then hardcode the port numbers as mentioned above and only permit specific ports to/from your internal network to your DMZ.

HTH

Paddy
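The "hardcode the port numbers" step from the reply above, as an added example that is not part of the original thread or from any of its posters. It pins the RPC endpoints that the portmapper (TCP 135) would otherwise hand out from the dynamic >1024 range, so the firewall between the client interface and the server interface only needs TCP 135 plus a short list of fixed ports. The registry locations are the ones documented in the Microsoft Knowledge Base articles the reply refers to (KB 224196 for the DC's NTDS and Netlogon endpoints, KB 270836 for the Exchange 2000/2003 System Attendant and Information Store endpoints); the port numbers and the hostname dc01.example.local are assumptions chosen for this example.

```powershell
# Added example (not from the thread): pin the RPC listener ports so the
# firewall does not need every TCP port >1024 open between client and server.
# Run as administrator on the DC/Exchange server. The services read these
# values at start-up, so restart them (or the host) before checking.
# Port numbers are assumptions for this example; pick unused ones on your box.

$ports = @{
    NtdsRpc      = 38901   # Active Directory (NTDS) RPC endpoint
    NetlogonRpc  = 38902   # Netlogon RPC endpoint
    ExchangeSA   = 38903   # Exchange System Attendant RPC endpoint
    ExchangeNspi = 38904   # System Attendant NSPI (address book) endpoint
    ExchangeIS   = 38905   # Exchange Information Store RPC endpoint
}

# Registry locations from KB 224196 (DC) and KB 270836 (Exchange 2000/2003).
# The Exchange keys only apply to those releases; later Exchange versions
# move client access to RPC/MAPI over HTTP and do not use these values.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';               Name = 'TCP/IP Port';      Value = $ports.NtdsRpc }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';           Name = 'DCTcpipPort';      Value = $ports.NetlogonRpc }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP Port';      Value = $ports.ExchangeSA }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP NSPI Port'; Value = $ports.ExchangeNspi }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Name = 'TCP/IP Port';      Value = $ports.ExchangeIS }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) {
        # The key is only present when that service is installed on this host,
        # e.g. a plain DC without Exchange will not have MSExchangeSA.
        Write-Warning "Skipping $($s.Path): service not installed here"
        continue
    }
    # REG_DWORD; -Force overwrites an existing value
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    Write-Host ("{0,-75} {1,-18} = {2}" -f $s.Path, $s.Name, $s.Value)
}

# After the restart: confirm the services actually listen on the pinned ports.
# If a port is missing here, the firewall rule for it is pointless and the
# service has fallen back to a dynamic port.
Get-NetTCPConnection -State Listen |
    Where-Object { $ports.Values -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# From a client on the inside network: the endpoint mapper itself must still be
# reachable, since the client always asks TCP 135 first and is then told to use
# one of the pinned ports above.
Test-NetConnection -ComputerName dc01.example.local -Port 135   # hypothetical hostname
```

With the ports pinned, the firewall rule set from the inside to the DMZ (or wherever the server ends up) can be reduced to TCP 135 plus the five fixed ports, alongside the normal AD traffic the reply does not cover (Kerberos, LDAP, SMB and DNS), instead of the "all TCP high ports" hole. Keep the values in a change record: anyone rebuilding the server from scratch will get dynamic ports back and the tight rule set will silently break logons.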