03-28-2005 09:04 AM - edited 03-09-2019 10:45 AM
Curious about others' experiences with securing an Exchange environment.
Presently my Exchange environment is scary vulnerable (inheritance is wonderful)... so I have tasked our group to look at a move to RPC-over-HTTP and SSL connectivity outside of Corp HQ.
My question lies in how to get the most secure connectivity to the backend Exchange server... obviously the front-end will be in a DMZ, but I cannot understand how we are allowing DNS, LDAP, RPC... connections establishing from the DMZ back into the corp network, even if it is locked down to a specific server. Are we not informed that this type of arch. totally defeats the purpose of the DMZ?
At this time I am looking at possibly placing an application layer FW in the mix, and I am more inclined to an appliance than a software based FW, so NO! to ISA... experiences?
Internet- [externalFW]- [DMZ front-end] -[Internal APP FW]- [corp net Back-end]
But this still allows connectivity inside, but another FW (app layer) can at least filter the traffic further...?
What is the Cisco standard (not Microsoft's) way of providing email services utilizing Exchange?
Any suggestions or experiences to pass on would be appreciated.
03-28-2005 10:01 PM
Hello there,
The typical design is to place a mail relay server on the DMZ and allow the relay server to talk to the backend Exchange server.
Please see the following article for more details on using mail relay server to enhance Exchange Server security.
http://www.msexchange.org/tutorials/Mail_Relays_Enhance_Exchange_Security.html
Sincerely,
Binh
03-29-2005 01:52 PM
I am doing the same right now but don't have Frontend/Backend capability available to me. It is very limiting but what I have to work with for now.
What is your concern if the front end runs in the DMZ and handles SSL-OWA traffic and SMTP, as there are no mailboxes on it? The backend server sits behind the firewall, interacts with Active Directory and houses the mail store as well as servicing MAPI clients.
Once you get the 2 servers to talk to each other with static routes and the right SMTP based ACLs through the PIX, Exchange should take care of the email routing.
04-02-2005 10:01 AM
I feel your pain. The real problem here is the multitude of ports MS boxes need to operate, and the higher up the food chain the OS is, the greater number of ports you need to permit. For example, a Win2k server running in a mixed AD environment will require you to permit the server in the DMZ to initiate connections back into your corp net for LDAP, Kerberos, just about all the SMB/CIFS ports, and yes, let's not forget the festival of ephemerality.
So, to your question about L7FWs, you've got a lot more to worry about than HTTP/SOAP/XML, which is the area those appliances shine in. My suggestion would be to consider a traditional intrusion device instead.
If you'd like to take this offline, email me. Best of luck.
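The point made above (a DMZ front-end that is an AD member needs LDAP, Kerberos, SMB/CIFS and a wide ephemeral range back into the corp net) and Danny's earlier remark about "the right SMTP based ACLs through the PIX" both come down to reviewing what the DMZ-to-inside rule set actually permits. The following is an added example written for this thread, not code from any poster or from Cisco: a small Python audit that reads PIX-style `access-list` lines and grades each permit rule by how much of the corp net it exposes to a DMZ host. The ACL lines, addresses and ACL name are constructed, the port table is an assumption about a typical Windows 2000/2003 member server, and the parser covers only a subset of the real syntax (host/any/subnet endpoints, `eq` and `range` destination port specs, no source ports).

```python
"""Audit DMZ -> corp-net firewall rules for over-broad permits (added example)."""
import re

# Assumption: ports an AD-joined Exchange front-end commonly needs toward the corp net.
KNOWN_PORTS = {
    25: "SMTP",
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB/CIFS",
    3268: "Global Catalog",
}
# Needed for AD membership, but a large attack surface from a DMZ host: flag for review.
REVIEW_PORTS = {135, 445}

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _endpoint(tokens, i):
    """Consume one endpoint (host A | any | NET MASK); return (kind, text, next index)."""
    if tokens[i] == "host":
        return "host", tokens[i + 1], i + 2
    if tokens[i] == "any":
        return "any", "any", i + 1
    return "subnet", f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _ports(tokens, i):
    """Consume an optional destination port spec; None means 'any port'."""
    if i >= len(tokens):
        return None
    if tokens[i] == "eq":
        p = int(tokens[i + 1])
        return p, p
    if tokens[i] == "range":
        return int(tokens[i + 1]), int(tokens[i + 2])
    return None


def classify(line):
    """Return a finding dict for a permit rule, or None for deny/unparseable lines."""
    m = ACL_RE.match(line.strip())
    if not m or m.group(2) != "permit":
        return None
    name, _, proto, rest = m.groups()
    tokens = rest.split()
    _, src, i = _endpoint(tokens, 0)
    d_kind, dst, i = _endpoint(tokens, i)
    ports = _ports(tokens, i)

    if proto == "ip":
        sev, why = "critical", "all protocols and ports permitted"
    elif d_kind != "host":
        sev, why = "critical", f"destination is a {d_kind}, not a single server"
    elif ports is None:
        sev, why = "high", f"any {proto} port permitted"
    elif ports[1] - ports[0] > 50:
        sev, why = "high", "wide/ephemeral port range; prefer fixed RPC ports"
    elif ports[1] != ports[0]:
        sev, why = "review", "small port range; confirm each port is needed"
    elif ports[0] in REVIEW_PORTS:
        sev, why = "review", f"{KNOWN_PORTS[ports[0]]} exposed from the DMZ"
    elif ports[0] in KNOWN_PORTS:
        sev, why = "ok", KNOWN_PORTS[ports[0]]
    else:
        sev, why = "review", f"unexpected port {ports[0]}"
    return {"acl": name, "proto": proto, "src": src, "dst": dst,
            "ports": ports, "severity": sev, "reason": why}


def audit(lines):
    """Classify every permit rule in the given ACL lines."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def summary(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample: 192.0.2.10 is the DMZ front-end, 10.0.0.0/24 the corp net.
SAMPLE_ACL = [
    "access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 389",
    "access-list dmz_in permit udp host 192.0.2.10 host 10.0.0.6 eq 53",
    "access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 445",
    "access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 range 1024 65535",
    "access-list dmz_in permit ip host 192.0.2.10 10.0.0.0 255.255.255.0",
    "access-list dmz_in deny ip any any",
]

if __name__ == "__main__":
    findings = audit(SAMPLE_ACL)
    for f in findings:
        print(f"{f['severity']:8} {f['proto']:3} {f['src']} -> {f['dst']} {f['ports']}: {f['reason']}")
    print(summary(findings))
```

Running it on the sample grades the LDAP and DNS rules "ok", SMB "review", the 1024-65535 range "high" and the `permit ip` to the whole subnet "critical"; the deny line is ignored. The ephemeral-range finding is exactly the case Michael describes: on a real rule set the fix is to pin the RPC ports on the backend so the range can be replaced by a handful of `eq` rules.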
04-04-2005 06:55 AM
Finally someone who understands the issue at hand in this posting. No offense to the other comments, of course.
I am kicking around the internal firewall solution, something that can inspect all those L7 apps that need connectivity from my DMZ, which as we all know is only growing...
I am currently reviewing the IPS products, in which I agree with your last statement, but I am also considering growth and flexibility in the new architecture.
With you having to be under HIPAA regs, you most likely feel the same pain.
I can go offline, but I don't see your email.
04-04-2005 07:35 AM
04-05-2005 03:59 AM
There might be ways with PIX OS 7.0 to secure and control the HTTP and HTTPS application layers for the frontend OWA server.
Of course all the ports and protocols from the DMZ to the backend server will be difficult to control. As Michael mentioned, an IDS would be the solution.
But the pain in the ass is the HTTP and HTTPS protocol that is entering from the internet to the DMZ.
There also might be ways with ISA Server. I do not really know that product well, but it has proxy and firewall capabilities.
Has someone used a Squid proxy to get that working?
Sincerely,
Patrick
04-05-2005 05:58 AM
I understand the IDS thinking, but I believe IDS is becoming a thing of the past because it is more reactive than proactive...
The IDS will tell me about an alarm, but not do anything about it without the TCP resets, and I really don't like the idea of a system adding an ACL to my security systems. I would rather have the communication blocked and then reported to me, hence the IPS solution. Yes, I am looking into that.
Some ideas that have been passed on to me are having all external access (OWA...) require a VPN connection. This won't fly with my users, too many logins... I would rather this architecture be seamless to my users, if possible.
Another thing that i heard was actually having redundant exchange boxes in both the DMZ and the Corp... and allow only replication through the FW... sounds interesting - and am currently reviewing- let you know what i come up with.
Thanks