
I don't want an FE server!

Status
Not open for further replies.

kopar

IS-IT--Management
Dec 30, 2003
23
US
All right. We are a company of around 65 people. We will be implementing EX2003 very soon. We have our test network up and all is happy (barring some minor bugs). But, now we are looking at putting the EX2003 server into the DMZ to allow people outside the company to use their email.

Now, from what I've read and what I understand, putting the EX2003 server in the DMZ is not a good idea. But, getting a second server, windows 2003 and EX2003 is a very expensive prospect. Especially when added to the already mounting costs of Exchange.

If I choose to put the EX2003 server in the DMZ, what ports do I need to open between the DMZ and the inside network (to allow AD, and all that other jazz to work)? Also, will I need to make any changes on the existing AD servers to help them communicate with the server in the DMZ (I've read that I need to map RPC to some static ports on all the DCs, not sure if I read that right)?

We are really trying to weigh the risks of having our EX2003 in the DMZ against the cost of another machine to act as an FE.

I'd really like to hear some discussion on the topic from some members here that are a bit more knowledgeable than me.

Thanks,
Tom
 
It sounds to me, in your case, you are far better off to put the server in the LAN, opening (forwarding) just the needed ports to the server on the router/firewall.

Which and how depend on WHO you want to connect (trusted?) and HOW (POP3, IMAP, OWA, ..), IMAP and OWA being the simplest and safest from the LAN point of view.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
How Do I Get Great Answers To my Tek-Tips Questions?
See faq222-2244
 
We want to allow authenticated users to be able to use Outlook (using the RPC/HTTP wrapper to allow MAPI over HTTPS). Our primary users MUST be able to use Outlook, everybody else can use the OWA.

I'm really wary about opening port 80 from the internet into our LAN, but it may be the only cost/time effective way to go about this.

A couple more questions:

If we DO get an FE server, what kind of specs do we need? It doesn't seem to me that it needs to be in the same class as our exchange server.
Also, I haven't been able to get a good read on exactly what ports we need to open between the DMZ and the Inside to get the FE server to talk to the backend.

Thanks!
--Tom
 
Still about your first issue.

You really should not use port 80, but SSL on port 443 for better security.

If it is for employees only, you can even change that port to something less obvious like 2443.
In that case they would connect as:

Marc
 
Yeah, we already have the test server all SSL ready and tested, but I still don't like having that port open.

Can you give me some insight into my other questions? I'd really like to have all the information possible.

For example, if we need to open a lot of ports (especially RPC ports like 135) from the dmz to the inside to get the FE/BE system to work, I'm not too keen on that and I'd rather have just 80/443 (or some other port) from the internet to the inside.

But, if I don't have to open a ton of ports, and the FE server can be something inexpensive, I'd rather do things the right way the first time.

Thanks!
 
Open a port no matter where, and you have a security risk.
If you don't want to open ports, pull the cable out ;-)

Seriously, if you have a separate FE, you will need the ports open on that one, so ..

You can define where the ports go to, where they originate from and deny all others.

I am not saying a FE is a bad idea, it can be expensive though, and alot more to think about if something goes wrong.

Marc
 
Kopar

1. Port 443 is all you need for RPC over HTTPS, however you may also want to open port 80 and put a redirect to 443 for those users that never remember it's HTTPS. (I learnt this the hard way)

2. Ensure your firewall/NAT rule only allows these ports to the exchange server IP and not the whole subnet.

3. All this only works if the client machines are running XP SP1 + a few hotfixes and Office 2003, but I'm sure you know this already.

This will work, but all the security focused guys will be crying it's madness, so you may want to check out ISA server and beg the boss to increase the project budget.
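As an added example (not part of the thread, and not anyone's posted configuration), here is a small Python audit of the two rule-set properties the replies above keep coming back to: from the Internet only 80 (redirect) and 443 should reach the single Exchange host rather than the whole subnet, and any DMZ-to-LAN rule that opens RPC, AD or high ports should be an explicit, visible finding. The rule format, the sample rules and the Exchange address 10.0.1.25 are constructed for the example; adapt the parser to your firewall's own export format.

```python
"""Audit perimeter rules for an Exchange 2003 FE/BE deployment.

Added example, not from the thread. Rule format and sample data are
constructed here; the Exchange address is an assumed placeholder.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

EXCHANGE_HOST = "10.0.1.25"  # assumed address of the Exchange box; adjust

# From the Internet only 443 (RPC over HTTPS / OWA) and 80 (redirect to 443).
INTERNET_ALLOWED = {80, 443}

# RPC endpoint mapper plus the AD/SMB/DNS ports an FE would need toward the
# inside. The audit does not forbid them; it makes each one a finding so the
# decision to open it is deliberate.
RPC_AD_PORTS = {53, 88, 135, 137, 138, 139, 389, 445, 636, 3268, 3269}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str            # "internet", "dmz" or "lan"
    dst_zone: str
    dst: str                 # single host or CIDR block
    ports: Tuple[int, ...]   # TCP ports; empty tuple means "any port"


def audit(rules: List[Rule], exchange_host: str = EXCHANGE_HOST):
    """Return (rule name, problem) pairs for rules that break the policy."""
    findings = []
    exch = ipaddress.ip_address(exchange_host)
    for r in rules:
        net = ipaddress.ip_network(r.dst, strict=False)
        if r.src_zone == "internet":
            # Point 2 in the thread: NAT/forwarding must target one host.
            if net.num_addresses != 1:
                findings.append((r.name, f"destination {r.dst} is a subnet; pin it to {exchange_host}/32"))
            elif exch not in net:
                findings.append((r.name, f"destination {r.dst} is not the Exchange host"))
            # Point 1: nothing but 80 (redirect) and 443 from the outside.
            if not r.ports:
                findings.append((r.name, "any-port rule from the Internet"))
            else:
                extra = sorted(set(r.ports) - INTERNET_ALLOWED)
                if extra:
                    findings.append((r.name, f"ports {extra} exposed from the Internet; expected only 80 (redirect) and 443"))
        elif r.src_zone == "dmz" and r.dst_zone == "lan":
            # The FE-in-DMZ worry: RPC/AD ports and the RPC dynamic range.
            if not r.ports:
                findings.append((r.name, "any-port rule from the DMZ to the LAN"))
                continue
            rpc = sorted(set(r.ports) & RPC_AD_PORTS)
            if rpc:
                findings.append((r.name, f"RPC/AD ports {rpc} open from DMZ to LAN"))
            high = sorted(p for p in r.ports if p >= 1024 and p not in RPC_AD_PORTS)
            if high:
                findings.append((r.name, f"high ports {high} open from DMZ to LAN (RPC dynamic range unless pinned on the DCs)"))
    return findings


# Constructed sample rule set: two correct rules and three that should be flagged.
SAMPLE_RULES = [
    Rule("inet-owa", "internet", "lan", "10.0.1.0/24", (443,)),          # whole subnet
    Rule("inet-outlook", "internet", "lan", "10.0.1.25", (80, 443)),     # fine
    Rule("inet-mgmt", "internet", "lan", "10.0.1.25", (443, 3389)),      # extra port
    Rule("dmz-fe-to-ad", "dmz", "lan", "10.0.1.0/24", (88, 135, 389, 445)),  # RPC/AD
    Rule("dmz-fe-to-be", "dmz", "lan", "10.0.1.25", (80, 443)),          # fine
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Run it against an export of your real rules and expect an empty list for the Internet-facing set; every DMZ-to-LAN finding is then a port you are choosing to open on purpose, which is the trade-off the thread is actually about.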
 