IPSec: Where to Begin?

Status
Not open for further replies.

CharlieIT

MIS
Apr 9, 2003
157
US
I have a Front End Exchange 2003 Server in a DMZ (aka "screened subnet", "perimeter network", etc.). I have a back end Exchange 2003 server on my LAN. I am trying to configure IPSec between the Front End and the Back End server.

Can anyone recommend an easy step-by-step guide (online or book) on how to do this? I'm going blind from reading Microsoft's TechNet books on the subject and I'm no closer to understanding how to do it.

Thank you,

Charlie
 
Actually you're recommended not to have the box in a DMZ because it opens up too many ports to the inside. So, FE in a DMZ and your wish to implement better security don't sit well together because you're not following best practice in the first place.
Get the FE inside the LAN and then implement IPSec between the FE, BE and GCs
 
Best practice is to have a Front End Exchange server in a DMZ (firewall between the DMZ and Internet, of course) communicating (encrypted) to the Back End Server (through ISA Server) on the LAN.

A front end Exchange server on the LAN?!!!
 
No CharlieIT, it is not best practice to have the FE in a DMZ.
It is certainly a good idea to put an ISA in front of everything but taking the step of separating the FE from the GCs is not the best practice.

Why do you think it is not permitted, never mind not recommended or supported, to have an Exchange 2007 CAS in the DMZ? If it was best practice then the CAS would be allowed in the DMZ, just like a 2003 FE is now.

Sure, there was lots of advice in Exchange 2000 and yes, there are scenario documents on microsoft.com that allow for it and give you all the necessary ports that you need open but it's not a best practice.

Allowed and supported is not the same as recommended.
 
I'm with Mark on this one - the sheer number of ports you need to open from FE to BE across the DMZ to LAN means you are running a massive hole there and asking for trouble.

Let the ISA take the strain and use it to publish the FE that sits on the LAN as an OWA box. Which is a straightforward thing to do and from memory is a wizard.

Yuk, I suggested using a wizard - I'll be advocating SBS next...
 
Oh. I see. OK.
Microsoft disagrees with Tom:

Quote:
Placing front-end servers inside the perimeter network is one approach to deploying front-end and back-end topology within a perimeter network. However, the recommended approach is depicted in the first scenario, Advanced Firewall in a Perimeter Network. This approach involves placing the front-end and back-end servers inside the intranet and placing an advanced firewall (such as ISA Server) in the perimeter network. The advanced firewall can provide application protocol filtering and perform additional authentication on requests before it proxies them to the internal network.

Links to:
Which gives you text and pictures.

msexchange.org which is a sister site of isaserver.org also disagrees with Tom:

So, let's recap.
Every single Exchange MVP will disagree with you (but who the hell listens to them)
Microsoft disagrees with you
msexchange.org disagrees with you
Tom agrees with you.

The summary is that, as with just about everything you encounter in IT, there are seldom any absolutely wrong things to do. By all means put the FE off to one side of the ISA rather than on the LAN because it won't toast your network, neither will the sky fall in.

Be aware though that if you want to go and ask Microsoft, paying your $5,000 for consulting services, you won't get an answer. You will get options and suggestions. I know for a fact that the answer will differ depending on whether you get a security guy, an Exchange guy, a network guy or an AD guy.

Furthermore, be aware that whatever anyone else says, Steve Riley and Jesper Johansen told you to put it in a DMZ in Exchange 2000 and not to put it in a DMZ in Exchange 2003.

It's a little like the empty Forest Root domain back in Active Directory 2000 days. Then it was the right way to go. Ask Microsoft internal guys and they'll tell you "If we knew now what we knew then...." stories and the empty Forest Root would not have passed their lips back in 2000.

Hindsight, 20/20 vision. Feel free to comment back but I think you've had all the reasoning and suggestions. It doesn't matter to us here whether you follow ours & Microsoft's advice or if you go with Tom's. It's entirely your business and at the end of the day you might have other reasons or want to do something else on the FE that makes it the best idea in the world to put in a DMZ.

You pays your money and you takes your chances.
 
From your examples it looks like you may be misunderstanding that these days there are different KINDS of DMZs: authenticated and non-authenticated.

In the good ol' days of just a couple of years ago (and earlier), a DMZ was a physically separated part of your network that had little (if any) to no (preferable) communication with your LAN. However, DMZs have quickly evolved because (as most of us can attest to): your web servers, FE Exchange servers, etc. need to communicate with back end servers and databases.

The "Authenticated DMZ" was born. Let's say you have a SOHO firewall that has a "DMZ" port on it. If you connect a server to that port, you have a traditional (non-authenticated) DMZ. For this, I would completely and wholeheartedly agree with you and all of your articles that punching ANY holes to communicate with your LAN is a BAD idea.

When you build an ISA server, you typically build it with 3 or 4 network cards representing: LAN, WAN, DMZ (authenticated), DMZ (non-authenticated). The "authenticated DMZ" is specifically made to give you the option of publishing an Internet facing server which communicates with your LAN.

If you wish to learn more, please read the article I sent in my last communication.

Charlie
 
Thank you for your suggestion. You are unfortunate in that I read the document a very long time ago and gave it a re-read recently as an update for something I was presenting on.
Personally I don't see the point of putting the FE where you suggest in the configuration you suggest.

What I might point out is this.
Your original post made no mention of any of the advanced nuances and you admitted to having problems understanding the topic. If you're now speaking authoritatively about authenticated and unauthenticated networks I'd be interested (rhetorical) to know why you are also thinking about implementing IPSec as well.

Anyway, all that's off-topic as you've crept your original scope way off where you started from. And on a far more important note I need to be down the pub in 10 minutes.

I get the impression you've decided to now go with Tom's idea and overlay IPSec on top of it. I'm not convinced that it's a good idea but it's your decision in the best interests of your organisation. And since you came to these forums you are clearly only in need of an opinion because you would otherwise have gone to Microsoft Consulting Services or engaged a Microsoft partner specialising in security to give you the benefit of their experience.

Good luck and cheerio.
 
Talking to other IT people is always very difficult. There are always big egos involved. A friend of mine once joked and said, "Did anyone ever teach you the IT handshake?" I said, "no." He said, (as he stuck his hand out to shake mine) "Hi, there's nothing I can learn from you." I have since heard other variations of this joke, "Hi, I'm better than you", "Hi, I know more than you", etc.

I only mentioned Tom Shinder to you because he is a respected author on security and is recommended by Microsoft. The sarcasm "Oh, I see, OK" and "Let's recap" lets me know that I have yet again bruised the delicate ego of another IT guy. It was not intentional. I was merely pointing out an expert's opinion to see if you would respond with anything concrete. You only mentioned articles that talk generally about DMZs that are clearly not taking "authenticated DMZs" into consideration.

You are correct--we got WAY off SCOPE--because your response to my question about IPSec was not to put the server in the DMZ. Thus, the conversation turned to DMZs.

Before I posted this original question, I spoke with security experts on ISA Server.org and I have made up my mind that the correct thing to do is to put the server in an authenticated DMZ (unless someone can give me compelling reasons why an AUTHENTICATED DMZ is the wrong way to go). Now I need to have the FE Exchange speak to the BE Exchange through the ISA Server.

I don't know if anyone will answer my question after the lengthy discussion above regarding DMZs, but I was wondering if anyone can tell me if there is a step-by-step guide to setting up IPSec between a FE Exchange and a BE Exchange?

Cheers.
 
I should mention that I found my answer to the original question. If anyone else is looking for the answer, an easy step-by-step procedure (with explanation) of IPSec between a Front End and Back End Exchange Server is covered in the following book: "Secure Messaging with Microsoft Exchange Server 2003" (beginning on pg 369)
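The thread never shows what an FE-to-BE IPSec policy actually looks like on the Windows Server 2003 hosts the poster is running, so the following is an added illustration (not from the thread, the book, or Microsoft's own documentation) of the shape such a policy takes when built with the built-in netsh ipsec static command set. The host addresses (192.0.2.10 for the FE, 192.0.2.20 for the BE) and all policy, filter list, filter action and rule names are constructed placeholders, and the script assumes both servers are domain members so that Kerberos can authenticate the negotiation; it would be run once on each of the two servers, and it does nothing to the ISA Server or to the firewall rules between the networks.

```batch
@echo off
rem Added example: require ESP-protected traffic between a FE and a BE
rem Exchange server using the Windows Server 2003 IPSec policy agent.
rem Addresses and names below are constructed placeholders, not real hosts.

set FE_ADDR=192.0.2.10
set BE_ADDR=192.0.2.20

rem 1. A local IPSec policy to hold the rule.
netsh ipsec static add policy name="FE-BE Encryption" description="Require ESP between Exchange FE and BE (example)"

rem 2. A filter list that matches all traffic between the two hosts.
rem    mirrored=yes creates the reverse-direction filter automatically, so the
rem    same script is valid on either server.
netsh ipsec static add filterlist name="FE-BE Hosts" description="All traffic between FE and BE"
netsh ipsec static add filter filterlist="FE-BE Hosts" srcaddr=%FE_ADDR% dstaddr=%BE_ADDR% protocol=ANY mirrored=yes

rem 3. A filter action that negotiates security and refuses cleartext:
rem    inpass=no  - do not accept unsecured inbound traffic that matches
rem    soft=no    - do not fall back to cleartext if negotiation fails
rem    ESP with encryption and integrity; pick the strongest suite both hosts support.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Tie filter list and action together in a rule, authenticating with Kerberos.
rem    If one side cannot reach a domain controller (typical for a host in a
rem    non-authenticated DMZ), certificate authentication (rootca=) must be used
rem    instead; that is exactly the sort of dependency the thread argues about.
netsh ipsec static add rule name="FE-BE Rule" policy="FE-BE Encryption" filterlist="FE-BE Hosts" filteraction="Require ESP" kerberos=yes

rem 5. Assign the policy so the IPSec driver starts enforcing it.
netsh ipsec static set policy name="FE-BE Encryption" assign=y

rem Check: both servers should show the policy as assigned and, once traffic
rem flows, "netsh ipsec dynamic show qmsas" lists the negotiated ESP SAs.
netsh ipsec static show policy name="FE-BE Encryption"
```

Because the filter action uses soft=no, a mistake on either side (wrong address, authentication failure, a firewall dropping IKE on UDP 500 or ESP) stops all traffic between the two servers rather than silently falling back to cleartext; test the policy with ping and "netsh ipsec dynamic show mmsas" before relying on it for Exchange traffic, and keep an out-of-band way to unassign it (assign=n) if the servers stop talking.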
 