MS Proxy and Exchange 1

[amrit]

This is a just a general question. Is anyone aware of any known issues on having MS Proxy 2.0 and Exchange 5.5 on the same machine???

 

[amrit]

Also, what other firewalls are out there that have better security than MS Proxy Server. I am planning to connect a LAN of about 30 nodes to the internet through a router with a internet ip address. I'm debating whether i should connect that router to a NT box w/ 2 NIC's and MS proxy, or to put firewall software on the router and have it hooked directly into the LAN. I haven't picked out a router yet, so any suggestions on that would be helpful! Security is of great importance and several user will want to access the network remotely, most probably through a VPN.

 

[JoeB]

I can tell you this much. If you plan on using pptp, don't even think about using proxy server. You can not be authenticated with pptp through a proxy. There is supposedly a work around by using RRAS, but so far my efforts to make it work have failed, and there just isn't any good information available except a couple KB articles by Microsoft saying it should work! I'd definately go with some other firewall solution.

 

[joeblough]

yeah if you are concerned with security put your proxy on another computer and add an add-on firewall to sure-up the NT proxy like the Gauntlet firewall (network accociates). better safe than sorry.

 

[Zelandakh]

Proxy means doing for someone else. i.e. you use it for multiple people going out through it (router).<br>
<br>
Proxy does not mean firewall. MS Proxy definitely does not mean secure firewall.<br>
<br>
Checkout Checkpoint Firewall. Cisco IOS and Gauntlet as Blakester noted.<br>
<br>
If you wish to allow incoming access other than an SMTP mail feed then use something professional and have it professionally installed. One big bill is better than one insecure network.<br>
<br>
We had someone recommend proxy as a firewall. It was hacked within hours of going up. Then he plugged the internet connection straight into our fibre switch - no firewall or proxy server at all. My how we laughed...<br>
<br>

 

[Tool]

I have Proxy, Exchange, IIS and VPN access all on the same server with no problems.

 

[amrit]

Tool, <br>
<br>
Are you using PPTP? I am a little worried about the security of data being passed through the VPN. How good is the Microsoft Authentication and Encryption, and overall security from the outside world.

 

[Tool]

I guess it all depends on how secure your data needs to be. I think that the built in VPN (PPTP) service is secure with NT. Windows 2000 is coming out with an even more secure PPTP protocol. Microsoft is using industry standard PPTP. There are several things to consider when creating a secure site, NT is complex and has many loopholes. In addition to PPTP Microsoft developed a product called RRAS which when used with PPTP can further secure your network connection. I suggest reading further into the PPTP protocol, you can find more info on Microsoft's website with their online Technet CD. Make sure you have strong authentication on both the client and server side. I use it without a hitch so far =-)<br>
<br>
Tool<br>

 

[pmkincaid]

First and foremost I would not recommend having anything other than Proxy Server on the machine that is directly connected to the internet. If you do and that machine gets compromised, everything is compromised. Proxy Server can act as a gateway to Exchange with Exchange being on an internal, private subnet (ie Proxy listens on port 25 and routes anything from there to the Exchange server inside the firewall).<br>
<br>
Now secondly, I definately would not count on Proxy Server if you are as concerned with security as it sounds. Zelandakh recommended Checkpoint's Firewall-1 -- yes it is expensive, but it is worth the money. Nothing is completely bulletproof, but we have it and have very few problems with it. Even if you ask Microsoft, if you talk to the right people that is, Proxy is meant as just that, a PRoxy to allow people to get out to the internet - its not a high level firewall. Firewall-1 comes with a VPN client also.<br>
<br>
Microsoft really isn't in the business of protecting your network, their products are designed to allow easier access to the internet -- look at Windows 2000, the install is so dumbed down anyone with half a brain can install it...<br>
<br>
I would definately recommend a third party firewall. I would not use Proxy Server as a firewall. Either Firewall-1 (which is installed on an NT machine, or a deticated router/firewall combination (either Cisco or Ascend - both have good firewalls). Also, I would not put Proxy and Exchange on the same machine - if you still want to use proxy, it can listen and forward all SMTP requests to the Exchange server which can be inside your DMZ - another level of protection.<br>
<br>
Hope this helps a little,<br>
Paul