Where to put E2K server on network?

[bartibog]

Hi, I have a firewall, 2 W2K servers AD, 1 E2K server with 35 users. Where should I place the exchange server? on inside of the firewall or on the optional port? the clients do use OWA only when travelling!

No web servers except for OWA on the exchange server

Thanks in advance!

 

[FredUG]

It should be behind the firewall. You'll have to open ports for OWA to work.

Good luck,

FredUG

 

[bartibog]

Thanks for the response FredUG,

do you mean on the optional port or the trusted port!

The reason i'm asking this question is that we had an IT audit done and they want it to be on the optional port...right now I have it on the trusted port with OWA open to the exchange server...

What do you think?

 

[FredUG]

I'm not sure what you mean by optional or trusted ports but behind the firewall means protected like the workstations. If your FW has a DMZ (maybe that's your optional port) you COULD put it there but I'd just put it behind and open the appropriate ports needed for OWA access. It'll make it easier for the clients to connect that are ON the network.

HTH,

FredUG

 

[bartibog]

I have it now behind the firewall and the appropriate ports open for OWA, but I need a reason why I would put it somewhere else...dam auditors LOL

 

[FredUG]

If it's behind a firewall *and* working, there's no practical need to move it to a DMZ. Some larger networks use multiple firewalls and exchange servers forwarding from inside and outside the lan. It's overkill unless you're a LARGE company. The auditors have to justify the audit.

HTH,

FredUG

 

[ReddLefty]

Some security issues and network risks might not allow you to open ports from your WAN to your LAN. So you can also place a 2nd Exchange Server in your DMZ and set it as a Front-End server.

It basically does the bridge between your DMZ and your LAN so you don't have to open any ports from your WAN to LAN.

A Front-End server has OWA and because it's in the same Organization, it will know where your mailboxes are, so no added configuration is necessary to OWA on the DMZ. You can also set it up to be the email gateway, and once again, it know where to route your mail...so that you don't have to open port 25 the the LAN either. Of course, the decision is ultimatly yours.




"In space, nobody can hear you click..."

 

[Marcs41]

It does not matter where you put it, as long as it is begind the firewall. You will need to forward port 80 for OWA to that server, or 443 for SSL.
Also, if you receive mail per MX-record, you need port 25 too.
I suppose with the 'optional' port, you mean the DMZ? If so, no, bad idea.

Marc
_{If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!}

 

[bartibog]

marcs41, why would it be a bad idea to put it behind the DMZ??? i'm trying to come up with a good answer for those nice auditors!

 

[itsisnofun]

bartibog

Give them the reason I gave ours. Since you are not an ISP and do not offer open mail accounts. There is no need to put it on the DMZ which may end up being a security risk for MS Exchange to your network. Since users behind the firewall are passed thru active directory for them to use outlook (if using and not express) in exchange mode as they are not pop accounts. If placed behind the firewall you control who and what gets access.

Mike

 

[Marcs41]

Exactly, the DMZ is , in a way, unprotected by some firewalls, but as itsisnofun says, all users would have to go through the firewall to the DMZ and that is not a good idea at all.

 

[bartibog]

Thanks guys...