A DMZ (de-militarised zone), also known as a perimeter network, is a network segment that sits between the Internet and your internal LAN. It is commonly used to host servers that must be reachable from the Internet, so that a compromise of one of those servers does not directly expose your internal infrastructure.
There are differing opinions on how a DMZ should be used with your Exchange/messaging environment. Some feel that Exchange front-end servers should be placed within the DMZ, which requires some configuration on the servers and firewall. Others, myself included, feel that port forwarding/filtering on a good firewall is sufficient and the front-end servers can be placed on the LAN, which is a more convenient approach. Microsoft offers a guide on front-end/back-end topology including the use of a DMZ. You can also find information on hardening your front-end servers here.
My ideal topology, and the one we have implemented here, is to have a third-party mail gateway in the DMZ that then forwards to front-end servers on the internal network. This gives multiple layers of defence and should stop the majority of viruses and malicious payloads before they reach the internal servers/network. Services like OWA, RPC-HTTP and ActiveSync are offered by port forwarding from the firewall to the front-end servers. In my opinion this approach offers a good balance between administrative overhead and security.
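To make the topology above concrete, here is an added example of a three-zone firewall policy written as an nftables ruleset. It is not from the original post and does not reflect the author's actual firewall; the interface names (eth0/eth1/eth2), the public address 203.0.113.10, the DMZ gateway 10.1.1.25 and the internal front-end 10.0.0.50 are all constructed assumptions, and it assumes OWA, RPC-over-HTTP and ActiveSync are all published on HTTPS (443) only. The point it shows is that inbound SMTP never reaches the internal network directly, that the only DMZ-to-LAN path is SMTP from the gateway to the front-end, and that everything else between zones is dropped and logged.

```nft
#!/usr/sbin/nft -f
# Added example, not the post author's configuration. Assumptions:
#   eth0 = Internet, eth1 = DMZ (10.1.1.0/24), eth2 = LAN (10.0.0.0/24)
#   203.0.113.10 = public address, 10.1.1.25 = DMZ mail gateway,
#   10.0.0.50 = internal Exchange front-end server.
flush ruleset

define WAN       = eth0
define DMZ       = eth1
define LAN       = eth2
define PUBLIC_IP = 203.0.113.10
define MAIL_GW   = 10.1.1.25
define FRONTEND  = 10.0.0.50

table inet perimeter {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound SMTP terminates on the DMZ gateway, never on the internal server.
        iifname $WAN ip daddr $PUBLIC_IP tcp dport 25 dnat ip to $MAIL_GW
        # OWA, RPC-over-HTTP and ActiveSync ride HTTPS: port-forward 443
        # straight to the internal front-end, as the post describes.
        iifname $WAN ip daddr $PUBLIC_IP tcp dport 443 dnat ip to $FRONTEND
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ gateway: only the port the DNAT above exposes.
        iifname $WAN oifname $DMZ ip daddr $MAIL_GW tcp dport 25 accept
        # Internet -> internal front-end: HTTPS only.
        iifname $WAN oifname $LAN ip daddr $FRONTEND tcp dport 443 accept

        # DMZ gateway -> internal front-end: relay of scanned mail only.
        iifname $DMZ oifname $LAN ip saddr $MAIL_GW ip daddr $FRONTEND tcp dport 25 accept
        # DMZ gateway -> Internet: outbound delivery, DNS, and signature updates.
        iifname $DMZ oifname $WAN ip saddr $MAIL_GW udp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $MAIL_GW tcp dport { 25, 53, 80, 443 } accept

        # LAN -> DMZ gateway: the front-end hands outbound mail to the gateway.
        iifname $LAN oifname $DMZ ip saddr $FRONTEND ip daddr $MAIL_GW tcp dport 25 accept
        # LAN -> Internet: general egress for the internal network.
        iifname $LAN oifname $WAN accept

        # Everything else (notably any other DMZ -> LAN traffic) is dropped and
        # logged, so a compromised gateway probing inward becomes visible.
        log prefix "perimeter-drop: " counter drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN snat ip to $PUBLIC_IP
    }
}
```

Load it with `nft -f` and confirm the zone boundaries with `nft list ruleset`; the useful check is that the `forward` chain contains exactly one DMZ-to-LAN accept rule (gateway to front-end on 25), because that single rule is the whole trust relationship between the perimeter and the internal messaging servers. If the gateway is ever compromised, the `perimeter-drop` log prefix is where its attempts to reach anything else on the LAN will show up.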
Tags: Exchange, Firewall, DMZ
I absolutely agree. This is what I preach every day in the newsgroups. Exchange servers do not belong in a DMZ. It’s unfortunate that early Microsoft whitepapers indeed recommended this very thing. At least they no longer do so…
E12 will change things a lot in this regard. I expect that the recommendation will again be to put E12 in a Gateway role into the DMZ.
By: Ben Winzenz on January 19, 2006 at 2:13 pm
Hmm… Isn’t this post just crying out for a sample deployment diagram?
G.
By: Gary Slinger on January 20, 2006 at 4:18 am