A DMZ (de-militarised zone), also known as a perimeter network, is an area of network between the Internet and your internal LAN. It is commonly used to place servers that are accessible from the Internet in an effort to protect your internal infrastructure.
There are differing opinions on how a DMZ should be used with your Exchange/messaging environment. Some feel that Exchange front-end servers should be placed within the DMZ, which requires some configuration on the servers and firewall. Others, including myself, feel that port forwarding/filtering on a good firewall is sufficient and the front-end servers can be placed on the LAN, which is a more convenient approach. Microsoft offer a guide on front-end/back-end topology including the use of a DMZ. You can also find information on hardening your front-end servers here.
My ideal topology, and one we have implemented here, is to have a third-party mail gateway in the DMZ that then forwards to front-end servers on the internal network. This allows for multiple layers of defence and should prevent the majority of viruses and malicious payloads from reaching the internal servers/network. Services like OWA, RPC-HTTP and ActiveSync are offered by port forwarding from the firewall to the front-end servers. In my opinion this approach offers a good balance between administrative overhead and security.
[tags]Exchange, Firewall, DMZ[/tags]