Posted by: Anthony Drewery | January 19, 2006

To DMZ or not to DMZ?

A DMZ (de-militarised zone), also known as a perimeter network, is an area of network between the Internet and your internal LAN. It is commonly used to place servers that are accessible from the Internet in an effort to protect your internal infrastructure.

There are differing opinions on how a DMZ should be used with your Exchange/messaging environment. Some feel that Exchange front-end servers should be placed within the DMZ which requires some configuration on the servers and firewall. Others, including myself, feel that port forwarding/filtering on a good firewall is sufficient and the front-end servers can be placed on the LAN, which is a more convenient approach. Microsoft offer a guide on front-end/back-end topology including the use of a DMZ. You can also find information on hardening your front-end servers here.

My ideal topology, and one we have implemented here, is to have a 3rd party mail gateway in the DMZ that then forwards to front-end servers on the internal network. This allows for multiple layers of defence and should prevent the majority of viruses and malicious payloads reaching the internal servers/network. Services like OWA, RPC-HTTP and ActiveSync are offered by port forwarding from the firewall to the front-end servers. In my opinion this approach offers a good balance between administrative overhead and security.

[tags]Exchange, Firewall, DMZ[/tags]


Responses

  1. I absolutely agree. This is what I preach every day in the newsgroups. Exchange servers do not belong in a DMZ. It’s unfortuante that early Microsoft whitepapers indeed recommended this very thing. At least they no longer do so…

    E12 will change things a lot in this regards. I expect that the recommendation will again be to put E12 in a Gateway role into the DMZ.

  2. Hmm… Isn’t this post just crying out for a sample deployment diagram? šŸ˜‰

    G.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: