Exchange 2003 - OWA Setup
This thread has 5 replies and has been viewed 1163 times
#1
Hi Guys

I'm looking for some clarification or a sanity check. I've come across this setup on a new client site: they have an Exchange 2003 cluster (2 node) on their LAN, then they have an OWA front-end in their DMZ, but what I discovered alarmed me. (Do I really see this?)

The OWA server has two NICs, one called LAN Nic and one called DMZ nic. Non-secure (HTTP) traffic is permitted from the internet to the DMZ NIC to allow a non-secure connection for OWA/OMA (obviously needs to be reconfigured to HTTPS).

Am I correct in thinking that because the two NICs reside on the one box, if the DMZ NIC is compromised then the attacker has full access to the LAN as well, as there is no router or software as far as I can see regulating traffic between the two NICs on the one server? Shouldn't the OWA front-end server just have one DMZ NIC, and any interaction between the LAN and DMZ be governed by the Cisco router and appropriate traffic rules?

Thanks in advance
#2
To be honest, there are no good reasons for putting an Exchange server in a DMZ. Doesn't matter how you configure it, compromise the frontend server and you can walk straight in, one or two NICs, doesn't really matter.
Two solutions:

1. Bring the frontend server inside or build a new one fresh inside, then open 443/25 ONLY on the firewall.
2. Bring the frontend server inside or build a new one fresh inside (notice the pattern here), and publish OWA with a reverse proxy like ISA/TMG.

Simon.
__________________
-- Simon Butler
Exchange MVP
Blog: http://blog.sembee.co.uk/
More Exchange Content: http://exchange.sembee.info/
Exchange Resources List: http://exbpa.com/
In the UK? Hire me: http://www.sembee.co.uk/
#3
Thanks Simon

It's Exchange 2003. Is it not more secure using a DMZ? Port 443 is the only open port being passed to the front end since I fixed the SSL. I closed off port 80. OWA/OMA traffic only passes through port 443. At least if the front end somehow gets compromised it's buffered in a DMZ, no? Is it not best practice to have the back end hosting the Info Stores and the front end hosting public SMTP and OWA/OMA, and both zones firewalled?
#4
Had a good read of this and I see where you're coming from:
http://tigermatt.wordpress.com/2009/...ge-server-dmz/
#5
So I see if I use a Vamsoft VM or hosted spam service locked to my IP, that hardens port 25, but could you explain a little more about how secure it is opening up port 443 and forwarding it to my Exchange FE on my private LAN? Sorry if this sounds like a stupid question, just need a sanity check!

Thanks Simon

Last edited by Senan; 13th September 2012 at 00:19.
#6
Secure? It is more secure than putting it in a DMZ. Single port only.
http://blog.sembee.co.uk/post/Why-yo...-in-a-DMZ.aspx
Explains more.

Simon.