Front-end in DMZ

Microsoft Exchange Server 2007 , Design, Deployment, Clustering and troubleshooting related archives

Front-end in DMZ

Post by usenet » Fri Jul 03, 2009 1:27 pm

Hi,

We have Exchange 2003, with a cluster for the mailbox, a front-end
server (OWA) in the DMZ and another front-end server (MX record) in the local
network, the last one with GroupShield 7.0.
The company wants to secure the environment and wants to move the front-end
server (MX record) to the DMZ.
Is it recommendable to do this move? And how can I do this move?

Thanks
More available at Technology Forums
usenet
 
Posts: 80094
Joined: Wed Jun 24, 2009 8:14 am

Re: Front-end in DMZ

Post by usenet » Fri Jul 03, 2009 1:33 pm

Xula wrote:
> Hi,
>
> We have Exchange 2003, with a cluster for the mailbox, a front-end
> server (OWA) in the DMZ and another front-end server (MX record) in the local
> network, the last one with GroupShield 7.0.
> The company wants to secure the environment and wants to move the
> front-end server (MX record) to the DMZ.
> Is it recommendable to do this move? And how can I do this move?
>
> Thanks


For security purposes, you shouldn't put any of your Exchange servers or
domain-member servers in a DMZ. Keep everything behind your firewall on your
LAN. You have to open so many ports between DMZ and LAN to make even just
OWA work that you negate the purpose of a DMZ.

Re: Front-end in DMZ

Post by usenet » Fri Jul 03, 2009 9:19 pm

No front-end should be in the DMZ because of the large number of ports you
must open to make it work. Instead, you should keep the internal front-end
server in place and change your DMZ-based front-end server into an ISA 2006
server and let it perform a reverse proxy for Exchange.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"Xula" wrote in message
news:49567193-DF5A-4BB2-9C60-E710B20097E6@microsoft.com...
> Hi,
>
> We have Exchange 2003, with a cluster for the mailbox, a front-end
> server (OWA) in the DMZ and another front-end server (MX record) in the local
> network, the last one with GroupShield 7.0.
> The company wants to secure the environment and wants to move the front-end
> server (MX record) to the DMZ.
> Is it recommendable to do this move? And how can I do this move?
>
> Thanks

Re: Front-end in DMZ

Post by usenet » Sat Jul 04, 2009 3:45 pm

You should *never* expose your Exchange servers (this includes both the
OWA and SMTP services) to the internet. You should thus never allow a
direct connection from the internet to the servers, whether they are
located on your internal network or your DMZ.

For example, if you allowed direct traffic from the internet to port 25
of your internal Exchange server, this is what could have happened to
you (http://www.cert.org/advisories/CA-2003-27.html). A specially
crafted SMTP command to your MX server would have allowed the attacker
to gain "SYSTEM" privileges on your *internal* Exchange server,
completely bypassing your DMZ and external firewalls.

Of course the vulnerability mentioned is old, but if it happened once
it's going to happen again.

**Always** proxy internet traffic through your DMZ, and never allow your
Exchange servers to be "touched" directly from the internet. ISA Server
will do fine, as long as you configure it correctly. You can use it to
proxy both OWA and SMTP traffic, but again, make sure you limit and
control traffic on it as much as possible.

I would however personally also route the incoming SMTP traffic in your
DMZ to a *real* separate antispam/antivirus server (or appliance) that
will receive and then forward in a separate message the emails to your
Exchange server. ISA will act as a proxy and thus what comes in is what
comes out - there is no real separation between the internet and
Exchange. Yes, it's filtered traffic, but it's still not physically
separated. Enabling MailGuard (if you're running Cisco firewalls) is
also an excellent deterrent to avoid SMTP vulnerabilities.

--
Roberto Franceschetti
LogSat Software
http://www.logsat.com


Xula wrote:
> Hi,
>
> We have Exchange 2003, with a cluster for the mailbox, a front-end
> server (OWA) in the DMZ and another front-end server (MX record) in the local
> network, the last one with GroupShield 7.0.
> The company wants to secure the environment and wants to move the front-end
> server (MX record) to the DMZ.
> Is it recommendable to do this move? And how can I do this move?
>
> Thanks
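The two replies above (Ed Crowley's "change the DMZ front-end into an ISA reverse proxy" and Roberto's "never let the internet touch Exchange directly, and relay SMTP through a separate DMZ box") boil down to a small set of firewall-policy rules that can be checked mechanically. The script below is an added example, not code from the thread or from Microsoft, ISA or LogSat: it models a ruleset as plain allow rules between the zones internet, dmz and lan, and lints it against those two points. All host names (exch-fe-owa, exch-fe-mx, exch-mbx-cluster, dc01, isa-proxy, smtp-relay) and the two rulesets are constructed to mirror the poster's current design and the recommended one; the back-end port numbers in the "current" ruleset are illustrative.

```python
"""Firewall-policy lint for the Exchange placement question in this thread.

Added example; hosts, zones and rules are constructed. The checks encode
the replies' advice:
  1. no direct Internet connection to an Exchange server, whether it sits
     in the LAN or in the DMZ;
  2. only the designated DMZ reverse proxy / mail relay may open connections
     into the LAN, and each only to the single service it publishes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule as a firewall would express it. '*' means any host."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    dst_port: int


# Hypothetical host names standing in for the poster's environment.
EXCHANGE_HOSTS = {"exch-fe-owa", "exch-fe-mx", "exch-mbx-cluster"}

# The only DMZ hosts allowed to talk inward, and the one service each may reach.
ALLOWED_DMZ_TO_LAN = {
    ("isa-proxy", "exch-fe-owa", 443),   # ISA reverse-proxies OWA to the internal front-end
    ("smtp-relay", "exch-fe-mx", 25),    # AV/antispam relay forwards mail to the internal MX
}


def find_violations(rules):
    """Return [(rule, reason)] for every rule that breaks the segmentation policy."""
    violations = []
    for r in rules:
        if r.src_zone == "internet":
            if r.dst_host in EXCHANGE_HOSTS or r.dst_zone == "lan":
                violations.append((r, "Internet reaches an Exchange server or the LAN directly"))
            elif r.dst_host == "*":
                violations.append((r, "Internet rule with a wildcard destination"))
        elif r.src_zone == "dmz" and r.dst_zone == "lan":
            if (r.src_host, r.dst_host, r.dst_port) not in ALLOWED_DMZ_TO_LAN:
                violations.append((r, "DMZ-to-LAN path is not on the allow-list"))
    return violations


# The poster's current design: the OWA front-end sits in the DMZ, is reachable
# straight from the Internet, and needs a pile of back-end ports opened into the
# LAN (illustrative ports: RPC endpoint mapper, LDAP and Kerberos to a DC).
# The MX front-end is on the LAN but receives Internet SMTP directly.
CURRENT_DESIGN = [
    Rule("internet", "*", "dmz", "exch-fe-owa", 443),
    Rule("dmz", "exch-fe-owa", "lan", "exch-mbx-cluster", 135),
    Rule("dmz", "exch-fe-owa", "lan", "dc01", 389),
    Rule("dmz", "exch-fe-owa", "lan", "dc01", 88),
    Rule("internet", "*", "lan", "exch-fe-mx", 25),
]

# The design the replies recommend: both Exchange front-ends stay on the LAN;
# the DMZ holds only an ISA reverse proxy and a store-and-forward mail relay.
PROPOSED_DESIGN = [
    Rule("internet", "*", "dmz", "isa-proxy", 443),
    Rule("internet", "*", "dmz", "smtp-relay", 25),
    Rule("dmz", "isa-proxy", "lan", "exch-fe-owa", 443),
    Rule("dmz", "smtp-relay", "lan", "exch-fe-mx", 25),
]


def violation_count(rules):
    """Convenience wrapper: number of policy violations in a ruleset."""
    return len(find_violations(rules))


if __name__ == "__main__":
    for name, rules in (("current", CURRENT_DESIGN), ("proposed", PROPOSED_DESIGN)):
        found = find_violations(rules)
        print(f"{name}: {len(found)} violation(s)")
        for rule, reason in found:
            print(f"  {rule.src_zone}/{rule.src_host} -> "
                  f"{rule.dst_zone}/{rule.dst_host}:{rule.dst_port}: {reason}")
```

Running it flags every rule in the current design (the DMZ front-end is an Exchange server the Internet talks to, and it drags several inward ports with it, which is exactly the "negate the purpose of the DMZ" point) and none in the proposed one, where the only inward paths are the two proxy hosts to the two published services. The allow-list is deliberately keyed on (source host, destination host, port) rather than on zones alone, because the whole argument in the thread is that DMZ-to-LAN must be narrow, not merely present.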
