Author: Tekno (Guest)
Posted: Wed Aug 31, 2005 12:59 am
Post subject: MS EXchange behind NAT
Can I setup my MS exchange server2003 behind NAT? Or should I put it in DMZ
zone? If I can use NAT without putting in DMZ, it will only work for internal
email, won't it?
Thanks.
Tekno
Author: Bharat Suneja (Guest)
Posted: Wed Aug 31, 2005 6:52 am
Post subject: Re: MS EXchange behind NAT
Depends on your environment/security policy and concerns, and what you're
trying to accomplish.
You can:
1) open smtp on your firewall to internal Exchange. Most people are not
comfortable with that, though small companies typically end up doing this.
2) Use a non-Exchange/non-domain member or linux/unix smtp box as smtp
gateway in your dmz, open smtp from Internet to that box in dmz, open smtp
from that particular box only to internal exchange bridgehead/mailbox
server. Very common.
3) Use ISA.
4) Use a hosted smtp service that does antispam/antivirus, allow only their
ip addresses to smtp to a dmz host, allow only dmz host to smtp to exchange.
You do not want to put an Exchange box in the dmz - will need to open a lot
of ports to talk to dcs/gcs/other exchange boxes. Typically Exchange is set
up on the internal network.
--
Bharat Suneja
MCSE, MCT
--------------------------------
"Tekno" <Tekno@discussions.microsoft.com> wrote in message
news:6FB6A421-1D7A-4BE5-B347-3AE05BAADF7C@microsoft.com...
| Quote: | Can I setup my MS exchange server2003 behind NAT? Or should I put it in DMZ
zone? If I can use NAT without putting in DMZ, it will only work for internal
email, won't it?
Thanks.
Tekno |
Author: Tekno (Guest)
Posted: Wed Aug 31, 2005 3:58 pm
Post subject: Re: MS EXchange behind NAT
Thank you very much for your very useful, quick answer.
I need more help please.
Here is my situation:
I work for a small company with 50-70 users, with only one Linux server
for the business application, and one Windows Server 2003 as a Domain
Controller, file server, DNS, and internal hosting only. We may add one more
server as an Exchange server if we have to.
Some questions regarding your 4 options:
"Bharat Suneja" wrote:
| Quote: | Depends on your environment/security policy and concerns, and what you're
trying to accomplish.
You can:
1) open smtp on your firewall to internal Exchange. Most people are not
comfortable with that, though small companies typically end up doing this.
|
Open smtp on my firewall to internal exchange, does that mean open all ports
needed by exchange? and use private ip for the exchange server?
| Quote: | 2) Use a non-Exchange/non-domain member or linux/unix smtp box as smtp
gateway in your dmz, open smtp from Internet to that box in dmz, open smtp
from that particular box only to internal exchange bridgehead/mailbox
server. Very common.
|
Is this a more secure solution than the other? Do I need to add antispam and anti
virus in that linux smtp box? What critical things do I need for this set up?
How am I supposed to set up the ISA configuration? Behind Router firewall, can I
set up the ISA setup in the same box with the Exchange server and make the
exchange server in a DMZ zone?
| Quote: | 4) Use a hosted smtp service that does antispam/antivirus, allow only their
ip addresses to smtp to a dmz host, allow only dmz host to smtp to exchange
|
Is this # 4 option the best solution for me for security and easy to
configure?
| Quote: | You do not want to put an Exchange box in the dmz - will need to open a lot
of ports to talk to dcs/gcs/other exchange boxes. Typically Exchange is set
up on the internal network.
--
Bharat Suneja
MCSE, MCT
|
Once again thank you very much for your help.
Tekno Budi
| Quote: | --------------------------------
"Tekno" <Tekno@discussions.microsoft.com> wrote in message
news:6FB6A421-1D7A-4BE5-B347-3AE05BAADF7C@microsoft.com...
Can I setup my MS exchange server2003 behind NAT? Or should I put it in DMZ
zone? If I can use NAT without putting in DMZ, it will only work for internal
email, won't it?
Thanks.
Tekno
|
Author: Bharat Suneja (Guest)
Posted: Wed Aug 31, 2005 4:59 pm
Post subject: Re: MS EXchange behind NAT
Replies inline.
--
Bharat Suneja
MCSE, MCT
--------------------------------
"Tekno" <Tekno@discussions.microsoft.com> wrote in message
news:4CC32186-20C6-423B-B4CC-9ECF4119E6CE@microsoft.com...
| Quote: | Thank you very much for your very useful, quick answer.
I need more help please.
Here is my situation:
I work for a small company with 50-70 users, with only one Linux server
for the business application, and one Windows Server 2003 as a Domain
Controller, file server, DNS, and internal hosting only. We may add one more
server as an Exchange server if we have to.
Some questions regarding your 4 options:
"Bharat Suneja" wrote:
Depends on your environment/security policy and concerns, and what you're
trying to accomplish.
You can:
1) open smtp on your firewall to internal Exchange. Most people are not
comfortable with that, though small companies typically end up doing this.
Open smtp on my firewall to internal exchange, does that mean open all ports
needed by exchange? and use private ip for the exchange server?
|
--- no, only smtp port 25 from internet to exchange server on internal
network. exchange sits on the internal network, so yes, pvt ip for exchange.
once again, not a very secure solution, but something small companies
frequently end up doing.
| Quote: | 2) Use a non-Exchange/non-domain member or linux/unix smtp box as smtp
gateway in your dmz, open smtp from Internet to that box in dmz, open smtp
from that particular box only to internal exchange bridgehead/mailbox
server. Very common.
Is this a more secure solution than the other? Do I need to add antispam and anti
virus in that linux smtp box? What critical things do I need for this set up?
|
-- certainly more secure than #1. Don't *need* to add antispam and antivirus
to the gateway (linux or windows) smtp box, but it helps stop a lot of spam
and viruses from entering your network at all.
| Quote: |
3) Use ISA.
How am I supposed to set up the ISA configuration? Behind Router firewall, can I
set up the ISA setup in the same box with the Exchange server and make the
exchange server in a DMZ zone?
|
-- ISA would be dual-homed. Don't recommend setting up ISA on same box as
Exchange. (For a good small business solution check out SBS 2003).
| Quote: |
4) Use a hosted smtp service that does antispam/antivirus, allow only their
ip addresses to smtp to a dmz host, allow only dmz host to smtp to exchange
Is this # 4 option the best solution for me for security and easy to
configure?
|
-- Not very difficult, and perhaps more secure because the service
provider's smtp is exposed to the internet, and saves you the trouble of
setting up a smtp gateway in a dmz, and dealing with antispam and security
issues. The only issue here is recurring monthly cost.
| Quote: |
You do not want to put an Exchange box in the dmz - will need to open a lot
of ports to talk to dcs/gcs/other exchange boxes. Typically Exchange is set
up on the internal network.
--
Bharat Suneja
MCSE, MCT
Once again thank you very much for your help.
Tekno Budi
--------------------------------
"Tekno" <Tekno@discussions.microsoft.com> wrote in message
news:6FB6A421-1D7A-4BE5-B347-3AE05BAADF7C@microsoft.com...
Can I setup my MS exchange server2003 behind NAT? Or should I put it in DMZ
zone? If I can use NAT without putting in DMZ, it will only work for internal
email, won't it?
Thanks.
Tekno
|
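Added example, not part of the original thread: the forwarding policy behind options 2 and 4 above, written as a generator for an iptables-restore ruleset on a Linux firewall with Internet, DMZ and LAN legs. The interface names, the gateway and Exchange addresses, and the `gen_rules` function are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints FORWARD-chain rules (iptables-restore format) for a
# firewall with three legs: Internet, DMZ, internal LAN.
# Every interface name and address below is an assumed placeholder.
WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
GATEWAY=192.168.50.10   # SMTP gateway host in the DMZ
EXCHANGE=10.0.0.25      # Exchange server on the internal network

# gen_rules [provider_cidr ...]
#   no arguments: option 2, any Internet host may reach the gateway on tcp/25
#   with CIDRs:   option 4, only the hosted service's ranges may do so
gen_rules() {
    # Reject anything that is not digits, dots and slashes before emitting.
    for cidr in "$@"; do
        case "$cidr" in
            ""|*[!0-9./]*) echo "bad CIDR: $cidr" >&2; return 2 ;;
        esac
    done
    echo "*filter"
    echo ":FORWARD DROP [0:0]"   # default-deny between all three legs
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$#" -eq 0 ]; then
        echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $GATEWAY --dport 25 -j ACCEPT"
    else
        for cidr in "$@"; do
            echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -s $cidr -d $GATEWAY --dport 25 -j ACCEPT"
        done
    fi
    # The gateway is the only DMZ host allowed to open SMTP to Exchange;
    # no rule lets the Internet leg reach the LAN leg directly.
    echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -s $GATEWAY -d $EXCHANGE --dport 25 -j ACCEPT"
    echo "COMMIT"
}
```

Check the output with `gen_rules 203.0.113.0/24 | iptables-restore --test` before loading it. Outbound mail, DNS and management access need rules of their own and are not covered here.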