Subnets for Exchange 2010 and Domain Controllers

Tags: Domain Controller, Exchange 2010, Firewalls, Subnets, Windows Server 2008
Is there a security advantage to having domain controllers on a different subnet from the member servers hosting Exchange 2010 (MBX, CAS, HUB)? Or, given the number of ports that must be opened, does the firewall essentially become "Swiss cheese"?

Software/Hardware used:
Exchange 2010, Windows Server 2008


Troy Tate 0 pts. | Sep 14 2009 3:48PM GMT

Can you provide more details about your environment (e.g. banking, finance, defense contractor, etc.)? This might give us more insight into what concerns you might have. There is a lot of different traffic that has to go to/from domain controllers. Are the DCs currently on a separate firewalled subnet?

Thomas1991 25 pts. | Sep 14 2009 4:19PM GMT

At this time we have the DCs in their own zone. The member servers of that domain (in another zone) will consist only of HUB, CAS, and MBX. The major concern is that, due to Exchange's high dependence on AD, it will create additional load on the firewalls and increase management effort and complexity. Also, several ports need to be open between the two zones.
From the simplicity point of view, one zone makes sense. However, from the security point of view, a layered approach (two zones) should be applied.

Mrdenny 44825 pts. | Sep 14 2009 4:31PM GMT

Typically people will install Exchange within the firewall, and only put the Edge Transport servers in the DMZ.

Thomas1991 25 pts. | Sep 14 2009 4:45PM GMT

Mrdenny I understand. In our case we will not deploy Edge Transport servers.

mrdenny 44825 pts. | Sep 16 2009 2:54AM GMT

Then you’ll need a lot of ports open between the Exchange server and the domain controllers in order to allow Exchange to authenticate.
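As an added example (not from any of the posters), the following PowerShell check can be run from the Exchange zone to see which of the TCP ports a domain-joined member server needs on a domain controller actually pass the firewall between the two zones; the DC name is a placeholder, and UDP and the dynamic RPC range are not probed.

```powershell
# Added example, not code from the thread. Probes the well-known TCP ports that
# member servers (and Exchange 2010's AD access) use against a domain controller.
$DomainController = 'dc01.corp.example'   # placeholder: replace with a real DC name

# UDP (DNS, Kerberos, NTP) and the dynamic RPC range (49152-65535 on Server 2008)
# are also required but are not checked by this simple TCP probe.
$RequiredTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Treat a timeout the same as a refused connection: the port is not reachable.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$blocked = @()
foreach ($port in ($RequiredTcpPorts.Keys | Sort-Object)) {
    $open  = Test-TcpPort -ComputerName $DomainController -Port $port
    $state = if ($open) { 'open' } else { 'BLOCKED' }
    Write-Host ('{0,5}/tcp  {1,-30} {2}' -f $port, $RequiredTcpPorts[$port], $state)
    if (-not $open) { $blocked += $port }
}

if ($blocked.Count -gt 0) {
    Write-Warning ('Firewall blocks {0} required port(s): {1}' -f $blocked.Count, ($blocked -join ', '))
}
```

Ports reported as BLOCKED will show up as authentication, Group Policy or directory-lookup failures on the Exchange servers, so the list doubles as a firewall change request for the DC zone.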
