Where on my network should my Exchange server reside? Does it need to be on the dmz or should it be inside the firewall? Users will connect from outside the network and inside using a variety of connection methods ranging from dial up all the way up to VPN connections over fiber.
Asked: May 3, 2011 8:37 PM
Updated: May 25, 2011 8:56 PM
The best practice is to keep all your servers which are providing internet services, whether Exchange, Web or ISA, in the DMZ zone. First and foremost, they are much more secure there, and you can open the required ports in the firewall.
Cheers
Yasir
For ease of access to your users – internal to your network (with SMTP routing Gateway in the DMZ) this would be the best approach but not normally acceptable. This will no doubt come down to what can be signed off by the company. Please remember that the ports to this server will still need to have the same restrictions in the DMZ as it would internally… Also the same relay restrictions and access would have to be enforced. So if the Exchange server can relay in the DMZ it will be able to relay in the DMZ.
Just something to think about.
Exchange isn’t configured like a normal server solution. There are three sets of servers that you need to place. Two go within your internal network, and one goes in your DNS. The mailbox servers and the hub transport servers both go within your internal network. The external hub transport servers go in your DNS with just a couple of firewall holes opened between them and your hub transport servers. If you want OWA, those are a bit harder as they need to be accessible from the Internet but still have access to a domain controller. Only access to port 443 (and port 80 if you want) is needed for the client access servers which host OWA.
In agreement with all of them. Behind Firewall and Gateway.
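An added example, not part of any post in this thread: a small audit of an inbound firewall rule list against the role split described above (mailbox and hub transport not reachable from the Internet, client access servers reachable only on 443 and optionally 80). Host names, the rule format and port 25 for the external transport role are assumptions made for the illustration.

```python
# Constructed inventory: host name -> Exchange role (hypothetical names).
ROLES = {
    "mbx01": "mailbox",
    "hub01": "hub_transport",
    "cas01": "client_access",
    "edge01": "external_transport",
}

# Ports each role may accept from the Internet.
# client_access: 443 and optional 80, as stated in the thread.
# external_transport: 25 (SMTP) is an assumption; the thread names no port.
# Roles not listed here must accept nothing from the Internet.
INTERNET_ALLOWED = {
    "client_access": {443, 80},
    "external_transport": {25},
}

# Constructed sample rules: (source zone, destination host, TCP port).
SAMPLE_RULES = [
    ("internet", "cas01", 443),
    ("internet", "cas01", 80),
    ("internet", "cas01", 3389),   # management port exposed
    ("internet", "mbx01", 443),    # mailbox server exposed
    ("internet", "edge01", 25),
    ("dmz", "hub01", 25),          # DMZ-to-internal hole, not Internet-facing
    ("internet", "hub01", 25),     # internal hub transport exposed
    ("internet", "old-owa", 443),  # host missing from the inventory
]


def audit(rules, roles=ROLES, allowed=INTERNET_ALLOWED):
    """Return (host, port, reason) for every Internet-facing rule that
    the role policy does not permit."""
    findings = []
    for src, dst, port in rules:
        if src != "internet":
            continue  # only Internet-sourced rules are in scope here
        role = roles.get(dst)
        if role is None:
            findings.append((dst, port, "host not in inventory"))
        elif port not in allowed.get(role, set()):
            findings.append((dst, port, f"{role} exposed on port {port}"))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE_RULES):
        print(f"{host}:{port} -> {reason}")
```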