Where should my Exchange server reside on my network?

Exchange Connectivity
Microsoft Exchange
Network Server
VPN connectivity
Where on my network should my Exchange server reside? Does it need to be on the DMZ or should it be inside the firewall? Users will connect from outside the network and inside using a variety of connection methods ranging from dial-up all the way up to VPN connections over fiber.

Answer Wiki


Due to the tight connections to the rest of your network, I personally would not put it in a DMZ. Ours resides on our internal network (behind the firewall and a router). The router port-forwards the needed POP/SMTP/IMAP ports from our external IP address to the internal network IP address of that server. Only those ports are reachable from the outside Internet, so it is–by default–more secure than if it were in a DMZ.

Users connecting via VPN are on our internal network, so they can also reach Exchange easily. Plus, we have Outlook Web Access set up on our web server which links to the Exchange server so that users can access their email from the Internet without using POP/IMAP/VPN.
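One way to verify the claim in the answer above that only the forwarded mail ports are reachable from outside, as an added example that is not part of the original answer: run it from a machine outside the firewall against your own external address. The port numbers are the standard ones for SMTP, POP3 and IMAP; the list of ports that must stay closed and all function names are assumptions chosen for illustration.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports the answer says are forwarded to the Exchange server (standard numbers).
EXPECTED_OPEN = {25: "SMTP", 110: "POP3", 143: "IMAP"}
# Assumption: internal-only services often found beside Exchange that
# should never answer on the external address.
MUST_BE_CLOSED = {135: "RPC endpoint mapper", 389: "LDAP",
                  445: "SMB", 3389: "RDP"}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable
        return False


def audit_exposure(host, expected=EXPECTED_OPEN, forbidden=MUST_BE_CLOSED,
                   probe=tcp_reachable):
    """Compare what actually answers on `host` with the intended policy.

    unexpected_open: ports that must be closed but accepted a connection.
    expected_closed: forwarded ports that did not answer (broken forward).
    """
    ports = sorted(set(expected) | set(forbidden))
    with ThreadPoolExecutor(max_workers=8) as pool:
        state = dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))
    return {
        "unexpected_open": [p for p in ports
                            if p in forbidden and p not in expected and state[p]],
        "expected_closed": [p for p in ports
                            if p in expected and not state[p]],
    }


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit_exposure.py <your-external-ip>
    result = audit_exposure(sys.argv[1])
    for port in result["unexpected_open"]:
        print(f"FAIL {port}/tcp ({MUST_BE_CLOSED[port]}) is reachable from outside")
    for port in result["expected_closed"]:
        print(f"WARN {port}/tcp ({EXPECTED_OPEN[port]}) forward is not answering")
    sys.exit(1 if result["unexpected_open"] else 0)
```

A non-zero exit status means a port outside the intended forwards answered, which makes the script suitable for a scheduled check after firewall or router changes.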

Discuss This Question: 4  Replies

  • Yasir Irfan
    The best practice is that all your servers which are providing Internet services, whether Exchange, Web or ISA, should be in the DMZ zone; first and foremost they are much more secure and you can open the required ports in the firewall. Cheers, Yasir
    7,330 points
  • Gabe9527
    For ease of access to your users - internal to your network (with SMTP routing gateway in the DMZ) - this would be the best approach but not normally acceptable. This will no doubt come down to what can be signed off by the company. Please remember that the ports to this server will still need to have the same restrictions in the DMZ as it would internally... Also the same relay restrictions and access would have to be enforced. So if the Exchange server can relay in the DMZ it will be able to relay in the DMZ. Just something to think about.
    11,095 points
  • Denny Cherry
    Exchange isn't configured like a normal server solution. There are three sets of servers that you need to place. Two go within your internal network, and one goes in your DNS. The mailbox servers and the hub transport servers both go within your internal network. The external hub transport servers go in your DNS with just a couple of firewall holes opened between them and your hub transport servers. If you want OWA, those are a bit harder as they need to be accessible from the Internet but still have access to a domain controller. Only access to port 443 (and port 80 if you want) is needed for the client access servers which host OWA.
    69,015 points
  • RamseyB
    In agreement with all of them. Behind firewall and gateway.
    2,115 points
