FE isolation in DMZ w/o SMTP connectors

  • FE isolation in DMZ w/o SMTP connectors

    i have a little project going right now... we are in the process of incorporating a new firewall into our network (nokia checkpoint) and getting rid of the fortinet 500. if you have the chance to buy a fortinet, don't, btw...

    so i wanna move the FE to the soon to be operational DMZ (i know.. dont tell me that sucks, its not totally my choice... if it were me id just NAT the thing and be done with it. im just the sys admin, not the head of network security) and i have a different setup...

    currently the back-end server uses a mail gateway to send and receive email (an ironport c100) via SMTP connector. the OWA/OMA is being published to a FE located behind the firewall. the FE has 80 and 443 NATed to the EXTERNAL network... so no email ever travels from the FE server. its simply there to be a web server to keep my MDAs synced and provide OWA to some AC's.

    what i was wondering is if you remove the email and such, what ports do i need open to make this work correctly?

    i used etherape to capture the traffic between the FE and BE, while syncing my MDA and the only two ports involved (that i see if im doing this correctly) is 1321 and 80...

    if the FE doesnt do LDAP and auth the way a FE normally does, then would these be the only ports needed?

    do i make sense?

    thanks guys...
    Last edited by James Haynes; 3rd January 2007, 21:10. Reason: I dont NAT to the internal from internal... sorry.
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...

  • #2
    Re: FE isolation in DMZ w/o SMTP connectors

    1. You don't have to change your SMTP routing / connectors.
    2. You can find the list of ports you should open in the next articles:
    CNE 5, CCA, MCSE NT4.0-2003, MCSE 2003 messaging, Exchange Server MVP.
    Tzahi Kolber - IT Supervisor
    Polycom Israel.


    • #3
      Re: FE isolation in DMZ w/o SMTP connectors

      If your network security person is prepared to allow the many ports that running Exchange in a DMZ requires, then they are not fit for the job.
      You can show them this post if you like.

      I blogged on the subject of putting Exchange in the DMZ last year.

      I do installations for financial institutions, plus I design many more or are consulted on their design for others.

      Very often they come to me with a design that includes an Exchange server in the DMZ. I then show them the list of ports required.

      The deal breaker is 135.

      Putting Exchange in a DMZ does nothing to improve your security, it actually reduces it.
      If there is a concern about having Exchange directly exposed to the internet - which is natural, then use the preferred Microsoft solution - an ISA server. That will secure the deployment without having to put a domain member in to the DMZ. I have that solution in place in about a dozen sites, mainly financial places where they have more network security people than network admins and it has gone down very well.

      Simon Butler
      Exchange MVP


      Sembee is a registered trademark, used here with permission.


      • #4
        Re: FE isolation in DMZ w/o SMTP connectors

        well, then im not moving it. i really did like it on the inside, and cringe at the thought of moving it else where... especially to the DMZ.

        our network guy is adamant about anything that is accessed via http(s) being located on the outside of our network in the DMZ...

        so im sticking to my original stance and keeping it inside, and Sembee, im using that blog as one of my references when he asks why i will not comply...

        and about the port numbers (for my own edification anyways...) when i was doing the net capture via etherape, i let it run for a good 15 minutes... with a massive buffer and about 200 entries.. but still i saw none of the usual ports in the session. all i saw was the 1321 and port 80 in use. like i was saying, my front-end is basically a web server and doesnt route mail or anything having to do with mail flow.

        thanks for the back-up guys!


        hahah! nice last line... this is my new thesis for the DMZ debate! i didnt see that till i was printing it out. you rule sembee!

        Microsoft have supplied instructions on how to deploy Exchange in a DMZ.
        Not really a valid argument. You could probably ask a car manufacturer to give you instructions on how to drive a car off a cliff. They can provide them too - but whether it is a good idea or not is down to you.
        Last edited by James Haynes; 4th January 2007, 15:26.
        its easier to beg forgiveness than ask permission.
        Give karma where karma is due...
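The thread turns on inferring required ports from a short etherape capture, which only shows what happened during one MDA sync. Below is an added example (not from any poster) that summarises per-port activity between a front-end and back-end host and lists which of the ports the thread names (80, 135, 443) the capture never exercised; host names, timings and the capture rows are constructed, and the port set is an assumption limited to what the posts mention, not Microsoft's full list.

```python
from collections import defaultdict

# Constructed capture rows: (seconds from start, src, dst, dst_port).
# Mimics a 15-minute OWA/OMA sync where only 80 and 1321 show up FE->BE.
CAPTURE = [
    (0, "fe", "be", 80), (2, "fe", "be", 1321), (30, "fe", "be", 80),
    (31, "fe", "be", 1321), (600, "fe", "be", 80), (899, "fe", "be", 1321),
]

# Assumption: ports the thread itself names as needed for a FE/BE
# deployment. The real requirement list is longer and is not on the page.
PORTS_NAMED_IN_THREAD = {80, 135, 443}


def summarise_ports(capture, src, dst):
    """Return {port: (hits, first_seen, last_seen)} for flows src -> dst."""
    seen = {}
    for t, s, d, port in capture:
        if (s, d) != (src, dst):
            continue
        hits, first, last = seen.get(port, (0, t, t))
        seen[port] = (hits + 1, min(first, t), max(last, t))
    return seen


def unexercised_ports(capture, src, dst, required):
    """Required ports the capture never shows. A port being absent from a
    short capture is not evidence it can be blocked; it may only be used
    at service start, during authentication or on an RPC endpoint lookup."""
    return sorted(required - set(summarise_ports(capture, src, dst)))


if __name__ == "__main__":
    for port, (hits, first, last) in sorted(summarise_ports(CAPTURE, "fe", "be").items()):
        print(f"port {port}: {hits} flows, seen {first}s..{last}s")
    print("named but never seen:", unexercised_ports(CAPTURE, "fe", "be", PORTS_NAMED_IN_THREAD))
```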