securing exchange behind router/ios firewall

Oct 30th, 2003

Here's my scenario:

Going to install a single Exchange server behind a Cisco router/IOS firewall. Would like to be able to use OWA (Outlook Web Access). Trying to do this as securely as possible. Do not want to put the server out on the DMZ as it belongs to the domain, and do not want to put it on the internal network with holes punched in the firewall. Can't afford another server to put out on the DMZ as an SMTP gateway or to run ISA. MS has recommended that the best way to do this is with 2 NICs installed in the Exchange server: the external connected to the DMZ and the internal connected to the internal network. Then co-locate both ISA and Exchange on the same server and create server publishing rules to allow the Exchange server to be published to the internet via the external NIC. ISA would then intercept incoming mail and connections to OWA on the external NIC, filter the traffic and forward it on to the internal NIC. I really do not want to use ISA though. Could I accomplish the same with the router/IOS firewall, or should I use ISA as an extra layer of security?

Thanks in advance,


bfl1 Thu, 10/30/2003 - 13:05

The only way to even do this somewhat securely is to use front-end server/back-end server technology. The server in the DMZ is what the users connect to; in turn, this server connects to the internal Exchange server. Why can't you put the server in the DMZ? Because it belongs to the domain? Why is this a limiting factor?

kenneth.fernandes Thu, 10/30/2003 - 14:38

MS has recommended the server NOT be put in the DMZ and be installed on the internal LAN.

bfl1 Thu, 10/30/2003 - 17:29

Agree with MS 100%. If this is an Exchange server that holds your information store, then keep it internal. The only truly secure way of doing this is to purchase the server you can't afford and make it a front-end server, put it in the DMZ, open port 443 to this server... the front-end will perform all the communications with the Exchange server running the information store. If this is not a possibility, then here are a couple of options:

1) Open port 443 to the internal Exchange server

2) Use Identity certificates for all your clients that connect.

3) Keep your server patched.

4) Inform management of risks and get their buy-off.
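
As an added example (not part of the thread or anyone's reply), here is what option 1 looks like on the Cisco router/IOS firewall from the original question: a single inbound ACL that exposes only TCP 443 (OWA) and TCP 25 (inbound SMTP) to the Exchange host, with stateful inspection for everything else. All addresses, interface names and ACL/inspect names are constructed placeholders.

```cisco
! Added example: IOS Firewall (CBAC) fragment implementing bfl1's option 1.
! Constructed addresses: 198.51.100.10 = router outside address,
! 10.0.0.25 = internal Exchange server. Names OUTSIDE_IN and FW are assumed.
!
! Inbound filter on the outside interface. It is evaluated BEFORE outside-to-inside
! NAT, so it must match the public address, not the Exchange host's private one.
! Port 80 is deliberately left closed so OWA logons cannot traverse in cleartext.
ip access-list extended OUTSIDE_IN
 permit tcp any host 198.51.100.10 eq 443
 permit tcp any host 198.51.100.10 eq 25
 deny   ip any any log
!
! Stateful inspection: return traffic for sessions the inside opens is admitted
! dynamically, so OUTSIDE_IN never needs permanent holes for it.
ip inspect name FW tcp
ip inspect name FW udp
!
interface FastEthernet0/0
 description outside
 ip address 198.51.100.10 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect FW out
 ip nat outside
!
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Port-level static NAT: only 443 and 25 of the Exchange host are mapped to the
! public address; no other port on the server is reachable from outside.
ip nat inside source static tcp 10.0.0.25 443 198.51.100.10 443 extendable
ip nat inside source static tcp 10.0.0.25 25 198.51.100.10 25 extendable
```

The `log` keyword on the final deny makes every blocked inbound attempt visible in the router syslog, which is the cheapest detection this design offers; it does not change what bfl1's points 2 to 4 still require.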

lwierenga Thu, 10/30/2003 - 22:56

I have to agree with bfl1. Don't put it in the DMZ; bad idea based on the exploits per week brought to you by MS. You should put an ISA server in the DMZ that allows connections to the internal Exchange server, and keep both patched.


Since you cannot afford another server and do not want to put the Exchange server inside the network, you can go ahead with the Exchange server in the DMZ of a PIX Firewall. An Exchange server in the DMZ can join the same Windows NT/2000 domain as your internal network without any problem.

Also, it is recommended that any server that needs to be accessed from the Internet be kept on the DMZ rather than in the inside network.

If you have already purchased the ISA Server, you can install it in Proxy mode (NOT in Firewall mode) and place it in the DMZ. Internal users will access the Internet through ISA, and you can have logs of Internet activity using ISA.


Anoop Kumar Narayanan

NICBM Kuwait

