exchange 2016 in a perimeter network?

  • Question

  • Hi,

    Soon we will transfer from Zimbra Mail to Exchange 2013. Not 2016, as we want seamless integration with our IT management system.

    We have a LAN and a DMZ (perimeter network). We want our HTTPS and all in our perimeter network in case the server gets hacked. Antispam and antivirus are not needed, as we receive mail from our secured datacenter SMTP servers.

    What is the best way to do this? Just deploy the CAS/Exchange server in the perimeter network and open ports to Active Directory? We need the AD to work properly on the mail server...

    We thought that the Transport server was used for mail delivery and running the CAS, and only the mailboxes were on the mailbox server in the LAN, but we were wrong.

    Please help me out on what to do... we do know a lot about networks etc., but we are no real diehard MS experts.

    Thursday, December 3, 2015 1:28 PM

Answers

  • It's not supported to block any traffic between Exchange Servers and between the Exchange Servers and your Domain Controllers.

    http://blogs.technet.com/b/exchange/archive/2013/02/18/exchange-firewalls-and-support-oh-my.aspx

    The only exception to that rule is an Edge Server as they are not domain joined machines.

    Thursday, December 3, 2015 2:35 PM
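The Edge Transport exception mentioned above, worked through as an added example (this is not code from the thread): the Edge role is the only Exchange component that is meant to sit in the perimeter, because it is a workgroup machine that talks to the internal organisation over EdgeSync rather than over AD. Hostnames, the AD site name and the file path are placeholders, and the port list is my assumption based on Microsoft's EdgeSync requirements.

```powershell
# Added example: deploying an Edge Transport server in the perimeter network
# and subscribing it to the internal Exchange organisation (EdgeSync).
# Assumptions: MBX01 is an internal Mailbox server, EDGE01 is the perimeter
# server, the AD site is "Default-First-Site-Name", the file path is arbitrary.
#
# Firewall rules this design needs (assumption, per EdgeSync requirements):
#   internal Mailbox servers -> EDGE01 : TCP 50636 (secure LDAP to the Edge's AD LDS)
#   internal Mailbox servers <-> EDGE01: TCP 25    (SMTP)
#   Internet -> EDGE01                 : TCP 25    (SMTP)
# No AD, RPC or HTTPS ports are opened from the perimeter into the LAN.

# --- Step 1: on EDGE01 (perimeter, NOT domain-joined) -----------------------
# Export the subscription file. It carries the credentials the internal servers
# will use against the Edge's AD LDS instance, so treat it as a secret.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# --- Step 2: copy the file to MBX01 and import it into the organisation -----
# -Site selects the AD site whose Mailbox servers will synchronise to the Edge.
# Reading the file as bytes avoids the encoding pitfalls of Get-Content.
$edgeFile = [System.IO.File]::ReadAllBytes("C:\EdgeSubscription.xml")
New-EdgeSubscription -FileData $edgeFile `
    -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true

# The file is no longer needed once imported; do not leave it lying around.
Remove-Item "C:\EdgeSubscription.xml"

# --- Step 3: force the first synchronisation and verify it ------------------
Start-EdgeSynchronization -Server "MBX01"
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc
```

Note what this does and does not give you: the Edge server handles SMTP in the perimeter, which is what the domain-joined roles cannot do there. It does not publish OWA, ActiveSync or Outlook Anywhere; those HTTPS endpoints still terminate on the internal servers, so they need a separate reverse proxy or application publishing product in the DMZ.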
  • Exchange in a perimeter network is not a supported configuration. Therefore if you want to put something in a DMZ, it will need to be an application publishing product.

    Furthermore, putting a domain member like Exchange into a DMZ does NOT protect you from being hacked. It actually reduces the security of your network because you have placed an internal system in an external network.

    I wrote this almost ten years ago, for Exchange 2003, but the same points are still valid:

    http://blog.sembee.co.uk/post/Why-you-shouldnt-put-Exchange-2003-in-a-DMZ.aspx

    While Exchange is an email server, you cannot treat it like your Zimbra. It is part of your internal network.

    Simon.


    Simon Butler, Exchange MVP

    Thursday, December 3, 2015 3:05 PM
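The "application publishing product" route from the answer above, as an added example that is not part of the original post. It uses Web Application Proxy (Windows Server 2012 R2) as one such product, with pass-through pre-authentication; the product choice, the hostnames, the certificate thumbprint and the firewall model are all assumptions on my part. The point it illustrates is the one Simon makes: the domain-joined Exchange servers stay on the LAN, and the only thing in the DMZ is a proxy that needs TCP 443 to them and nothing else.

```powershell
# Added example: publishing Exchange HTTPS endpoints from a perimeter
# Web Application Proxy host so that no domain-joined Exchange server
# has to sit in the DMZ. Assumes WAP is already installed and configured
# against AD FS, and that a public certificate for the external name is
# in the WAP host's machine store.
#
# Firewall model (assumption):
#   Internet -> WAP host      : TCP 443 only
#   WAP host -> internal CAS  : TCP 443 only
#   WAP host -> domain controllers: nothing

$externalHost = "mail.example.com"          # placeholder public namespace
$internalHost = "mail.corp.example.com"     # placeholder internal CAS namespace
$thumb = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder thumbprint

# Exchange 2013 client virtual directories to expose. Each is published as its
# own application so it can be removed individually later. /ecp is included
# because OWA's options pages depend on it; if you do not want the admin
# centre reachable from the Internet, drop it here and restrict it on the CAS.
$vdirs = @(
    "owa",
    "ecp",
    "ews",
    "Microsoft-Server-ActiveSync",
    "oab",
    "rpc",
    "Autodiscover",
    "mapi"
)

foreach ($v in $vdirs) {
    # PassThrough is used because ActiveSync, Outlook Anywhere and Autodiscover
    # clients cannot complete AD FS form-based pre-authentication.
    Add-WebApplicationProxyApplication -Name "Exchange $v" `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$externalHost/$v/" `
        -BackendServerUrl "https://$internalHost/$v/" `
        -ExternalCertificateThumbprint $thumb
}

# Review what is now published.
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, BackendServerUrl

# Sanity check from the WAP host: the backend must be reachable on 443, and a
# domain controller must NOT be reachable on LDAP or Kerberos. If either of
# the DC tests returns TcpTestSucceeded = True, the perimeter firewall is wider
# than this design intends.
Test-NetConnection -ComputerName $internalHost -Port 443
Test-NetConnection -ComputerName "dc01.corp.example.com" -Port 389
Test-NetConnection -ComputerName "dc01.corp.example.com" -Port 88
```

Run the publishing section once on the WAP host; the `Test-NetConnection` checks are worth repeating after any firewall change, since the whole benefit of this layout disappears if the DMZ host can reach AD.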
