Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
Exchange
2000.active.directory
2000.admin
2000.announcements
2000.app.conversion
2000.applications
2000.clients
2000.clustering
2000.connectivity
2000.development
2000.documentation
2000.general
2000.information.store
2000.interop
2000.kms
2000.misc
2000.protocols
2000.realtime.collabo.
2000.setup
2000.transport
2000.win2000
admin
application.conversion
applications
clients
clustering
connectivity
design
development
misc
mobility
setup
tools
  
 
date: Thu, 6 Mar 2008 18:49:30 -0800,    group: microsoft.public.exchange.design        back       


Securing Exchange Server    
Hello,

We are a small company and we are looking to implement Exchange as our main 
messaging system.

I wanted to ask for your suggestions as to the best method of securing the 
Exchange. We have a Watchguard firewall with an embeded DMZ. Is the 
front-end server the only way to go? Are there any appliances that do the 
job of a front-end server, without the risk of it being hacked or brought 
down?

I'm a little weary of opening the firewall ports from past experience. I had 
previously forwarded ports to FTP and VPN servers, and they always got 
hacked or had rootkits dropped in. I cannot take that chance with the 
Exchange.

Thank you for your input.
date: Thu, 6 Mar 2008 18:49:30 -0800   author:   Tom Bombadil

Re: Securing Exchange Server    
I would put your Exchange Server behind your Firewall unless its an Exchange 
2007 Edge Server.  No need for FE Server in your setup unless there is 
something you have not mentioned in this setup.  Port forward SMTP and HTTPS 
to your Exchange Server.

-- 
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2008
Microsoft Certified Partner


"Tom Bombadil"  wrote in message 
news:BB720DF5-A07E-4C90-B41A-DA8EF5AFACF2@microsoft.com...
> Hello,
>
> We are a small company and we are looking to implement Exchange as our 
> main messaging system.
>
> I wanted to ask for your suggestions as to the best method of securing the 
> Exchange. We have a Watchguard firewall with an embeded DMZ. Is the 
> front-end server the only way to go? Are there any appliances that do the 
> job of a front-end server, without the risk of it being hacked or brought 
> down?
>
> I'm a little weary of opening the firewall ports from past experience. I 
> had previously forwarded ports to FTP and VPN servers, and they always got 
> hacked or had rootkits dropped in. I cannot take that chance with the 
> Exchange.
>
> Thank you for your input.
date: Fri, 7 Mar 2008 01:46:11 -0500   author:   John Oliver, Jr. [MVP]

Re: Securing Exchange Server    
Hi John,

The only things I would add is that the server is a DC and it has a few 
other applications running on it. Also, I have done port forwarding in the 
past to FTP and VPN servers, and I always had rootkits and hacks dropped in 
them. I had to rebuild the VPN server a couple of times until we totally 
took it offline and boufght a Watchguard with VPN functionality.

Are you saying forwarding SMTP and HTTPS ports has been entirely safe in 
your professional experience? Am I just being paranoid about this? I can't 
help but feel very nervous about the idea of losing one of our 2 servers.

Thanks for your input.



"John Oliver, Jr. [MVP]"  wrote in message 
news:e3iDv7BgIHA.3352@TK2MSFTNGP04.phx.gbl...
>I would put your Exchange Server behind your Firewall unless its an 
>Exchange 2007 Edge Server.  No need for FE Server in your setup unless 
>there is something you have not mentioned in this setup.  Port forward SMTP 
>and HTTPS to your Exchange Server.
>
> -- 
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2008
> Microsoft Certified Partner
>
>
> "Tom Bombadil"  wrote in message 
> news:BB720DF5-A07E-4C90-B41A-DA8EF5AFACF2@microsoft.com...
>> Hello,
>>
>> We are a small company and we are looking to implement Exchange as our 
>> main messaging system.
>>
>> I wanted to ask for your suggestions as to the best method of securing 
>> the Exchange. We have a Watchguard firewall with an embeded DMZ. Is the 
>> front-end server the only way to go? Are there any appliances that do the 
>> job of a front-end server, without the risk of it being hacked or brought 
>> down?
>>
>> I'm a little weary of opening the firewall ports from past experience. I 
>> had previously forwarded ports to FTP and VPN servers, and they always 
>> got hacked or had rootkits dropped in. I cannot take that chance with the 
>> Exchange.
>>
>> Thank you for your input.
>
>
date: Fri, 7 Mar 2008 09:15:03 -0800   author:   Tom Bombadil

Re: Securing Exchange Server    
In article ,
 "Tom Bombadil"  wrote:

> Hi John,
> 
> The only things I would add is that the server is a DC and it has a few 
> other applications running on it. Also, I have done port forwarding in the 
> past to FTP and VPN servers, and I always had rootkits and hacks dropped in 
> them. I had to rebuild the VPN server a couple of times until we totally 
> took it offline and boufght a Watchguard with VPN functionality.
> 
> Are you saying forwarding SMTP and HTTPS ports has been entirely safe in 
> your professional experience? Am I just being paranoid about this? I can't 
> help but feel very nervous about the idea of losing one of our 2 servers.
> 
> Thanks for your input.

Tom, I'm coming late to this discussion, but I would consider port 
forwarding of TCP 25 and TCP 443 to be very safe, and I would recommend 
it without hesitation.

Cheers,
-Paul
date: Tue, 11 Mar 2008 15:10:46 -0400   author:   Paul Robichaux [MVP-Exchange]

Re: Securing Exchange Server    
Port forward SMTP and HTTPS.  If you want, you can send the SMTP through the 
proxy on watchguard.  I find going through a secure proxy or daemon a mixed 
bag though.  For certain versions of PIX, mailguard can do funny things.  A 
quirk specific to watchguard; if inbound email addresses have an apostrophe 
in them, you have to edit the incoming SMTP policy to allow them.


"Tom Bombadil"  wrote in message 
news:BB720DF5-A07E-4C90-B41A-DA8EF5AFACF2@microsoft.com...
> Hello,
>
> We are a small company and we are looking to implement Exchange as our 
> main messaging system.
>
> I wanted to ask for your suggestions as to the best method of securing the 
> Exchange. We have a Watchguard firewall with an embeded DMZ. Is the 
> front-end server the only way to go? Are there any appliances that do the 
> job of a front-end server, without the risk of it being hacked or brought 
> down?
>
> I'm a little weary of opening the firewall ports from past experience. I 
> had previously forwarded ports to FTP and VPN servers, and they always got 
> hacked or had rootkits dropped in. I cannot take that chance with the 
> Exchange.
>
> Thank you for your input.
date: Tue, 11 Mar 2008 12:34:46 -0700   author:   John Fullbright fjohn@donotspamnetappdotcom

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us