Firewall Wizards mailing list archives

RE: Exchange Questions


From: Russ <Russ.Cooper () rc on ca>
Date: Thu, 13 May 1999 14:27:12 -0400

Rex wrote;
If I was setting up a DMZ, using Firewall-1, what advantage would
there be if I put my Exchange server & Email connector out on the
DMZ?

Why do you want it in your DMZ in the first place? Are you trying to do
DirSyncs with other offices across the 'net? Do you want to allow
clients to use RPC connections to it from across the 'net?

Given Exchange Server's lack of exploitable SMTP services (other than
relaying which can be controlled), it would make more sense to me to put
your Exchange Server behind your FW-1 box and avoid having to secure all
those other NT thingies that you'd end up leaving dangling in your DMZ.

The only time you run into problems with NT boxen and Firewalls, things
that might encourage you/force you to put it in your DMZ, typically is
when you need to do NetBIOS crappola across the open wilds of the
Internet. Since this, very much, is a thing you want to avoid like the
plague, I'd focus more on that than anything else.

Using SecuRemote and FW-1<->FW-1 VPNs should avoid any NetBIOS left
lingering in the wind if you need to do it, and Exchange Server RPC
stuff can be mandated to specific ports if VPNs are out.

Cheers,
Russ - NTBugtraq Editor


