Firewall Wizards mailing list archives

Re: DMZ design - Exchange, SQL, & DCOM


From: "Michael Borkin" <borkin () netquest com>
Date: Sun, 6 Feb 2000 10:07:52 -0500


Mikael,

Thanks for the great response; it was extremely helpful and I appreciate
your taking the time to post it.  To answer your question first, I have been
doing some research into DCOM (on Microsoft's site) but it really hasn't
clicked in my head yet.  I will probably post something to explain it in
more depth once I can figure it out well enough to explain it.  However, I
do not think it will even be a problem if the SQL server is in the same DMZ
as the webserver.  My concern was based on a programmer telling me that DCOM
(Distributed Component Object Model) uses dynamic port allocation to
communicate between machines.  Since I was thinking that it would have to go
through the firewall, rather than just work within the DMZ, I thought it
would be an issue.

    <snip>
        I'd recommend placing a mail forwarder with content screening
        capabilities in a SEPARATE DMZ, and the Exchange server on
        the internal network.
    </snip>

I have to ask a stupid question of you though (I just can't help it... it's
part of my nature), why do you recommend a separate DMZ just for mail
forwarding?  Is it just an extra added layer of protection so that you can
packet filter specifically for SMTP and HTTP on each DMZ or is there some
more critical reason that I don't realize?

Thanks again,

Mike
