Subject: RE: [ActiveDir] Results of blocking outbound traffic for DC in the DMZ
Author: czcdct

09/24/2008 2:44 PM  
So you're worried that someone is going to climb through your firewall on 25/443 and hit your Exchange server and then wade on into your GCs?

One, well, OK, technically two words: ISA 2006. ISA can do some inspection to make sure that what's coming through actually looks like OWA/RPC-over-HTTPS/ActiveSync traffic rather than anything else shady-looking.

________________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan [Ramon.Linan@gst.com]
Sent: Wednesday, September 24, 2008 10:11 AM
To: Active Directory Mailing List
Subject: RE: [ActiveDir] Results of blocking outbound traffic for DC in the DMZ

So, I am sorry, I said the DMZ, but what I meant is that the MS Exchange server is going to sit on a VLAN with an internal IP address and be NATed. Still, if someone compromises MS Exchange through any of the holes in the firewall that I have to make for MS Exchange, it will have access to a DC, since MS Exchange is required to be in contact with a DC and GC.

What is the best practice?

Thanks

Ramon

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael B. Smith
Sent: Wednesday, September 24, 2008 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of blocking outbound traffic for DC in the DMZ

Best practice says to not put Exchange into a DMZ (with the sole exception of an Edge Transport server in Exchange 2007).

So...I guess my first question would be: why do you want to do this?

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan
Sent: Wednesday, September 24, 2008 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Results of blocking outbound traffic for DC in the DMZ

Hi,

I want to place an Exchange 2003 server in the DMZ. I don't want any traffic going from the DMZ to the internal network, or at least no traffic that originates in the DMZ.

Since Exchange 2003 does not support ADAM, I was thinking of placing a DC in the DMZ but not letting this DC start the replication; the only traffic allowed will be traffic that starts from the internal network to the DMZ. I am basically trying to force an RODC.

Can anyone anticipate problems with this idea?

Thanks in advance

Ramon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
