DNS/AD access from DMZ

By mwoods269
Hello all,

I just inherited a nightmare....I mean network that I have some questions about.

The first is in regards to an Exchange server in the DMZ. Our network is using private addressing for internal, and all DMZ resources have public IP addresses. The Exchange server's primary DNS points to an internal private IP/DNS server and its secondary points to a DMZ DNS server with a public IP address.

My question is regarding best practice and possible security issues with this configuration. I have quite a few more questions to come.



All Answers


It's not a simple question

by Brenton Keegan In reply to DNS/AD access from DMZ

and thus the answer is not simple.

There are books and books on network security.
I'll give you a little bit to get you started.

The whole point of a DMZ is to have a defensive layer between the outside and your internal network, so having an Exchange server in the DMZ (which I assume is acting as an SMTP server) that is also connected to the inside acting as an Exchange server completely defeats the purpose of having a DMZ in the first place. What is commonly done is you have a separate SMTP server in the DMZ that sends stuff inside to the Exchange server. You'll want a tight ACL regarding the communication between the DMZ and the internal network (again, without this there is not much point). Having a public-facing Exchange server leaves you extremely vulnerable, and if this Exchange server is compromised they are on the inside... not a good situation. However, if you have a public-facing SMTP server that gets compromised, they still have a way to go before they are on the inside where all your data lives.
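As an added example (not from the thread or any of its posters) of the "tight ACL" between the DMZ and the inside that the reply above describes, here is a small Python policy check: an explicit allow-list for the only flows the SMTP-relay design needs (the DMZ relay to the internal Exchange server on 25, and the reverse for outbound mail), default deny for everything else crossing the boundary, run over a few constructed flow records. All addresses, hosts and the relay/Exchange roles are assumptions for illustration; the thread only says the DMZ uses public addresses and the inside uses private ones.

```python
import ipaddress

# Assumed addressing for the illustration (not from the thread): the thread only
# says the DMZ is publicly addressed and the inside is privately addressed.
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")       # assumed DMZ (public, documentation range)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed internal (private)
DMZ_RELAY = ipaddress.ip_address("203.0.113.25")        # assumed DMZ SMTP relay
INTERNAL_EXCHANGE = ipaddress.ip_address("10.1.1.25")   # assumed internal Exchange server

# Each rule: (source, destination, protocol, destination port). A source or
# destination may be a single host or a network. Any flow crossing the
# DMZ/internal boundary that matches no rule is denied: that is the whole ACL.
# Note what is deliberately absent: no LDAP/Kerberos/SMB/DNS from the DMZ to
# the inside. DMZ hosts should resolve names against a resolver in the DMZ.
ALLOW = [
    (DMZ_RELAY, INTERNAL_EXCHANGE, "tcp", 25),   # inbound mail: relay hands off to Exchange
    (INTERNAL_EXCHANGE, DMZ_RELAY, "tcp", 25),   # outbound mail: Exchange sends via the relay
]


def _matches(addr, spec):
    """True when addr equals a host spec or falls inside a network spec."""
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in spec
    return addr == spec


def zone(addr):
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "external"


def evaluate(src, dst, proto, port):
    """Return 'allow', 'deny' or 'not-boundary' for a single flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if {zone(src), zone(dst)} != {"dmz", "internal"}:
        return "not-boundary"   # perimeter or intra-zone traffic: a different ruleset's job
    for r_src, r_dst, r_proto, r_port in ALLOW:
        if _matches(src, r_src) and _matches(dst, r_dst) and proto == r_proto and port == r_port:
            return "allow"
    return "deny"


# Constructed flow records (not real captures) in "src dst proto dport" form: the
# kind of traffic a domain-joined Exchange box sitting in the DMZ generates
# towards an internal domain controller (assumed at 10.1.1.10).
SAMPLE_FLOWS = """\
203.0.113.25 10.1.1.25 tcp 25
10.1.1.25 203.0.113.25 tcp 25
203.0.113.40 10.1.1.10 tcp 389
203.0.113.40 10.1.1.10 tcp 88
203.0.113.40 10.1.1.10 udp 53
203.0.113.40 10.1.1.10 tcp 445
198.51.100.7 203.0.113.25 tcp 25
"""


def audit(flow_text):
    """Return the (src, dst, proto, port) flows the boundary ACL would deny."""
    denied = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        if evaluate(src, dst, proto, int(port)) == "deny":
            denied.append((src, dst, proto, int(port)))
    return denied


if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DENY %s -> %s %s/%d" % flow)
```

The four flagged flows (LDAP, Kerberos, DNS, SMB from the DMZ host to a DC) are exactly what a domain-joined Exchange server in the DMZ needs in order to function, and exactly what the relay design never has to open. The DNS line is the configuration from the first post: a DMZ host resolving against an internal DNS server.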


Exchange server use

by mwoods269 In reply to It's not a simple question

Thanks for your reply. I understand the security behind having a DMZ, and in the past we always had our Exchange server internal. Here it is in the DMZ and is only serving our internal users, no DMZ use at all.

I am thinking of giving it an internal address and bringing it inside. The only issue with that would be that there is nothing to perform NAT.


Wow, that was a hack waiting to happen

by robo_dev In reply to Exchange server use

It is possible to deploy Exchange securely in a SAZ, but you have to be careful about ACLs and you must also enable encrypted LDAP. But just taking it out of the SAZ is a better option.

Huh?

by mwoods269 In reply to Wow, that was a hack waiting to happen

What is a SAZ and what was a hack waiting to happen?



by robo_dev In reply to Huh?

A SAZ (Secure Access Zone) is another name for DMZ.

Putting a Windows box in a DMZ, unless it's really well hardened, is a big risk.

LDAP, by default, is not encrypted, and therefore a not-so-well-hardened Windows server in the SAZ (sorry, DMZ) puts a big hole in your network defenses. Similarly, the DNS configuration you mention could result in some other issues, depending on the version/patch level of everything.
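To make the LDAP point in the reply above concrete, an added example (mine, not robo_dev's, and not anything posted in the thread): a cleartext LDAPv3 simple bind is built by hand so the password can be seen sitting in the bytes that would cross the DMZ/internal boundary, and the server's BindResponse is parsed to tell whether the DC processed the bind or refused it because signing/TLS is required. The DN, password, host and the sample response bytes are constructed for the illustration; the result-code handling follows my understanding that a domain controller configured to require LDAP signing answers an unsigned, non-TLS simple bind with resultCode 8 (strongerAuthRequired).

```python
import socket

# --- minimal BER (ASN.1) helpers, just enough for an LDAPv3 bind exchange ---

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """Encode one TLV."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_decode(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def build_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    The password is an OCTET STRING copied into the packet as-is: on port 389
    without StartTLS it is readable by anything between the DMZ and the DC.
    """
    bind = ber(0x60,                               # [APPLICATION 0] BindRequest
               ber(0x02, b"\x03")                  # version 3
               + ber(0x04, dn.encode())            # name (LDAPDN)
               + ber(0x80, password.encode()))     # authentication: simple [0]
    return ber(0x30, ber(0x02, bytes([message_id])) + bind)


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = ber_decode(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, off = ber_decode(msg)                    # messageID
    op_tag, op, _ = ber_decode(msg, off)
    if op_tag != 0x61:                             # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, off = ber_decode(op)                  # resultCode ENUMERATED
    _, _, off = ber_decode(op, off)                # matchedDN
    _, diag, _ = ber_decode(op, off)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


RESULT_CODES = {0: "success", 8: "strongerAuthRequired",
                13: "confidentialityRequired", 49: "invalidCredentials"}


def assess(result_code):
    """Classify what a cleartext simple bind attempt tells you about the server."""
    if result_code in (8, 13):
        return "rejected: server requires signing or TLS before a simple bind"
    if result_code in (0, 49):
        # Even invalidCredentials means the server *processed* the cleartext bind:
        # the password already went over the wire unprotected.
        return "processed: the cleartext password reached the server (and any sniffer on the path)"
    return "unexpected result code %d (%s)" % (result_code, RESULT_CODES.get(result_code, "?"))


def probe(host, port=389, dn="CN=probe,DC=example,DC=test",
          password="throwaway-not-a-real-secret", timeout=5):
    """Live check (network call): send one cleartext simple bind and classify the answer.

    Use a throwaway account: this request is deliberately unprotected.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_simple_bind(1, dn, password))
        code, _diag = parse_bind_response(s.recv(4096))
    return code, assess(code)


# Constructed BindResponses (not captured from a real server):
#  - resultCode 8, as a DC that requires LDAP signing answers an unsigned cleartext bind
#  - resultCode 0, as a DC that accepted the cleartext bind
SAMPLE_REJECTED = ber(0x30, ber(0x02, b"\x01") + ber(0x61,
    ber(0x0A, b"\x08") + ber(0x04, b"") + ber(0x04, b"constructed: integrity checking required")))
SAMPLE_ACCEPTED = ber(0x30, ber(0x02, b"\x01") + ber(0x61,
    ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b"")))


if __name__ == "__main__":
    req = build_simple_bind(1, "CN=svc,DC=corp,DC=local", "Summer2024!")  # constructed creds
    print("password visible in request bytes:", b"Summer2024!" in req)
    for sample in (SAMPLE_REJECTED, SAMPLE_ACCEPTED):
        code, diag = parse_bind_response(sample)
        print(code, RESULT_CODES.get(code), "->", assess(code), diag)
```

probe() is the only part that touches the network; run it against a DC from the DMZ host with a throwaway account, since the request it sends is readable by anyone on the path. A "processed" verdict means the DMZ box can authenticate to the inside in the clear, which is the hole the reply describes; moving to LDAPS (636) or StartTLS, and requiring signing on the DCs, is what "encrypted LDAP" in the earlier reply amounts to.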
