EX5.5 behind FW and Proxy Server on DMZ

By wleodbd

Is there a way that I can establish communication between my Exchange server behind the FW and a proxy server on the DMZ, so that emails hit the proxy server first before they get into the Exchange email server behind the FW?

Here is the situation that I have encountered:

I don't have a problem making the EX5.5 work if I map one-to-one through the FW (suppose EX5.5 has a private IP address which maps to a public IP address). However, this is insecure, isn't it? I would like to put a proxy server on the auxiliary port of the FW. (As you know, the Velociraptor has 4 ports: one for the outside, one for the inside, and the other two are optional ones.)

If I put EX5.5 (192.168.1.16) behind the FW on the 192.168.1.0 network, and the proxy server (192.168.3.2) on the extra Ethernet port on the 192.168.3.0 network, how do I enable communication between the EX5.5 server and the proxy server?

I want all the email traffic from the outside to hit the proxy server first. (By the way, the proxy server has 2 Ethernet cards: one for the internet with a public IP address 65.200.192.55, the other card connects directly to the extra port of the FW (192.168.3.1) with the IP address 192.168.3.2.) From the proxy server, I can control POP3 or SMTP and allow it to get through to the EX5.5 email server.

As of right now, I can't ping the proxy server from the EX5.5 server even though I did set up the rule for these two servers. My purpose in setting this up is that I want the EX5.5 to be secured. Emails should hit the proxy server on the DMZ first before they get into the EX5.5 server. I do have problems (rules, redirects, etc.) which I don't understand yet. How do I make the two see each other with certain protocols such as POP3, SMTP, etc.?

Can you please give me some help?

EX5.5 behind FW and Proxy Server on DMZ

by mebudman In reply to EX5.5 behind FW and Proxy ...

The general rule with firewalls is never have a direct 'hole' from the external network into your internal network. Make any port that must enter your internal network enter from a DMZ area. The DMZ is a secure area outside your internal network, but not on the external network. There is no magic in having a proxy server in the DMZ.
That being said:

Set up an Exchange server in the DMZ that only handles inbound SMTP. It does not need to have any mailboxes other than the one administrative mailbox. The DMZ should hold one NT domain that is not associated with your internal domain, other than that the Exchange service account you create needs to have the same name and password. Create the DMZ Exchange server so it is in the same Organization; then you would need to open the port for a site connector (this is configurable for you) from your DMZ mail server to your internal mail server. SMTP inbound stops at your DMZ server, and any emails are transferred inside over the site connector. Configure your internal email server to send SMTP out directly. I have designed three of these setups before and it works very well. You only have 1 port open inbound to the DMZ from the outside, (1-3) ports open from the DMZ server to the inside server, and 1 port outbound from the internal mail server. No rules to remember, no trying to get proxy services to work properly. Let your firewall manage all the hard stuff.
Email me if you want the full details, but the outline above should get you started on a more robust, easier-to-manage solution.
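The three-zone design in the reply above, written out as an explicit default-deny allow-list so it can be audited. This is an added example, not code from the thread or from any firewall product; the zone names, the site-connector port numbers and the sample flows are assumptions made for the example.

```python
# Added example (not from the thread): models the three-zone mail design
# from the reply above as an explicit allow-list and checks candidate flows.
# Zone names, site-connector ports and sample flows are assumptions.
from dataclasses import dataclass

EXTERNAL, DMZ, INTERNAL = "external", "dmz", "internal"
SMTP, POP3 = 25, 110
# Hypothetical ports the Exchange site connector is configured to use;
# the reply only says this is configurable and needs 1-3 ports.
SITE_CONNECTOR_PORTS = (135, 1100, 1101)

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: tuple  # TCP destination ports this rule allows

# The allow-list as described: 1 port inbound to the DMZ, 1-3 ports from
# the DMZ relay to the inside server, 1 port outbound from the inside server.
MAIL_POLICY = (
    Rule(EXTERNAL, DMZ, (SMTP,)),
    Rule(DMZ, INTERNAL, SITE_CONNECTOR_PORTS),
    Rule(INTERNAL, EXTERNAL, (SMTP,)),
)

def is_allowed(policy, src, dst, port):
    """Default deny: a flow passes only if a rule matches zone pair and port."""
    return any(r.src == src and r.dst == dst and port in r.ports for r in policy)

def direct_holes(policy):
    """Rules letting the external network reach the internal one directly,
    the 'hole' the reply says a firewall design must never have."""
    return [r for r in policy if r.src == EXTERNAL and r.dst == INTERNAL]

def audit(policy, flows):
    """Evaluate constructed (src, dst, port) flows against the policy."""
    return {f: is_allowed(policy, *f) for f in flows}

if __name__ == "__main__":
    # Constructed sample flows: inbound mail, relay hop, outbound mail, and
    # the two things the design is meant to block (direct inbound SMTP/POP3).
    sample = [(EXTERNAL, DMZ, SMTP), (DMZ, INTERNAL, SITE_CONNECTOR_PORTS[0]),
              (INTERNAL, EXTERNAL, SMTP), (EXTERNAL, INTERNAL, SMTP),
              (EXTERNAL, INTERNAL, POP3)]
    for flow, ok in audit(MAIL_POLICY, sample).items():
        print(f"{flow}: {'allow' if ok else 'deny'}")
    # The questioner's one-to-one mapping amounts to adding a direct rule:
    mapped = MAIL_POLICY + (Rule(EXTERNAL, INTERNAL, (SMTP, POP3)),)
    print("direct holes in mapped design:", direct_holes(mapped))
```

Running it prints allow for the three legitimate hops and deny for the two direct external-to-internal flows, and flags the one-to-one mapping as a direct hole.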

EX5.5 behind FW and Proxy Server on DMZ

by wleodbd In reply to EX5.5 behind FW and Proxy ...

Thanks for all your help, Jeff.

EX5.5 behind FW and Proxy Server on DMZ

by wleodbd In reply to EX5.5 behind FW and Proxy ...

This question was closed by the author.