Internet facing Exchange 2010?
#1
Scooby Regular
Thread Starter
Hi All,
Just had the joyous task of migrating from Exchange 2003 (on 2000 server) > 2010 (on 2008R2).
Back in the day when I last looked at this, it wasn't sensible to have a Windows box facing the web.
We got round this by using a pop3 connector.
Now, I'm thinking of having the mail redirected through our firewall to the server directly. Is this a smart idea?
Additionally, I'm thinking about setting up OWA so that it is accessible to our users. Is this a smart move security-wise?
We don't have the resources to have another front end server to handle the mail redirects - so additional machines are not an option.
Thanks in advance
J
#2
Scooby Regular
Most people will have SMTP traffic coming from the internet directly to their Exchange server. Ensure you are only allowing SMTP traffic in!
IMHO this is OK, but ideally I would relay the traffic via some sort of scanning solution, whether it's an SMTP relay internally to scan for viruses, spam, etc., or via a third-party hosted solution such as Websense, MessageLabs, etc.
I understand if you don't have the budget for this type of solution, but think of the admin headache and budgeting for a larger Exchange server, just to cope with the spam!
Again, I know plenty of companies who open up OWA, some without an SSL certificate! Personally, to secure the OWA traffic, I would look at one of two solutions. One is an ISA/TMG server with an SSL certificate to reverse proxy the connection into your network. That way the connection from the internet is held on the ISA/TMG server, and the server then connects with the Exchange server, preventing a direct connection from the internet to your Exchange server.
The other way is to use an SSL VPN solution, where again you reverse proxy the communication and also allow other applications to be securely delivered to your users, such as intranet, SharePoint, file access, etc.
Forgot to mention, I'm by no means an Exchange expert, but I work with network security solutions at a distribution level, so I speak to a fair number of resellers regarding their customers' setups!
Last edited by Andy Tang; 10 August 2010 at 02:14 PM.
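Added example, not part of the thread: a small Python audit of a perimeter firewall's inbound port-forwards against the advice in post #2 (only SMTP straight to Exchange, OWA only over SSL and only via a reverse proxy or VPN). The `Forward` record, the function name and the 10.0.0.x addresses are assumptions made up for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One inbound port-forward (NAT) rule on the perimeter firewall."""
    ext_port: int      # port open to the internet
    proto: str         # "tcp" or "udp"
    dest: str          # internal host receiving the traffic
    dest_port: int

def audit_forwards(rules, exchange, proxies=frozenset()):
    """Return (rule, finding) pairs for forwards that break the thread's advice.

    exchange: internal address of the Exchange server (assumed value).
    proxies:  hosts that terminate HTTPS in front of Exchange
              (reverse proxy or SSL VPN gateway).
    """
    findings = []
    for r in rules:
        if r.dest == exchange:
            if (r.proto, r.dest_port) == ("tcp", 25):
                continue  # inbound SMTP straight to Exchange: the accepted case
            if r.dest_port == 80:
                findings.append((r, "OWA over plain HTTP, no SSL certificate"))
            elif r.dest_port == 443:
                findings.append((r, "OWA direct to Exchange; publish via reverse proxy or VPN"))
            else:
                findings.append((r, "non-SMTP port forwarded to Exchange"))
        elif r.dest in proxies and r.dest_port != 443:
            findings.append((r, "proxy should accept HTTPS (443) only"))
    return findings

# Constructed sample rule set (addresses are illustrative, not from the thread).
SAMPLE = [
    Forward(25, "tcp", "10.0.0.10", 25),      # SMTP to Exchange
    Forward(80, "tcp", "10.0.0.10", 80),      # OWA without SSL
    Forward(443, "tcp", "10.0.0.10", 443),    # OWA straight to Exchange
    Forward(3389, "tcp", "10.0.0.10", 3389),  # remote desktop left open
    Forward(443, "tcp", "10.0.0.20", 443),    # HTTPS to the reverse proxy
]

if __name__ == "__main__":
    for rule, why in audit_forwards(SAMPLE, "10.0.0.10", {"10.0.0.20"}):
        print(f"{rule.proto}/{rule.ext_port} -> {rule.dest}:{rule.dest_port}: {why}")
```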
#3
Scooby Regular
Thread Starter
Cheers Andy.
My gosh the hosted services aren't cheap.
For our use - works out to be over a grand per annum.
I've got the pop3 connector working in the meantime.
I'll persuade people to do OWA over VPN - got to be the best way in terms of cost (and my skill level!).
Last edited by BlkKnight; 11 August 2010 at 04:08 PM.
#4
Scooby Regular
I know Websense is £14 per seat per year, but also that is software, hardware and support you don't need to provide to the solution! I'm sure a deal could be had if it were end of month/quarter!