A lot of confusion exists about placing Microsoft Exchange servers in a network demilitarized zone (DMZ). Questions range from whether you should place Exchange servers in the DMZ to how you configure such servers. This week, I discuss the reasons you might locate Exchange servers in the DMZ and some protective measures you need to take if you do.
If you make any Exchange services available over the Internet, you need to set up an Exchange server in the DMZ. For example, if your Exchange server accepts inbound SMTP mail from the Internet, you must provide an SMTP connection to your Exchange server. Also, many companies place front-end Outlook Web Access (OWA) servers in the DMZ to let users access their mailboxes over a secure HTTP connection. If your organization requires news feeds (through Network News Transfer Protocol—NNTP), you might need an NNTP presence in your DMZ. Other services that might require an Exchange service in the DMZ include Instant Messaging (IM) services, conferencing services, and custom applications.
When you need to locate an Exchange server in the DMZ, you have several options for protecting the server. If you have a firewall in place, you might be able to locate the firewall proxy connections to your Exchange server inside the firewall so that the server isn't directly exposed to the Internet. This approach is common for services such as SMTP. When you don't have a proxy firewall, you need to set up some ACLs on the router that handles traffic to and from the Internet. Typically, the configuration on your Internet perimeter will have multiple zones that lead to a multitiered architecture. In such cases, you must limit inbound traffic to your Exchange servers to the specific services you want the servers to accept (e.g., SMTP, HTTP). Likewise, you must let only specified services travel to the Internet from your Exchange servers.
If you use standard management tools to administer and manage Exchange servers in the DMZ, you might need to implement special configurations. For example, when you locate OWA servers in the DMZ, you need to open TCP ports 80 (HTTP), 443 (Single Sockets Layer—SSL—port for HTTP), 389 (Lightweight Directory Access Protocol—LDAP), and 3268 (Global Catalog—GC) because OWA uses these ports to serve clients. However, to manage the OWA server from inside the firewall, you also need to open certain remote procedure call (RPC) ports. Management tools such as Exchange System Manager (ESM) won't work unless you configure these ports and services to pass through the firewall.
Planning the connection and deployment of Exchange services in the DMZ can seem daunting. A good place to start is your Exchange Server documentation. Also, read the following Microsoft articles for more details about configuring Exchange services with firewalls.