On 2004-11-05 14:49:02 -0500, "Houdini"
<(E-Mail Removed)> said:
> Greetings,
>
> I'm going to be moving to Exchange 2003 and will be implementing a
> front-end server that hosts our OWA site and will route SMTP traffic.
> With this change I'll have to host the front-end server on our DMZ
> segment. What I'm looking to do is enable IPSEC between the Exchange
> front-end server, the back-end server and the domain controller which
> will also have DNS on it.
> I would prefer to do it this way so that only IPSEC ports must be
> opened on the PIX firewall. I'm just wondering what the specifics are
> to configuring this on Windows 2003 and if it's even feasible???
If I'm not mistaken, using IPSec in transport mode means that you still
have to open the application-specific TCP ports, but that the TCP
payloads are IPSec-encrypted. (I'll be the first to admit that I could
very well be mistaken.) This means you'll still have to open all the
various TCP/UDP ports (25, 80, 88, 110, 143, 389, 443, 3268, etc.)
between the front-end server in the DMZ and the Exchange back-end
server and Active Directory DCs. However, even though the ports will
need to be open, the hosts will require IPSec encryption for that
traffic.
Note that you'll need to disable NAT (or perform static network NAT)
between the DMZ and the private network to avoid interfering with IPSec.
As for the IPSec, there are a variety of resources on the Web,
including many from Microsoft, that describe the specifics of the IPSec
policies that you would need to secure your front-end/back-end/DC
traffic.
HTH.
--
Scott Lowe
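Added example (not part of the thread above, and not Microsoft's published policy): a netsh script, run from cmd.exe on the Windows Server 2003 front-end in the DMZ, that builds the kind of transport-mode policy Scott describes. It requires ESP for the ports listed in his reply (plus DNS, since the DC also hosts DNS) towards the back-end server and the DC, and refuses to fall back to cleartext. The addresses, policy and filter-list names, and the CA name are placeholders I made up for the example; substitute your own.

```batch
@echo off
rem Added example for the thread above, not Microsoft's reference policy.
rem Run on the Exchange 2003 front-end (Windows Server 2003, cmd.exe).
rem Assumed placeholders: peer addresses, policy/filter-list names, CA DN.
setlocal
set BE=10.0.0.20
set DC=10.0.0.5
set POLICY=FE Require IPsec
set CA=C=US,O=Contoso,CN=Contoso Root CA

rem 1. Policy container. mmsecmethods is the IKE main-mode proposal
rem    (ConfAlg-HashAlg-DHGroup); one policy per machine can be assigned.
netsh ipsec static add policy name="%POLICY%" description="Require ESP from the DMZ front-end to the back-end and DC" mmsecmethods="3DES-SHA1-2"

rem 2. Filter lists, one per peer. mirrored=yes also matches the replies.
rem    Front-end to back-end: SMTP, HTTP, POP3, IMAP4, HTTPS.
netsh ipsec static add filterlist name="FE to BE"
for %%p in (25 80 110 143 443) do (
  netsh ipsec static add filter filterlist="FE to BE" srcaddr=me dstaddr=%BE% protocol=TCP srcport=0 dstport=%%p mirrored=yes
)
rem    Front-end to DC/DNS: Kerberos, LDAP, global catalog (TCP) and
rem    DNS, Kerberos, LDAP (UDP).
netsh ipsec static add filterlist name="FE to DC"
for %%p in (88 389 3268) do (
  netsh ipsec static add filter filterlist="FE to DC" srcaddr=me dstaddr=%DC% protocol=TCP srcport=0 dstport=%%p mirrored=yes
)
for %%p in (53 88 389) do (
  netsh ipsec static add filter filterlist="FE to DC" srcaddr=me dstaddr=%DC% protocol=UDP srcport=0 dstport=%%p mirrored=yes
)

rem 3. Filter action: negotiate ESP (encryption + integrity).
rem    inpass=no rejects unsecured inbound packets that match a filter;
rem    soft=no refuses to fall back to cleartext if IKE fails. Without
rem    both, "require" silently degrades to "prefer".
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rules. Certificate authentication rather than Kerberos: Kerberos
rem    to the DC is itself traffic this policy protects, so Kerberos
rem    IKE authentication for the DC rule would be circular.
netsh ipsec static add rule name="FE-BE" policy="%POLICY%" filterlist="FE to BE" filteraction="Require ESP" kerberos=no rootca="%CA%"
netsh ipsec static add rule name="FE-DC" policy="%POLICY%" filterlist="FE to DC" filteraction="Require ESP" kerberos=no rootca="%CA%"

rem 5. Assign the policy (this is what actually puts it in force).
netsh ipsec static set policy name="%POLICY%" assign=y

rem 6. Check: policy detail, then the quick-mode SAs once traffic flows.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show qmsa
endlocal
```

The back-end server and the DC need a mirror of this policy (same filter action, filters pointing at the front-end, same CA) or IKE will never complete and, with soft=no, the front-end will simply drop the traffic. Each machine needs a computer certificate chaining to the named CA. Between the DMZ and the inside, the PIX must pass IKE (UDP 500) and ESP (IP protocol 50) between the two hosts; if either side were behind NAT that is not a static one-to-one mapping, ESP transport mode would break, which is the point Scott makes about NAT.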