On Fri, 12 Jan 2007 16:02:10 -0700, "gs" <(E-Mail Removed)> wrote:
>thank you very much, Mark!
>
>As for the answer to question 2,
> Should the web server and FTP server be physically different from the Exchange
>server box?
Ideally, yes.
> If so, is a VM good enough to handle the small number of users?
> I suspect fewer than 10 email users total, likely only 4 at any given time,
> fewer than 5 FTP users, likely only 2 simultaneous users, and likely off hours.
>
VM would probably be ok, but it's all down to your traffic.
>3. so external HTTPS traffic should also be firewalled, right?
Everything should be behind a firewall and you will allow TCP 443
through to the Exchange server.
>
>
>
>"Mark Arnold [MVP]" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>> On Fri, 12 Jan 2007 10:49:55 -0700, "gs" <(E-Mail Removed)> wrote:
>>
>>>I have some questions on providing webmail access to an internal Exchange
>>>server and the network isolation aspect of the web access and FTP.
>>>
>>>
>>>
>>>I will first go over the physical environment, the desired result and finally
>>>the questions.
>>>
>>> 1. Environment
>>>    1. 1 Cisco 1811/k9 box with dual WAN connection for internal staff (6
>>>       to 8 persons) to use to access the internet and RDP from outside
>>>    2. Another router with dual WAN, probably Linksys, can be available for
>>>       access by external contractors (about 4 to 15) to FTP and webmail somehow
>>>       provided directly or indirectly by the Exchange server
>>>    3. Exchange server and file server boxes are Intel Xeon 3GHz dual
>>>       core 667MHz ACT
>>>    4. Exchange server pulls mail down from an email ISP via POP3 and
>>>       sends mail via SMTP to the ISP
>>>       i.   3 SMTP gateways available: 1 from the email ISP, 2 from the
>>>            Internet provider to the Cisco box
>>>       ii.  Can have two NICs if needed
>>>       iii. Can serve FTP to contractors if that is the best way
>>>       iv.  There will be an email filter server/appliance between the Cisco
>>>            and the Exchange server
>>>
>>> 2. Desired result
>>>    1. Separate IP for public access apart from staff access
>>>    2. Route NDR reports through the second router
>>>    3. Route other outgoing email via the Cisco router
>>>
>>> 3. Questions
>>>    1. What is the best way to implement web access to the Exchange server from
>>>       the internet?
>>
>> Allow the firewall to pass TCP443 to the Exchange Server and configure
>> Form Based Authentication on the server.
>>
>>>    2. What is the best way to implement the network so there is isolation
>>>       of web and FTP traffic from the internal network?
>>
>> There is no right way or wrong way. You need to sit down yourself and
>> work it out in a sensible manner. The internal users need to be on the
>> same segment as the Exchange server and the file server. If you have a
>> web server you can put that into a DMZ if you see fit with the
>> equipment.
>>
>>
>>>    3. Should Exchange be on a separate network from the file server and
>>>       workstations?
>>
>> No. The users, the Exchange and the DC should be on the same network
>> and that network should be firewalled from both the Internet and also
>> any external facing HTTP (TCP 80) web sites that you have.
>>
>>>       i. If so, how to achieve failover duty for the file server and DC if
>>>          ever needed?
>>>
>>>The number of users involved is rather small, although the 6 to 8 internal
>>>staff members are heavy email users dealing with about a couple of thousand
>>>emails a day.
>>>
>>
>
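As an added illustration of the rule Mark describes (this is not configuration from either poster, and nothing on the 1811 in the thread is known), here is what "allow TCP 443 through to the Exchange server and firewall everything else" looks like as a Cisco IOS extended ACL plus a static port mapping on a router of that class. The interface names and every address are assumed placeholders (RFC 5737 documentation ranges); substitute your own.

```cisco
! Assumed placeholders (not from the thread):
!   FastEthernet0  = WAN interface holding the public address 203.0.113.10
!   Vlan1          = internal segment with users, DC and Exchange
!   192.168.10.25  = the Exchange server on that segment
!
! Publish only HTTPS: map TCP 443 on the WAN address to the Exchange server.
! No other port is mapped, so OWA is the only Exchange service reachable.
ip nat inside source static tcp 192.168.10.25 443 interface FastEthernet0 443
!
! Inbound policy on the WAN side. The ACL is evaluated before NAT on the way
! in, so it must name the public address, not the internal one.
! Anything not explicitly permitted (TCP 80, FTP, RDP, SMB, ...) is logged
! and dropped before it can reach the user/DC/Exchange segment.
ip access-list extended FROM_INTERNET
 remark Published OWA (Form Based Authentication on the server itself)
 permit tcp any host 203.0.113.10 eq 443
 remark Return traffic for sessions the inside opened
 permit tcp any any established
 remark Default deny, logged so probes show up in syslog
 deny   ip any any log
!
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group FROM_INTERNET in
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
```

A public web server (TCP 80) that must also be reachable gets its own `permit` line and, per the advice above, lives on a separate DMZ segment rather than on the Exchange/DC network, so that a compromise of the web box does not land an attacker on the same wire as the domain controller. The `established` line is the classic stateless shortcut; if the router image has CBAC or zone-based firewall, stateful inspection of outbound sessions is the better replacement for it.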