Networking Forums

OWA in DMZ

Maki (Guest), 04-18-2006, 01:12 PM
Hello.

I'm trying to set up OWA in the DMZ (as a front-end server, Exchange
2003). I do not have ISA and I know I'm going against the standard, but for the
sake of argument, I want to put this server in the DMZ.

Is there a way to set up OWA in the DMZ so that it can talk to my
DNS/DHCP servers located in the inside network? Basically, the PIX firewall
has three interfaces: outside, inside and DMZ. I've already set up the web
server, but it doesn't talk to the inside network; it just acts as its own
DNS and IIS server. The thing is, from what I understand, I'll have to make the
OWA talk to the inside server. I've already set up all the protocols needed on
the firewall for communication between the OWA and the email server, but is
there any way the connection can be made? VPN perhaps, through the firewall?
 
Neteng (Guest), 04-18-2006, 01:30 PM
Yes, create the rules and translations in the PIX.
 
Maki (Guest), 04-19-2006, 06:07 AM
Hey, thanks for the reply.

Yes, I'll create translations and rules in the PIX, but what I'm trying to
understand is the process (theory) behind it: how does the OWA server in the
DMZ ask the DHCP server for an IP address while the DHCP is in the internal
network? Also, what about DNS? If the internal network is 10.10.10.0 and the
DMZ is 172.16.16.0, how do they communicate within the DHCP / DNS lines?
 
Neteng (Guest), 04-19-2006, 02:03 PM
DHCP will not work; you should use a static IP. Since you are looking for
DMZ-to-inside communication, you have two choices: route between them, or do
as with the outside interface and create NAT translations for the devices that
need to communicate. I suggest you use the latter. Think of the DMZ as
another outside interface. To receive email, you need to create a static NAT
and an ACL to allow traffic from anywhere to your email server on port 25. You
should have something like

static (inside,outside) tcp <outside IP> 25 <10.10.10.X> 25 netmask 255.255.255.255
access-list outside_2_inside permit tcp any host <outside IP> eq 25

The DMZ will be no different. Your address space in the DMZ is 172.16.16.0.
In the PIX you need to create a NAT statement and an ACL to allow traffic,
for example DNS.

Assumptions:
OWA Server IP: 172.16.16.5
Internal DNS IP: 10.10.10.15

static (inside,dmz) udp 172.16.16.100 53 10.10.10.15 53 netmask 255.255.255.255
**This statement makes the internal server (10.10.10.15) look like
172.16.16.100 in the DMZ.
access-list dmz_2_inside permit udp host 172.16.16.5 host 172.16.16.100 eq 53
**This permits the communication between the servers on UDP 53.
access-group dmz_2_inside in interface dmz
**(Not in the original post.) The access-list has no effect until it is bound
to the dmz interface with this access-group command.

The final step is to make your OWA server's DNS entry point to 172.16.16.100.
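
The static-plus-ACL pair Neteng describes, modelled as an added example (it is not part of the thread and not PIX software): a packet entering on the dmz interface is matched against the dmz_2_inside ACL using the mapped address 172.16.16.100, as a PIX 6.x does, its destination is then rewritten to 10.10.10.15, and the DNS reply's source is translated back so the OWA host only ever sees the 172.16.16.100 address. The access-group binding and the sample packets are assumptions of this example.

```python
# Constructed model of the "static" + access-list pair from the post above.
# Added illustration, not PIX code: the ACL is matched against the mapped
# (DMZ-side) addresses, as PIX 6.x does, and the destination is then rewritten
# to the real inside address. Addresses are the post's assumed ones.
from collections import namedtuple
from typing import Optional, Tuple

Packet = namedtuple("Packet", "proto src sport dst dport")
# static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port
Static = namedtuple("Static", "real_ifc mapped_ifc proto mapped_ip mapped_port real_ip real_port")
# access-list <name> permit <proto> host <src> host <dst> eq <dport>
AclEntry = namedtuple("AclEntry", "action proto src dst dport")

# static (inside,dmz) udp 172.16.16.100 53 10.10.10.15 53 netmask 255.255.255.255
STATICS = [Static("inside", "dmz", "udp", "172.16.16.100", 53, "10.10.10.15", 53)]
# access-list dmz_2_inside permit udp host 172.16.16.5 host 172.16.16.100 eq 53
# (assumed bound to the dmz interface with "access-group dmz_2_inside in interface dmz")
DMZ_ACL = [AclEntry("permit", "udp", "172.16.16.5", "172.16.16.100", 53)]


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.proto != pkt.proto or e.dport != pkt.dport:
            continue
        if e.src not in ("any", pkt.src) or e.dst not in ("any", pkt.dst):
            continue
        return e.action == "permit"
    return False


def forward_from_dmz(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Verdict for a packet entering on dmz, plus how it looks on inside."""
    if not acl_permits(DMZ_ACL, pkt):
        return "denied by dmz_2_inside", None
    for s in STATICS:
        if (s.mapped_ifc == "dmz" and s.proto == pkt.proto
                and (pkt.dst, pkt.dport) == (s.mapped_ip, s.mapped_port)):
            return "forwarded to inside", pkt._replace(dst=s.real_ip, dport=s.real_port)
    return "no translation for destination", None


def reply_from_inside(pkt: Packet) -> Packet:
    """The DNS answer leaves 10.10.10.15 but arrives in the DMZ from
    172.16.16.100, so the OWA host never learns the inside address."""
    for s in STATICS:
        if s.proto == pkt.proto and (pkt.src, pkt.sport) == (s.real_ip, s.real_port):
            return pkt._replace(src=s.mapped_ip, sport=s.mapped_port)
    return pkt


if __name__ == "__main__":
    query = Packet("udp", "172.16.16.5", 40000, "172.16.16.100", 53)
    print(forward_from_dmz(query))
    # LDAP from the same host is not in the ACL: the DMZ box cannot reach AD.
    print(forward_from_dmz(Packet("tcp", "172.16.16.5", 40001, "172.16.16.100", 389)))
```

Only the one host, protocol and port named in the ACL gets through; a second DMZ host or any other port hits the implicit deny, which is the behaviour that keeps the DMZ box from reaching domain services on the inside.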

Maki (Guest), 04-20-2006, 02:07 PM
Hi Neteng,

Sorry for not getting back earlier, but many, many thanks for the explanation
below.

Just a couple more questions, though:

1. The final point in your answer below, where you say to make sure the OWA
server points to 172.16.16.100 (meaning I will enter this in the DNS field of
the TCP/IP properties, OK, understood). However, does this mean that this will
basically help the OWA (as a front end) talk to the back end? (From what I
understand about this system, the front end will just be the entry door for
users, while the emails will always be sent to the back-end server.)

2. For instance, if the inside (internal network) domain of the company is
company.com, and then we have, let's say, our AD server as ad.company.com, our
file server as fileserver.company.com, etc. (basically, I've joined all
computers to this domain).
Now, what about the DMZ servers? For instance, I've got a web server and I
just made the computer name www, the workgroup is company and the full
computer name is www.company.com (but I did not join www to the domain prior
to putting it in the DMZ). Is what I've done correct?

Basically, this is where I'm coming from when I say I want to understand if
the internal network and DMZ can communicate using the same DHCP (well, we found
out they can't) and DNS, i.e., if they can all be behind the firewall and join the
same domain...

Thanks again for everything...

Cheers

Neteng (Guest), 04-25-2006, 01:24 PM
1. Yes
2. It's a security no-no to have a machine that's a member of a domain in
any area that's less secure than your private LAN. What you did looks
correct.

Maki (Guest), 04-26-2006, 11:52 AM
Hi Neteng!

Hope all is well. Thanks for responding again.

Basically, I'm going back to the second question: what do I do with the OWA?
According to Microsoft I have to re-install the whole of Exchange and then
choose it to be a front-end server.
The thing is, when installing, it asks for an active domain controller, so I
joined it to the inside domain. When I finish the installation, what is to be
done? Do I dis-join it and make the server part of a workgroup like I did for
the www server?

Cheers for all the help, btw.