Exchange behind firewall?



I have the option to put Exchange on a public IP address, which is pretty unsafe for me.

It would be good for me to put it behind a router/firewall and port forward the ports.

Which is good practice?

If I set it to a private IP address (LAN) I will need to port forward ports 25 (SMTP), 443 (HTTPS) and what else? For people outside the LAN I would prefer to use RPC over HTTPS; in that case they don't need additional ports.

Thanks!


To make it work you only need to forward port 25; for RPC over HTTP, then yes, 443 too.

If you're running a large Exchange environment or you're doing this for business you might want to look at an e-mail security appliance such as the Sophos ES1000. These sit between your router and Exchange, so nothing connects directly from the Internet to your Exchange server. They scan for viruses, spam and other malware too and take the load off your Exchange box. Just something for you to consider.

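An added example, not from any poster in this thread: a small POSIX shell script to run from outside the LAN against the public address, to confirm that only 25 and 443 answer and to see whose SMTP greeting the Internet actually gets. It assumes netcat (`nc`) is installed; the address 203.0.113.10 and the hostnames in the comments are placeholders. Exchange's own SMTP greeting contains the string "Microsoft ESMTP MAIL Service", so if a gateway or appliance is supposed to be in front, seeing that banner from the Internet means port 25 is reaching Exchange directly.

```shell
#!/bin/sh
# External exposure check for a firewall-fronted Exchange server (added example).
# Usage: sh exchange-exposure.sh 203.0.113.10     (run from OUTSIDE the LAN)
# Assumes "nc" (netcat) is available; the address above is a placeholder.

ALLOWED_PORTS="25 443"                 # inbound SMTP + HTTPS (OWA / RPC over HTTPS)
RISKY_PORTS="135 139 445 3389 5985"    # RPC endpoint mapper, NetBIOS, SMB, RDP, WinRM:
                                       # none of these should ever answer from the Internet

# is_open HOST PORT -> exit 0 if a TCP connect succeeds within 3 seconds
is_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# smtp_banner HOST -> prints the first line the SMTP listener sends (empty if none)
smtp_banner() { printf 'QUIT\r\n' | nc -w 3 "$1" 25 2>/dev/null | head -n 1; }

# classify_smtp_banner BANNER -> exchange-direct | other-mta | no-banner
classify_smtp_banner() {
  case "$1" in
    *"Microsoft ESMTP MAIL Service"*) echo exchange-direct ;;  # Exchange's own greeting
    220*)                             echo other-mta ;;        # gateway / appliance / other MTA
    *)                                echo no-banner ;;
  esac
}

# in_list WORD "LIST" -> exit 0 if WORD appears in the space-separated LIST
in_list() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# unexpected_ports "OPEN PORTS" -> prints the open ports that are not in ALLOWED_PORTS
unexpected_ports() {
  open=$1
  set --
  for p in $open; do in_list "$p" "$ALLOWED_PORTS" || set -- "$@" "$p"; done
  echo "$@"
}

# audit HOST -> scans the allowed and risky ports and reports what is reachable
audit() {
  host=$1
  open=""
  for p in $ALLOWED_PORTS $RISKY_PORTS; do
    is_open "$host" "$p" && open="$open $p"
  done
  echo "open ports:       $open"
  echo "unexpected ports: $(unexpected_ports "$open")"
  echo "smtp on 25:       $(classify_smtp_banner "$(smtp_banner "$host")")"
}

if [ -n "${1:-}" ]; then audit "$1"; fi
```

An empty "unexpected ports" line and an "smtp on 25" value of other-mta is what the appliance-in-front design should produce; exchange-direct is expected only if you really do forward 25 straight to the Exchange box.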

It might also be good to know what version of Exchange you're setting up. If it is Exchange 2007 or later you should have your Edge server out on the perimeter network, surrounded by firewalls on both sides. That is the best-practice configuration...

[image: Exchange perimeter network diagram, not recoverable]


That looks ... expensive. :)

Not really. The Exchange 2010 (and 2007) Edge server role is included in the license for the Exchange server itself. So it wouldn't cost him anything to add the Edge server to the topology, as he is supposed to do.

He can run all the other roles (Hub Transport, Client Access Server, etc.) on the same server if his network is small enough.

http://www.microsoft.com/exchange/2010/en/us/Pricing.aspx


Thank you. I haven't considered an Edge server as an option, but I certainly will do it in the future. Licenses are covered with Exchange (I'm not sure about the Standard version); however, I still need a Server 2003/2008 license, and AV and anti-spam licenses. I'll keep my open-source gateway for now, but, like I said, I will integrate Edge.


Glad you will consider adding Edge in the future. The biggest advantage of the Edge server is its safety net. The server doesn't have to be joined to your Active Directory domain, so your Internet-facing server is unable to be used to steal any information.

It doesn't really do good spam protection; AV protection is only added via MS Forefront for Exchange. The new 2010 version is finally a viable anti-spam solution.


My opinion: one-to-one NAT, open the ports that you need, and have an appliance for anti-spam/virus mail scanning.

This way your equipment is still behind your firewall, answers on whatever outside IP you give it, and only has the ports needed for it to function. Have a Client Access server for your OWA requests, and a DB server for your main Exchange DB.

It would look something like this:

firewall------spam appliance-----client access server (owa)------Exchange DB server

All port 25 traffic from the outside IP will go to the spam appliance. All 443 traffic (either another one-to-one NAT or a PAT from another IP that you have internally) will go to the OWA client access server. The Exchange DB isn't touched by the outside. If you wanted to, you could even put the spam appliance on the outside and let that get hit, but there is no need for that IMO with a one-to-one NAT.

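The layout above expressed as firewall rules, as an added example that is not part of the post: it assumes the router/firewall is a Linux box using iptables, and the interface name, the public address 203.0.113.10 and the RFC 1918 addresses for the appliance, the Client Access server and the DB server are placeholders. Port 25 on the public IP is rewritten to the spam appliance, port 443 to the Client Access server, the forward chain defaults to drop, and the DB server has no NAT entry at all, so nothing from the WAN can reach it.

```shell
#!/bin/sh
# iptables rules for "firewall -- spam appliance -- CAS -- Exchange DB" with one-to-one NAT.
# Added example; addresses and interface are placeholders. Run "sh exchange-fw.sh show"
# to print the rules, "sh exchange-fw.sh apply" (as root) to load them.
WAN_IF=eth0
PUBLIC_IP=203.0.113.10      # outside IP that Exchange services answer on
SPAM_GW=192.168.10.5        # anti-spam / AV appliance: receives ALL inbound port 25
CAS=192.168.10.6            # Client Access server: OWA, Outlook Anywhere, ActiveSync on 443
MAILBOX=192.168.10.7        # Exchange DB server: deliberately has no rule below

# ipt ARGS... -> prints the rule in "show" mode, otherwise runs iptables with it
ipt() {
  if [ "$MODE" = show ]; then echo "iptables $*"; else iptables "$@"; fi
}

# exchange_rules [show|apply] -> emits or installs the complete rule set
exchange_rules() {
  MODE=${1:-apply}

  # Inbound one-to-one NAT, split per port: 25 -> appliance, 443 -> CAS.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 25  -j DNAT --to-destination "$SPAM_GW"
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 443 -j DNAT --to-destination "$CAS"
  # Outbound mail from the appliance leaves from the same public IP, so the
  # receiving side's reverse-DNS / SPF checks see the address the MX record names.
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$SPAM_GW" -j SNAT --to-source "$PUBLIC_IP"

  # Forward chain: default deny, then admit only the two NAT targets on their one port each.
  ipt -P FORWARD DROP
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$WAN_IF" -d "$SPAM_GW" -p tcp --dport 25  -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i "$WAN_IF" -d "$CAS"     -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  # LAN hosts may still initiate outbound connections; nothing else comes in.
  ipt -A FORWARD ! -i "$WAN_IF" -o "$WAN_IF" -j ACCEPT
}

# count_wan_entry_points -> number of inbound DNAT rules (2: one per exposed port)
count_wan_entry_points() { exchange_rules show | grep -c -- '-j DNAT'; }

# db_server_exposed -> exit 0 if the mailbox/DB address appears in any rule at all
db_server_exposed() { exchange_rules show | grep -q "$MAILBOX"; }

case "${1:-}" in
  show|apply) exchange_rules "$1" ;;
esac
```

If the 443 side should answer on a second public address instead (the "another one-to-one NAT" variant in the post), give the second PREROUTING rule that address in `-d` and add a matching SNAT for the CAS; the forward chain does not change.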

Can the Client Access Server be on the same server as the database server? I was assuming that the basic Exchange config comes with OWA included, and, if needed, OWA can be separated onto another server.


Yes, it can be on the same server, and that is normal in a default config. It is when you get into clustering that it has to be on a different server from a clustered database. But you could separate the database from the Client Access Server so that the database is on a server that is not on the outside, or that the outside does not have direct access to.

You should do this if you are planning on implementing Outlook Anywhere / Exchange ActiveSync, as the server will be put under heavy load with lots of devices accessing it, versus just your internal LAN and a few web hits. Your phones will constantly be hitting ActiveSync, and if you have a lot of remote users that do not VPN into the network, each of those users will hit Outlook Anywhere.
