From: Ronald Eakins (reakinsHERAEUSMTD.COM)
Date: Fri Apr 27 2001 - 17:35:42 CDT

    This appears to be overkill. Why install a second exchange server, or put
    the exchange server outside the firewall at all?

    An SMTP forwarder which could include antivirus software like McAfee's
    WebShield SMTP (the whole thing in one package - SMTP forwarder and antivirus
    software) can sit outside in the DMZ and forward the mail to your Exchange
    box. The only open port you need is 25 for the WebShield, or you can specify
    it to send to a more obscure port of your choosing. Set your MX record to
    the outside world to the SMTP forwarder, and email away. This prevents you
    from opening ports 135, etc., and there need be no user names/passwords on the
    SMTP server whatsoever that coincide with anything in your real world
    internal net.

    All the authentication will stay on the inside!

    BTW, Microsoft says (if I recall correctly) not to change the Domain of an
    installed exchange server, and Exchange needs to be on a PDC or BDC. Last
    time I tried to install it on a normal server, it failed miserably with a
    "no, no, no" message related to this.

    Ron

    -----Original Message-----
    From: Brian Cervenka [mailto:brianBE-BEE.COM]
    Sent: Wednesday, April 25, 2001 2:52 PM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Domain questions

    I have an NT domain with ~30 desktop users and a box running as PDC and also
    running Exchange 5.5.

    In order to facilitate future expansion, I am adding two separate machines
    to become PDC/BDC, and let the Exchange box just do Exchange. I would like,
    at the same time, to create a new domain from scratch and make new
    accounts/groups for everyone.
    I have the following questions:

    - Will it be possible to have the Exchange box in the old domain 'A' and the
    real network in the new domain 'B'?
      (I realize I would have to go through and change the 'Primary NT Account'
    for each user)
    - Will there need to be some sort of trust relationship between the new PDC
    and the Exchange box?
    - Will all the user mailboxes survive this change? (I don't see why not, but
    maybe I'm missing something...)

    If I want to put a firewall between the users and the exchange box, do I
    just allow udp/137 and udp/138 between the internal net and the exchange
    box? (There would be a DMZ1 with the real net servers, and a *nix box
    forwarding external stuff to the Exchange box which is in a DMZ2). I guess I
    would need to have the exchange box point to an internal WINS box? Will this
    allow the standard NT authentication exchange normally uses?
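
The relay design in Ron's reply (only TCP/25 from outside to a DMZ forwarder, the forwarder alone talking to Exchange on one port, nothing from outside reaching 135/137/138/139 or the internal net) can be written down as a policy and checked. The script below is an added example for this archive page, not code from either poster or from any vendor product; the zone names, the `Rule` record and both rule tables are constructed for illustration.

```python
"""Checker for the DMZ mail-relay design discussed in the thread.

Rules are a constructed list of (src_zone, dst_zone, proto, port, action).
The design requires that the only path from the Internet into the network is
tcp/25 to the relay, that the relay reaches Exchange on exactly one configured
port, and that no NetBIOS/RPC port (135, 137-139) is exposed from outside.
"""

from dataclasses import dataclass

# Ports the reply warns against opening: RPC endpoint mapper and NetBIOS.
RISK_PORTS = {135, 137, 138, 139}


@dataclass(frozen=True)
class Rule:
    src: str            # zone name (constructed): "internet", "dmz", "internal"
    dst: str
    proto: str          # "tcp" or "udp"
    port: int
    action: str = "allow"


def check_relay_policy(rules, exchange_port=25):
    """Return a list of violations; an empty list means the rules match the design."""
    violations = []
    for r in rules:
        if r.action != "allow" or r.src not in ("internet", "dmz"):
            continue  # deny rules and internal-originated traffic are out of scope here
        if r.src == "internet" and r.dst == "internal":
            violations.append(
                f"internet -> internal {r.proto}/{r.port}: no direct path to the internal net should exist")
        elif r.src == "internet" and r.dst == "dmz" and not (r.proto == "tcp" and r.port == 25):
            reason = ("exposes a NetBIOS/RPC port on the relay" if r.port in RISK_PORTS
                      else "only tcp/25 to the relay is allowed")
            violations.append(f"internet -> dmz {r.proto}/{r.port}: {reason}")
        elif r.src == "dmz" and r.dst == "internal" and not (r.proto == "tcp" and r.port == exchange_port):
            violations.append(
                f"dmz -> internal {r.proto}/{r.port}: the relay should only reach Exchange on tcp/{exchange_port}")

    def present(src, dst, port):
        return any(r.action == "allow" and r.src == src and r.dst == dst
                   and r.proto == "tcp" and r.port == port for r in rules)

    # The two rules the design needs must actually be there, or mail stops flowing.
    if not present("internet", "dmz", 25):
        violations.append("missing: internet -> dmz tcp/25 (mail cannot reach the relay)")
    if not present("dmz", "internal", exchange_port):
        violations.append(f"missing: dmz -> internal tcp/{exchange_port} (relay cannot forward to Exchange)")
    return violations


# Constructed rule table for the recommended layout, with Exchange listening on a
# non-standard port (2525) as the reply suggests.
GOOD_RULES = [
    Rule("internet", "dmz", "tcp", 25),          # world -> relay
    Rule("dmz", "internal", "tcp", 2525),        # relay -> Exchange
    Rule("dmz", "internet", "tcp", 25),          # relay sends outbound mail
    Rule("internal", "dmz", "tcp", 25),          # Exchange hands outbound mail to relay
    Rule("internet", "internal", "tcp", 135, "deny"),
]

# Constructed rule table for the layout the reply argues against: Exchange reachable
# from outside, with RPC/NetBIOS ports open.
BAD_RULES = [
    Rule("internet", "internal", "tcp", 25),
    Rule("internet", "internal", "tcp", 135),
    Rule("internet", "internal", "udp", 137),
    Rule("internet", "dmz", "udp", 138),
    Rule("dmz", "internal", "tcp", 139),
]

if __name__ == "__main__":
    for name, rules, port in (("good", GOOD_RULES, 2525), ("bad", BAD_RULES, 25)):
        found = check_relay_policy(rules, exchange_port=port)
        print(f"{name}: {'OK' if not found else ''}")
        for v in found:
            print("  -", v)
```

Running it with the wrong `exchange_port` is itself instructive: the relay rule on 2525 is reported both as an unexpected DMZ-to-internal path and as a missing forwarding rule, which is what a misconfigured relay looks like in practice.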