Exchange Server in DMZ or LAN network


Original page from https://www.alitajran.com/exchange-server-in-dmz-or-lan-network/

Do you need to place the Microsoft Exchange Server in DMZ or LAN network?
Do you want to know what the best practice is for Exchange in DMZ? In
this article, you will learn if you should place an Exchange Server in
DMZ or LAN network.

What is a DMZ

In computer security, a DMZ or demilitarized zone (sometimes referred to
as a perimeter network or screened subnet) is a physical or logical
subnetwork. It contains and exposes an organization’s external-facing
services to an untrusted, usually larger, network such as the Internet.
The purpose of a DMZ is to add an additional layer of security to an
organization’s local area network (LAN). An external network node can
access only what is exposed in the DMZ, while the rest of the
organization’s network stays behind the firewall. The DMZ functions as a
small, isolated network positioned between the Internet and the private
network. If its design is effective, it gives the organization extra time
to detect and address a breach before it penetrates further into the
internal networks.

Exchange Server in DMZ or LAN network

When installing Exchange Server, you can install one of the two roles:

  • Exchange Mailbox server role
  • Exchange Edge Transport server role

Each Exchange role serves a different purpose, and that purpose
determines where the server belongs: the best practice is to place the
Exchange Mailbox server in the LAN network and the Exchange Edge
Transport server in the DMZ network. The two roles also need different
network ports opened to get mail flow working.

Important:
Do not restrict network traffic between internal Exchange servers,
between internal Exchange servers and internal Lync or Skype for
Business servers, or between internal Exchange servers and internal
Active Directory domain controllers, in any type of topology. If you
have firewalls or network devices that could restrict or alter this
traffic, configure rules that allow free and unrestricted communication
between these servers: rules that permit inbound and outbound traffic
on any port, including the dynamic (random) RPC ports.

Exchange Mailbox server role in LAN

Microsoft recommends that you place the Exchange Mailbox server role in the LAN network.
Place it in the LAN network because the Exchange Mailbox server needs
constant communication with Active Directory (AD): Exchange stores its
configuration, recipient and routing data in AD rather than on the
server itself.

Don’t move the Exchange Mailbox server to the DMZ network. The Mailbox
server is a domain member, and the DMZ firewall would cut it off from
the domain controllers on the private LAN; without that communication
the Mailbox server does not function. Microsoft does not support the
Mailbox role in a perimeter network. Keep the Exchange Mailbox server
next to your Domain Controllers in the LAN network.


Network ports required for mail flow with Mailbox servers

It’s important to open the following ports if you have an Exchange Mailbox server.

Purpose                                  Ports            Source           Destination
---------------------------------------  ---------------  ---------------  ---------------
Inbound mail                             25/TCP (SMTP)    Internet (any)   Mailbox server
Outbound mail                            25/TCP (SMTP)    Mailbox server   Internet (any)
Outbound mail (if proxied through the    25/TCP (SMTP)    Mailbox server   Internet (any)
Front End Transport service)
DNS for name resolution of the next      53/UDP, 53/TCP   Mailbox server   DNS server
mail hop*                                (DNS)

*DNS resolution of the next mail hop is a fundamental part of mail flow
in any Exchange organization. Exchange servers that are responsible for
receiving inbound mail or delivering outbound mail must be able to
resolve both internal and external hostnames for proper mail routing.
And all internal Exchange servers must be able to resolve internal
hostnames for proper mail routing. There are many different ways to
design a DNS infrastructure, but the important result is to ensure name
resolution for the next hop is working properly for all of your Exchange
servers.

Exchange Edge Transport server role in DMZ

Microsoft recommends that you place the Exchange Edge Transport server in DMZ network. Place it in a perimeter network that’s outside of your organization’s internal Active Directory forest.


Edge Transport servers are almost always located in a perimeter
network, so it’s expected that you’ll restrict network traffic between
the Edge Transport server and the Internet, and between the Edge
Transport server and your internal Exchange organization. The network
ports that must remain open are listed below.

Network ports required for mail flow with Edge Transport servers

It’s important to open the following ports if you have an Exchange Edge Transport server.

Purpose                                   Ports             Source                    Destination
----------------------------------------  ----------------  ------------------------  ------------------------
Inbound mail: Internet to Edge            25/TCP (SMTP)     Internet (any)            Edge Transport server
Transport server
Inbound mail: Edge Transport server to    25/TCP (SMTP)     Edge Transport server     Mailbox servers in the
internal Exchange organization                                                        subscribed Active
                                                                                      Directory site
Outbound mail: internal Exchange          25/TCP (SMTP)     Mailbox servers in the    Edge Transport servers
organization to Edge Transport server                       subscribed Active
                                                            Directory site
Outbound mail: Edge Transport server      25/TCP (SMTP)     Edge Transport server     Internet (any)
to Internet
EdgeSync synchronization                  50636/TCP         Mailbox servers in the    Edge Transport servers
                                          (secure LDAP)     subscribed Active
                                                            Directory site that
                                                            participate in EdgeSync
                                                            synchronization
DNS for name resolution of the next       53/UDP, 53/TCP    Edge Transport server     DNS server
mail hop*                                 (DNS)

*See the note on DNS resolution of the next mail hop under the Mailbox
server table above; it applies equally to the Edge Transport server.
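The two port tables and the "Important" note about unrestricted traffic to domain controllers are easy to get subtly wrong on a firewall, so here is a PowerShell check that verifies them from the server's own point of view. This is an added example, not code from the original article or from Microsoft. It assumes a Windows Server with the NetTCPIP module (Test-NetConnection), and every host name in the parameter block is a placeholder to replace. It also assumes outbound mail is routed through Edge, so a direct path from the Mailbox server to the Internet on port 25 is treated as a rule that should have been removed; drop that line if your Mailbox servers deliver directly. Kerberos (88/TCP) and the RPC endpoint mapper (135/TCP) are not in the tables above but are needed for the Mailbox-to-DC traffic the note describes.

```powershell
# Added example (not from the original article or Microsoft): probe the flows from
# the two port tables above, plus the "unrestricted Mailbox <-> domain controller"
# requirement, from whichever server runs it.
#   On a Mailbox server:         .\Test-ExchangeBoundary.ps1 -Role Mailbox
#   On an Edge Transport server: .\Test-ExchangeBoundary.ps1 -Role Edge
# All host names below are assumptions for illustration; replace them with your own.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Mailbox', 'Edge')][string]$Role,
    [string[]]$MailboxServers    = @('mbx01.corp.example.com', 'mbx02.corp.example.com'),
    [string[]]$EdgeServers       = @('edge01.dmz.example.com'),
    [string[]]$DomainControllers = @('dc01.corp.example.com'),   # used only for the Edge isolation checks
    [string]  $InternetSmtpProbe = 'mail.example.net'             # any external MX host you are allowed to probe
)

# One row per flow. $ShouldBeOpen = $false turns the probe into an isolation check:
# the row passes only when the connection is refused or filtered.
function Test-Flow {
    param(
        [string]$Purpose,
        [string]$Target,
        [int]$Port,
        [bool]$ShouldBeOpen = $true
    )
    $open = Test-NetConnection -ComputerName $Target -Port $Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Purpose  = $Purpose
        Target   = $Target
        Port     = $Port
        Expected = if ($ShouldBeOpen) { 'open' } else { 'blocked' }
        Actual   = if ($open)         { 'open' } else { 'blocked' }
        Result   = if ($open -eq $ShouldBeOpen) { 'PASS' } else { 'FAIL' }
    }
}

$results = @()

switch ($Role) {
    'Mailbox' {
        # "Important" note: traffic to every domain controller must be unrestricted.
        # Exchange discovers DCs through AD, so enumerate them the same way instead
        # of hard-coding a list that drifts out of date.
        $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers |
               Select-Object -ExpandProperty Name
        foreach ($dc in $dcs) {
            $results += Test-Flow 'DNS'                 $dc 53
            $results += Test-Flow 'Kerberos'            $dc 88     # not in the tables above; needed for AD authentication
            $results += Test-Flow 'RPC endpoint mapper' $dc 135    # the "random RPC ports" are negotiated through 135
            $results += Test-Flow 'LDAP'                $dc 389
            $results += Test-Flow 'Global Catalog'      $dc 3268
        }
        # A firewall that passes 135 but drops the negotiated high ports breaks the
        # secure channel to the domain; a port probe alone cannot see that.
        $secure = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Purpose  = 'Secure channel to domain'; Target = $env:USERDNSDOMAIN; Port = '-'
            Expected = 'ok'; Actual = if ($secure) { 'ok' } else { 'broken' }
            Result   = if ($secure) { 'PASS' } else { 'FAIL' }
        }
        # Mailbox -> Edge rows of the Edge Transport table.
        foreach ($edge in $EdgeServers) {
            $results += Test-Flow 'Outbound mail to Edge (SMTP)' $edge 25
            $results += Test-Flow 'EdgeSync (secure LDAP)'       $edge 50636
        }
        # With outbound mail routed through Edge, the Mailbox server no longer needs
        # a direct path to the Internet on 25; open here means the rule was left behind.
        $results += Test-Flow 'Direct SMTP to Internet (should go via Edge)' $InternetSmtpProbe 25 -ShouldBeOpen:$false
    }
    'Edge' {
        foreach ($mbx in $MailboxServers) {
            $results += Test-Flow 'Inbound mail to Mailbox (SMTP)' $mbx 25
        }
        $results += Test-Flow 'Outbound mail to Internet (SMTP)' $InternetSmtpProbe 25
        # The Edge server sits outside the forest. If it can reach AD, the DMZ is not a DMZ.
        foreach ($dc in $DomainControllers) {
            $results += Test-Flow 'LDAP to domain controller'           $dc 389  -ShouldBeOpen:$false
            $results += Test-Flow 'Global Catalog to domain controller' $dc 3268 -ShouldBeOpen:$false
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }
```

Run it from an elevated PowerShell session on each server after the firewall rules are in place; the "blocked" rows are the ones that prove the Edge server is actually isolated, which a plain "can I reach my mail hop" test never shows. Once the port checks pass, Test-EdgeSynchronization on the Mailbox server confirms that EdgeSync over 50636/TCP is working end to end, not just that the port answers.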

The guidance in the next three paragraphs comes from the Exchange 2000/2003 front-end/back-end era, when front-end Outlook Web Access (OWA) servers were commonly placed in the DMZ; for current Exchange versions Microsoft supports only the Edge Transport role in a perimeter network, and client access services are published from the LAN through a reverse proxy or firewall instead. It is kept here for historical context. If you make any Exchange services available over the Internet, you need an Exchange presence in the DMZ. For example, if your Exchange server accepts inbound SMTP mail from the Internet, you must provide an SMTP path to your Exchange server. Many companies placed front-end OWA servers in the DMZ to let users access their mailboxes over HTTPS. If your organization requires news feeds (through Network News Transfer Protocol, NNTP), you might need an NNTP presence in your DMZ. Other services that might require an Exchange service in the DMZ include Instant Messaging (IM) services, conferencing services, and custom applications.

When you need to locate an Exchange server in the DMZ, you have several options for protecting the server. If you have a proxying firewall, you can keep the Exchange server inside the firewall and let the firewall proxy connections to it, so that the server isn’t directly exposed to the Internet. This approach is common for services such as SMTP. When you don’t have a proxying firewall, you need to set up ACLs on the router that handles traffic to and from the Internet. Typically, the configuration on your Internet perimeter will have multiple zones that lead to a multitiered architecture. In such cases, you must limit inbound traffic to your Exchange servers to the specific services you want the servers to accept (e.g., SMTP, HTTP). Likewise, you must let only specified services travel to the Internet from your Exchange servers.

If you use standard management tools to administer Exchange servers in the DMZ, you might need to implement special configurations. For example, when you locate OWA servers in the DMZ, you need to open TCP ports 80 (HTTP), 443 (HTTP over Secure Sockets Layer, SSL), 389 (Lightweight Directory Access Protocol, LDAP), and 3268 (Global Catalog, GC) because OWA uses these ports to serve clients. However, to manage the OWA server from inside the firewall, you also need to open certain remote procedure call (RPC) ports. Management tools such as Exchange System Manager (ESM), the Exchange 2000/2003 console, won’t work unless you configure these ports and services to pass through the firewall.

Planning the connection and deployment of Exchange services in the DMZ can seem daunting. A good place to start is your Exchange Server documentation, together with Microsoft’s articles on configuring Exchange services with firewalls.


Conclusion

In this article, you learned the best practice for placing an Exchange Server in the DMZ or LAN network. The only Exchange role Microsoft supports in a DMZ is the Edge Transport role; everything else has to be
on the internal network (LAN). Did you enjoy this article? Don’t forget to follow us and share this article.
