
Exchange Server in DMZ or LAN network


Do you need to place the Microsoft Exchange Server in the DMZ or in the LAN network? Do you want to know what the best practice is for Exchange in a DMZ? In this article, you will learn whether you should place an Exchange Server in the DMZ or in the LAN network.

What is DMZ

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork. It contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN). An external network node can access only what is exposed in DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network. If its design is effective, it will allow the organization extra time to detect and address breaches before they would further penetrate into the internal networks.

Exchange Server in DMZ or LAN network

When installing Exchange Server, you can install one of the two roles:

  • Exchange Mailbox server role
  • Exchange Edge Transport server role

Each Exchange role serves a different purpose, whether it is the Mailbox role or the Edge Transport role. That is why the best practice is to place the Exchange Mailbox server in the LAN network and the Exchange Edge Transport server in the DMZ network. The two roles also need different network ports open to get mail flow working.

Important: Do not restrict network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers, in any type of topology. If you have firewalls or network devices that could restrict or alter this kind of traffic, configure rules that allow free and unrestricted communication between these servers: rules that allow incoming and outgoing network traffic on any port, including random RPC ports.

Exchange Mailbox server role in LAN

Microsoft recommends that you place the Exchange Mailbox server role in the LAN network, because the Exchange Mailbox server needs to communicate with Active Directory (AD). Most of the Exchange configuration is stored in AD.

Don’t move the Exchange Mailbox server to the DMZ network. If you do that, it will lose the communication to the domain controllers on the private LAN. The Exchange Mailbox server will not function. Keep the Exchange Mailbox server next to your Domain Controllers in the LAN network.

Network ports required for mail flow with Mailbox servers

It’s important to open the following ports if you have an Exchange Mailbox server.

Purpose                                                   Ports                  Source            Destination
-------                                                   -----                  ------            -----------
Inbound mail                                              25/TCP (SMTP)          Internet (any)    Mailbox server
Outbound mail                                             25/TCP (SMTP)          Mailbox server    Internet (any)
Outbound mail (if proxied through the Front End           25/TCP (SMTP)          Mailbox server    Internet (any)
transport service)
DNS for name resolution of the next mail hop*             53/UDP, 53/TCP (DNS)   Mailbox server    DNS server

*DNS resolution of the next mail hop is a fundamental part of mail flow in any Exchange organization. Exchange servers that are responsible for receiving inbound mail or delivering outbound mail must be able to resolve both internal and external hostnames for proper mail routing. And all internal Exchange servers must be able to resolve internal hostnames for proper mail routing. There are many different ways to design a DNS infrastructure, but the important result is to ensure name resolution for the next hop is working properly for all of your Exchange servers.

Exchange Edge Transport server role in DMZ

Microsoft recommends that you place the Exchange Edge Transport server in the DMZ network, that is, in a perimeter network outside of your organization's internal Active Directory forest.

Edge Transport servers are almost always located in a perimeter network, so it is expected that you will restrict network traffic between the Edge Transport server and the Internet, and between the Edge Transport server and your internal Exchange organization. The network ports that must stay open are described below.

Network ports required for mail flow with Edge Transport servers

It’s important to open the following ports if you have an Exchange Edge Transport server.

Purpose                                                   Ports                  Source                            Destination
-------                                                   -----                  ------                            -----------
Inbound mail - Internet to Edge Transport server          25/TCP (SMTP)          Internet (any)                    Edge Transport server
Inbound mail - Edge Transport server to internal          25/TCP (SMTP)          Edge Transport server             Mailbox servers in the
Exchange organization                                                                                              subscribed Active Directory site
Outbound mail - internal Exchange organization to         25/TCP (SMTP)          Mailbox servers in the            Edge Transport servers
Edge Transport server                                                            subscribed Active Directory site
Outbound mail - Edge Transport server to Internet         25/TCP (SMTP)          Edge Transport server             Internet (any)
EdgeSync synchronization                                  50636/TCP              Mailbox servers in the            Edge Transport servers
                                                          (secure LDAP)          subscribed Active Directory site
                                                                                 that participate in EdgeSync
                                                                                 synchronization
DNS for name resolution of the next mail hop*             53/UDP, 53/TCP (DNS)   Edge Transport server             DNS server

*DNS resolution of the next mail hop is a fundamental part of mail flow in any Exchange organization. Exchange servers that are responsible for receiving inbound mail or delivering outbound mail must be able to resolve both internal and external hostnames for proper mail routing. And all internal Exchange servers must be able to resolve internal hostnames for proper mail routing. There are many different ways to design a DNS infrastructure, but the important result is to ensure name resolution for the next hop is working properly for all of your Exchange servers.
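As an added example (not code from the original article), the following Python script models the Edge Transport port table above as a list of required flows and audits a constructed firewall rule list against it, reporting required flows that no rule allows and Internet-facing rules that no required flow justifies. The zone names, the rule tuple format and the sample rule list are assumptions made for the demonstration; the Mailbox server table can be encoded the same way.

```python
"""Audit firewall allow rules against the Exchange Edge Transport mail-flow ports.

Added example, not part of the original article. Zone names, the rule format and
the sample rule list are assumptions constructed for this demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    purpose: str
    src: str    # assumed zone / host-group names: internet, dmz-edge, lan-mailbox, dns
    dst: str
    proto: str  # "tcp" or "udp"
    port: int


# Required flows for an Edge Transport server in the DMZ (rows of the table above).
EDGE_FLOWS = [
    Flow("Inbound mail, Internet to Edge", "internet", "dmz-edge", "tcp", 25),
    Flow("Inbound mail, Edge to Mailbox", "dmz-edge", "lan-mailbox", "tcp", 25),
    Flow("Outbound mail, Mailbox to Edge", "lan-mailbox", "dmz-edge", "tcp", 25),
    Flow("Outbound mail, Edge to Internet", "dmz-edge", "internet", "tcp", 25),
    Flow("EdgeSync (secure LDAP)", "lan-mailbox", "dmz-edge", "tcp", 50636),
    Flow("DNS next hop", "dmz-edge", "dns", "tcp", 53),
    Flow("DNS next hop", "dmz-edge", "dns", "udp", 53),
]

# Constructed firewall rule set: (src, dst, proto, port) tuples that are allowed.
# Deliberately lacks EdgeSync and UDP DNS, and opens an unneeded port, to show
# what the audit reports.
SAMPLE_RULES = {
    ("internet", "dmz-edge", "tcp", 25),
    ("dmz-edge", "lan-mailbox", "tcp", 25),
    ("lan-mailbox", "dmz-edge", "tcp", 25),
    ("dmz-edge", "internet", "tcp", 25),
    ("dmz-edge", "dns", "tcp", 53),
    ("internet", "dmz-edge", "tcp", 443),  # not required by Edge Transport
}


def missing_flows(flows, rules):
    """Return required flows that no allow rule covers (mail flow would break)."""
    return [f for f in flows if (f.src, f.dst, f.proto, f.port) not in rules]


def extra_internet_exposure(flows, rules):
    """Return rules that let the Internet into the DMZ without a required flow."""
    needed = {(f.src, f.dst, f.proto, f.port) for f in flows}
    return sorted(r for r in rules if r[0] == "internet" and r not in needed)


if __name__ == "__main__":
    for f in missing_flows(EDGE_FLOWS, SAMPLE_RULES):
        print(f"MISSING: {f.purpose}: {f.src} -> {f.dst} {f.port}/{f.proto}")
    for r in extra_internet_exposure(EDGE_FLOWS, SAMPLE_RULES):
        print("EXTRA INTERNET EXPOSURE:", r)
```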

Conclusion

In this article, you learned the best practice for placing an Exchange Server in the DMZ or in the LAN network. The only Exchange role Microsoft supports in a DMZ is the Edge Transport role. Everything else has to be in the internal network (LAN). Did you enjoy this article?