Originally Posted by simond:
2) For users to access outlook web access the server needs to be a front end server? therefore it should be on the dmz?
As Scott says - port forward the ports required for the web service (80). I'm not sure if web outlook uses SSL. If it does, you will need to forward port 443 too.
However, it does depend on your DMZ.
The use of the term DMZ has been muddied in the last few years. Many cheap routers define a DMZ simply as an internal address to which all requests are forwarded. That's less a DMZ and more a huge hole in your firewall (or in the incomplete protection provided by NAT).
Traditionally, a secure network would have two firewalls. An outer one (often little more than a router with a set of firewall rules), and an inner one (a fully fledged firewall). The space between the two firewalls was the DMZ.
In the DMZ you'd put any servers that provided services to the internet.
The idea was that servers in the DMZ would have some protection provided by the outer firewall, but were expected to be secure themselves (fully patched and limited open connections). The system was designed so as to handle these servers becoming compromised. That is, even if a hacker got control of a server in the DMZ, they would still be blocked from the main network by the inner firewall.
However, managing two firewalls was often seen as excessively complicated and expensive. Therefore, a compromise was designed. The two firewalls were collapsed into one, but this single firewall had separate connections to two (or more) internal networks: one the main network, the other the DMZ. The firewall could then be configured with different, less stringent rules for the DMZ than for the main network. Also, traffic between the DMZ and the main network would have to pass through the firewall and therefore could also have controlling rules applied. This is the setup that most decent modern firewalls provide.
The cheap router DMZ provides none of the security or features of a proper DMZ. It is in effect a port forwarding of all services to an internal host PC. That PC then has to protect itself on all the ports that could be attacked. If it becomes compromised, the whole of your internal network is compromised because there is nothing between the compromised device and the rest of the network.

In conclusion, if you have a proper DMZ that is separated from your main network by a firewall, then putting a dedicated mail server in the DMZ makes a lot of sense (note the word dedicated: if the server is also your file server, then putting it in a DMZ isn't such a good idea). Firewalls that provide this facility have a separate DMZ port and allow you to set rules specifically for the DMZ.
If, as I suspect, you do not have a proper DMZ, using port forwarding is a far better solution. With port forwarding only the specific required ports are forwarded, thereby limiting the potential pathway to your server and making it easier to secure.
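To make the contrast in the post concrete, here is an added Python model (not code from the thread or from any router vendor) of the two policies: a three-legged firewall with a real DMZ leg, and the cheap-router "DMZ host". The addresses, the allowed port sets and the mail server's outbound needs are constructed assumptions; the point it shows is which policy still lets a compromised exposed server reach the LAN.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the post): a three-legged firewall
# with a LAN leg and a separate DMZ leg.
SEGMENTS = {
    "DMZ": ip_network("192.168.100.0/24"),
    "LAN": ip_network("192.168.1.0/24"),
}

def zone_of(addr):
    """Map an address to LAN, DMZ, or WAN (anything not on an internal leg)."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "WAN"

# Proper DMZ policy: (source zone, destination zone, allowed destination ports).
# Only the web ports reach the DMZ from the internet, the DMZ may never
# initiate into the LAN, and the LAN may manage the DMZ. Everything else is denied.
PROPER_DMZ_RULES = [
    ("WAN", "DMZ", {80, 443}),
    ("LAN", "DMZ", "any"),
    ("LAN", "WAN", "any"),
    ("DMZ", "WAN", {25, 53}),  # assumed outbound SMTP/DNS needs of a mail server
]

def proper_dmz_allows(src, dst, port):
    """Default-deny evaluation of PROPER_DMZ_RULES between two hosts."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # same segment: the firewall is not in the path
    for rule_src, rule_dst, ports in PROPER_DMZ_RULES:
        if (rule_src, rule_dst) == (s, d) and (ports == "any" or port in ports):
            return True
    return False

# Cheap-router "DMZ host": one LAN PC receives every forwarded inbound request.
DMZ_HOST = "192.168.1.50"

def cheap_router_allows(src, dst, port):
    """Consumer-router model: forward everything to one host, no LAN segmentation."""
    if zone_of(src) == "WAN":
        return dst == DMZ_HOST  # every inbound port lands on the DMZ host
    return True  # LAN-to-LAN traffic, even from a compromised DMZ host, is unfiltered

def lan_reachable_after_compromise(allows, compromised, lan_host, port=445):
    """Can an attacker on the exposed server reach a LAN host on the given port?"""
    return allows(compromised, lan_host, port)
```

Swap in your own firewall's zones and rule table to check the same two questions: which inbound ports the internet can reach, and whether the exposed host can initiate anything into the LAN.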