Web, Exchange Server Behind Hardware Firewall

I have a Web Server, Exchange Server 2000 and my DNS server running on the same box and it is connected to my ISP. Right now I have a software firewall installed on this machine but I want to do away with it and put a Symantec Hardware Firewall instead, so now my config will look like:

ISP ---------> Firewall ---------> Web Server/Exchange Server/DNS Server

My question is what ports do I need to open on the firewall and also what changes do I need to make to the MX and A records in the DNS server. Since Exchange Server allocates dynamic ports for each client connection, how do I handle it?

TIA

Ravi

Reply to
Ravi

Leythos,

Thanks for your response. My web server/exchange server is sitting outside our corporate firewall, so we never access Exchange Server through the internal LAN. Also please give me some info on DNS entry changes.

Ravi

Reply to
Ravi

Assuming that you access the Exchange server via your INTERNAL LAN, and assuming that the Exchange server is your only server, then the following would be true:

HTTP (80) to web server services, but not Outlook Web Access
HTTPS (443) to Outlook Web Access Service (requires SSL)
SMTP (25) to Exchange Service

Do not let users connect to OWA using HTTP, leave that for your public web sites. Set up OWA for SSL access only.

Reply to
Leythos

I would need more info, but here are my assumptions:

    PUBLIC IP
        |
    Firewall
        |
        |---- DMZ --- SWITCH-1
        |
       LAN
        |
    SWITCH-2

Now, the DMZ is using a NAT scheme, 192.168.10.0/24.
The LAN is using a NAT scheme, 192.168.16.0/24.

The web server and exchange server are allocated 192.168.10.x + .y

The DNS server, I'm assuming that it's for your internal network and is not hosting your PUBLIC DNS records.

The DNS Server should be in the LAN and you will need to set up domains for your public addresses - meaning that if you use MyCompany.Com, then you will create a zone called MyCompany.Com and enter the PRIVATE addresses in it for the Web server and the Exchange server. Then, since it's in your LAN, your client workstations should use it for their DNS (don't forget to set up FORWARDING) and it will resolve the private names for your web/exchange servers.

I really need to know more in order to not have to guess.

Reply to
Leythos

SHIIIIIIIIIIIIT!!

Reply to
Mike

Leythos,

The DNS server is hosting my public records. The network config is:

Public IP1 ------> Firewall1 ------------> Corporate INET

My corporate network is set up fine and running.

    Public IP2 ------> Firewall2
                           | 192.168.0.1
                           |
                           | 192.168.0.2
                      DNS SERVER/Exchange Server/Web Server

Now I am introducing hardware Firewall2 for my Exchange, public DNS server and Web server. Earlier I had a software firewall running on this server. This server is a stand-alone server and is not connected to my internal network directly. I hope this gives you a good idea of what I am trying to do.

Reply to
Ravi
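One way to see why Leythos's short port list still covers Ravi's dynamic-port worry: a simplified stateful filter, written here as an added example (not from the thread or from the Symantec product), that publishes only 80/443/25, adds 53 because Ravi says his DNS server hosts public records, and lets Exchange's dynamic RPC ports carry traffic only as replies to connections the server opened itself. Remote addresses and the dynamic port 1030 are constructed; 192.168.0.2 comes from Ravi's diagram.

```python
# Added example, not from the thread. A tiny stateful packet filter modelling
# the inbound policy Leythos lists (80 web, 443 OWA, 25 SMTP) plus 53 for the
# public DNS server Ravi later describes. Exchange's dynamic RPC ports are NOT
# opened: replies to connections the server itself opens pass via state.
# Remote addresses are constructed; the server address is from Ravi's diagram.

SERVER = "192.168.0.2"

# Services reachable from the Internet: (protocol, destination port)
PUBLIC_SERVICES = {
    ("tcp", 80),    # public web sites (not OWA)
    ("tcp", 443),   # Outlook Web Access over SSL only
    ("tcp", 25),    # SMTP into Exchange
    ("udp", 53),    # public DNS queries
    ("tcp", 53),    # DNS over TCP (zone transfers, large answers)
}


class StatefulFilter:
    """New inbound connections only to PUBLIC_SERVICES; any packet belonging
    to a flow the server itself initiated is allowed back in."""

    def __init__(self):
        self.flows = set()  # (proto, src, sport, dst, dport) of outbound flows

    def packet(self, proto, src, sport, dst, dport):
        if src == SERVER:
            # Outbound from the server: record the flow so its reply can return
            self.flows.add((proto, src, sport, dst, dport))
            return "allow"
        if (proto, dst, dport, src, sport) in self.flows:
            return "allow"  # reply to a server-initiated flow, any port
        if dst == SERVER and (proto, dport) in PUBLIC_SERVICES:
            return "allow"  # new inbound connection to a published service
        return "deny"       # everything else, including dynamic RPC ports


def run_sample():
    """Run a constructed traffic sample; returns one verdict per packet."""
    fw = StatefulFilter()
    packets = [
        ("tcp", "203.0.113.7", 51000, SERVER, 25),    # inbound mail delivery
        ("tcp", "203.0.113.7", 51001, SERVER, 443),   # OWA over SSL
        ("tcp", "203.0.113.7", 51002, SERVER, 135),   # RPC endpoint mapper
        ("tcp", "203.0.113.7", 51003, SERVER, 1030),  # Exchange dynamic RPC port
        ("tcp", SERVER, 1044, "198.51.100.9", 25),    # server sending mail out
        ("tcp", "198.51.100.9", 25, SERVER, 1044),    # reply, allowed by state
        ("udp", "203.0.113.7", 40000, SERVER, 53),    # public DNS query
    ]
    return [fw.packet(*p) for p in packets]
```

The verdicts show the two RPC attempts denied while the SMTP reply on the server's ephemeral port 1044 is admitted through state rather than through an open port.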

Leythos,

I have bought a Symantec 360 Security Gateway Firewall and it does not allow me to put the same IP on the two interfaces; in fact it is not even allowing me to put two different IPs on the same mask.

Reply to
Ravi

Why not just implement DROP-IN mode where the firewall has the SAME IP on both sides of the network - public assigned to both sides, then you don't have to worry about anything - you just map rules between ip:ip?

Reply to
Leythos

Unfortunately, I'm not a Symantec type chap, so I can't help. I would suggest that you contact them, send them your network plan, and ask them what they would suggest. If you are under contract with them, then they should be able to help.

I can't help without knowing your network, and each time you post I only learn a little more, and it's not enough.

Reply to
Leythos

If you want to have the same subnet on both the LAN and a WAN side, you have to disable NAT first (it doesn't make sense with the same subnet on both sides):

Firewall -> Advanced -> Disable NAT Mode.

On the other hand, if you do this, you won't have any NAT routing for the other WAN port either, and if I understood your broken diagram correctly, you'd want that.

My guess is that you should hire a networking person who can design a solution for you, and that the Symantec 360 should go back to the store -- it's really not meant for this, but for load balancing/failover operations with VPN functionality.

Regards,

Reply to
Arthur Hagen
