Hi all,

I'm planning to put:
- DCSERVER on LAN interface, with private ip (192.168.0.x)
- MAILSERVER on DMZ interface, with public ip (A.B.C.D)

What ports do I have to allow on the firewall, to let MAILSERVER
communicate with DCSERVER and vice versa?

DCSERVER usually acts as DHCP and DNS server for LAN clients.

Now that MAILSERVER is on a public static IP (A.B.C.D), how can it know
that the DCSERVER for my domain (mycompany.com) can be reached on IP
192.168.0.123? It is no longer on the LAN DHCP network ...

I can enable DNS forwarding on my firewall. What DNS records will the
mail server query to find the domain controller? I can fake them on
the firewall to resolve to 192.168.0.123 ...

Thank you i.a.,

Marco
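An added example, not taken from any post in this thread, of the check a practitioner would run to answer Marco's two questions from the mail server's side: which DNS records the domain controller locator actually queries (the SRV records under the _msdcs subdomain), and which TCP ports a domain member then needs to reach the DC. The domain name and DC address are the thread's own placeholders (mycompany.com, 192.168.0.123); the script assumes a current Windows host with the Resolve-DnsName and Test-NetConnection cmdlets, which did not exist on the 2008-era systems being discussed.

```powershell
# Added example, not part of the thread. Assumptions: the DC at 192.168.0.123
# is the DNS server for mycompany.com (thread placeholders), and this runs on
# Windows 8 / Server 2012 or later (Resolve-DnsName, Test-NetConnection).
param(
    [string]$Domain    = 'mycompany.com',
    [string]$DnsServer = '192.168.0.123'
)

# SRV records the DC locator queries (site-less lookup order is an assumption;
# a site-specific _sites.<site> lookup normally comes first).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # any writable DC, LDAP
    "_kerberos._tcp.dc._msdcs.$Domain",  # KDC on a DC
    "_ldap._tcp.gc._msdcs.$Domain",      # global catalog (Exchange depends on it)
    "_kpasswd._tcp.$Domain"              # Kerberos password change
)

# TCP ports a domain member opens towards a DC. Not exhaustive: RPC over the
# dynamic high-port range and UDP 53/88/123 are not covered by a TCP probe.
$memberPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, Netlogon)' },
    @{ Port = 464;  Service = 'Kerberos kpasswd' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog LDAP' }
)

# Step 1: can this host's resolver locate a DC at all?
$dcTargets = @()
foreach ($name in $srvNames) {
    try {
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop
        foreach ($a in ($answers | Where-Object { $_.Type -eq 'SRV' })) {
            Write-Output ("{0,-40} -> {1}:{2}" -f $name, $a.NameTarget, $a.Port)
            $dcTargets += $a.NameTarget
        }
    } catch {
        Write-Warning "No SRV answer for $name from ${DnsServer}: $($_.Exception.Message)"
    }
}
$dcTargets = $dcTargets | Sort-Object -Unique

# Step 2: for every DC the SRV records point at, probe the required TCP ports.
# Each BLOCKED line is a firewall rule the DMZ placement would force you to add.
foreach ($dc in $dcTargets) {
    foreach ($p in $memberPorts) {
        $open = Test-NetConnection -ComputerName $dc -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $state = if ($open) { 'open' } else { 'BLOCKED' }
        Write-Output ("{0,-30} {1,5}/tcp {2,-24} {3}" -f $dc, $p.Port, $p.Service, $state)
    }
}
```

Two points the output makes concrete. First, the SRV answers carry the DC's host name, not its address, so a single faked entry for mycompany.com on the firewall is not enough: the A record for that host name must also resolve from the DMZ, which is why a conditional forwarder to the internal DNS is the usual approach. Second, the port list plus the RPC dynamic range is what "too many" means in the reply below; every open port is a path from the DMZ host into the domain controller, which is the risk the replies are pointing at.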

Re: dc server on lan, exchange on dmz by Martin

Martin
Mon Aug 18 10:13:12 CDT 2008

Marco, Exchange in the DMZ is not a supported configuration and of very
little (if any) value.
Maybe you want to take a read of this:
http://www.sembee.co.uk/archive/2006/02/23/7.aspx



"M. Simioni" <m.simioni@gmail.com> wrote in message
news:d76c469d-35cf-4469-8320-916222a8839d@i76g2000hsf.googlegroups.com...
> Hi all,
>
> I'm planning to put:
> - DCSERVER on LAN interface, with private ip (192.168.0.x)
> - MAILSERVER on DMZ interface, with public ip (A.B.C.D)
>
> What ports do I have to allow on the firewall, to let MAILSERVER
> communicate with DCSERVER and vice versa?
>
> DCSERVER usually acts as DHCP and DNS server for LAN clients.
>
> Now that MAILSERVER is on a public static IP (A.B.C.D), how can it know
> that the DCSERVER for my domain (mycompany.com) can be reached on IP
> 192.168.0.123? It is no longer on the LAN DHCP network ...
>
> I can enable DNS forwarding on my firewall. What DNS records will the
> mail server query to find the domain controller? I can fake them on
> the firewall to resolve to 192.168.0.123 ...
>
> Thank you i.a.,
>
> Marco


Re: dc server on lan, exchange on dmz by Lanwench

Lanwench
Mon Aug 18 10:16:37 CDT 2008

M. Simioni <m.simioni@gmail.com> wrote:
> Hi all,
>
> I'm planning to put:
> - DCSERVER on LAN interface, with private ip (192.168.0.x)
> - MAILSERVER on DMZ interface, with public ip (A.B.C.D)

Don't do that; it's really not secure. Put it on your LAN. What's your goal?
There's probably a better way to accomplish it.

Do you have ISA?
>
> What ports do I have to allow on the firewall, to let MAILSERVER
> communicate with DCSERVER and vice versa?

Too many :)
>
> DCSERVER usually acts as DHCP and DNS server for LAN clients.
>
> Now that MAILSERVER is on a public static IP (A.B.C.D), how can it know
> that the DCSERVER for my domain (mycompany.com) can be reached on IP
> 192.168.0.123? It is no longer on the LAN DHCP network ...

DHCP has nothing to do with it - but the fact that there's no connectivity
does. A DMZ *doesn't* connect into the LAN - otherwise it isn't a DMZ.
>
> I can enable DNS forwarding on my firewall. What DNS records will the
> mail server query to find the domain controller? I can fake them on
> the firewall to resolve to 192.168.0.123 ...
>
> Thank you i.a.,
>
> Marco

Also, be sure to include your version & SP levels of everything when you
post in any MS server group, as answers usually vary by version.