topic Exchange 2016 Mailbox Servers in the DMZ in General Topics

Exchange 2016 Mailbox Servers in the DMZ

jambulo — Wed, 11 Jan 2017 19:46:00 GMT

Has anyone had any issues deploying Exchange 2016 servers in a "DMZ" behind the Palo Alto firewall?

Microsoft does not support this configuration and their preferred architecture is to put the Exchange servers in the internal network. Because these Exchange servers are public facing, we are pushing to have the servers set up in our DMZ.

Re: Exchange 2016 Mailbox Servers in the DMZ

OtakarKlier — Wed, 11 Jan 2017 22:40:43 GMT

Hello,

What you are attempting to do is the right approach, in my opinion. The logs are your best friend when it comes to this. Check for any traffic not getting to where it needs to go. I always put a DENYALL rule as the last rule so I can see clearly if it is being hit by any traffic and adjust or add rules above it.

Hope this helps.

Re: Exchange 2016 Mailbox Servers in the DMZ

BPry — Thu, 12 Jan 2017 17:34:54 GMT

Microsoft doesn't support it because it's a time consuming thing to setup; as long as you have the time to monitor the logs and open the ports that are actually needed you really aren't going to run into any issues. I'm actually not sure why Microsoft really discorages this configuration, I assume because it causes an issue with setting up autodiscover if you don't have the right ports open?

Re: Exchange 2016 Mailbox Servers in the DMZ

Retired Member — Fri, 13 Jan 2017 21:41:34 GMT

I'm sure they advise against it because they don't want to have their support folks or system level contractors have to worry about something obstructing access. There's also the argument of local Windows firewalls. I personally disagree with the idea of not putting it a segregated environment--especially because as of 2016 Outlook Web Access also runs on the same server. As long as the correct ports (and app-ids) are defined it should work.