I have inherited a 2003 Exchange server that is multihomed with a DMZ and an internal address. I am assuming that the DMZ was set up to manage OWA.
At times the OWA does not come up from the outside. It seems to be intermittent at best. I have the DMZ gateway set with a persistent route with a metric of 1 and the internal set with a metric of 20. It almost acts like it is reverting back to the internal gateway even though I have persistent routes set.
This configuration worked fine on a PIX 515E and since we moved over to a Cisco ASA 5505 we started seeing this issue. The firewall rules are the same on both devices, so I am not sure what to look at next.
There does not seem to be a clear answer on Exchange in the DMZ or local network. I have read it both ways and everyone has their own way of doing things and varying opinions follow. My thinking is that Exchange needs to be on the inside as it has to be a domain member. Not sure how to proceed, so any help would be appreciated.
John,
From the post it looks like you have two different NICs, which can be painful to troubleshoot. Also, most of the network/security guys don't like this configuration.
When forced to put my Front-end server in the DMZ, I've set the Exchange services to run on static ports and opened up the firewall to allow those ports and those to communicate with the local DCs.
If you want to keep it in the DMZ, I can resurrect my documentation on static mappings and firewall settings. The easy (but not always the most secure) answer though would be to move the front-end server to the internal network and open HTTPS access from the internet.
- Joel
I do have 2 NICs installed in the machine, and you are right on the troubleshooting issue. In the end I chose to leave all the same way and open 80 and 443 to the DMZ side and I removed the gateway from the internal network on the machine. With that being done, OWA has been rock solid for a couple of days now. I am not sure why it reverted back and stopped working but this will work for now. I am going to implement a whole new infrastructure in the coming months with a new DC and a new Exchange server. I will have at that point the time to do everything correct from the beginning.
Thanks for your help.
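One way to check what a multihomed Windows host is actually doing with its default routes, added here as an illustration and not part of the thread: parse the output of `route print`, list every 0.0.0.0/0.0.0.0 entry in Active Routes, work out which gateway wins on metric, and compare it with the Persistent Routes entry. The two route tables below are constructed for this example (addresses, interface names and metrics are made up) and stand for the state described in the question (two default gateways, one per NIC) and the state after the fix above (gateway removed from the internal NIC). Real metrics depend on the host's interface metric settings, so treat the sample values as placeholders.

```python
"""Audit the default routes of a multihomed Windows host from `route print` output.

Added example; the route tables are constructed and not taken from the thread.
"""
import re
from dataclasses import dataclass

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Active Routes rows: destination, netmask, gateway, interface, metric
ACTIVE_ROW = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")
# Persistent Routes rows: destination, netmask, gateway, metric (no interface column)
PERSISTENT_ROW = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


@dataclass
class Route:
    dest: str
    mask: str
    gateway: str
    interface: str  # "" for persistent routes, which route print lists without one
    metric: int


# Constructed sample: two NICs, each with its own default gateway (the situation in
# the question). 192.168.1.x is the internal side, 172.16.50.x the DMZ side.
ROUTE_PRINT_BEFORE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.10     10
          0.0.0.0          0.0.0.0     172.16.50.1    172.16.50.10     20
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
      172.16.50.0    255.255.255.0    172.16.50.10    172.16.50.10     20
      192.168.1.0    255.255.255.0    192.168.1.10    192.168.1.10     10
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      172.16.50.1       1
"""

# Constructed sample: same host after the internal NIC's gateway was removed.
ROUTE_PRINT_AFTER = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.16.50.1    172.16.50.10     20
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
      172.16.50.0    255.255.255.0    172.16.50.10    172.16.50.10     20
      192.168.1.0    255.255.255.0    192.168.1.10    192.168.1.10     10
Default Gateway:       172.16.50.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      172.16.50.1       1
"""


def parse_route_print(text):
    """Return (active_routes, persistent_routes) parsed from `route print` text."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes"):
            section = "active"
            continue
        if stripped.startswith("Persistent Routes"):
            section = "persistent"
            continue
        if section == "active":
            m = ACTIVE_ROW.match(line)
            if m:
                dest, mask, gw, iface, metric = m.groups()
                active.append(Route(dest, mask, gw, iface, int(metric)))
        elif section == "persistent":
            m = PERSISTENT_ROW.match(line)
            if m:
                dest, mask, gw, metric = m.groups()
                persistent.append(Route(dest, mask, gw, "", int(metric)))
    return active, persistent


def audit_default_routes(text):
    """Find every default route, pick the one Windows uses (lowest metric) and
    report mismatches against the persistent default route."""
    active, persistent = parse_route_print(text)
    is_default = lambda r: r.dest == "0.0.0.0" and r.mask == "0.0.0.0"
    defaults = sorted(filter(is_default, active), key=lambda r: r.metric)
    wanted = list(filter(is_default, persistent))
    findings = []
    if not defaults:
        findings.append("no active default route")
        return {"winner": None, "defaults": defaults, "findings": findings}
    winner = defaults[0]
    if len(defaults) > 1:
        losers = ", ".join(f"{r.gateway} via {r.interface} (metric {r.metric})" for r in defaults[1:])
        findings.append(f"{len(defaults)} default routes; {winner.gateway} via {winner.interface} "
                        f"(metric {winner.metric}) wins; not used: {losers}")
    for p in wanted:
        if p.gateway != winner.gateway:
            findings.append(f"persistent default route wants {p.gateway} (metric {p.metric}) but the "
                            f"active winner is {winner.gateway}; a gateway configured on another "
                            f"adapter is overriding it")
    return {"winner": winner, "defaults": defaults, "findings": findings}


if __name__ == "__main__":
    for label, table in (("before", ROUTE_PRINT_BEFORE), ("after", ROUTE_PRINT_AFTER)):
        result = audit_default_routes(table)
        print(label, "->", result["findings"] or ["single default route, matches persistent route"])
```

The point of the check is that Windows selects one default route by metric regardless of which NIC a connection arrived on, so with two default gateways the replies to OWA sessions from the internet can leave through the internal gateway and never make it back through the DMZ firewall. Removing the second gateway, as was done here, leaves exactly one 0.0.0.0 route, which is what the audit reports for the "after" table.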
Thanks for following up. Do you plan on moving to Exchange 2007 when you implement the new infrastructure?
Yes, that is the plan. OWA for 2007 is very nice and will make all of the users happy. This is a small organization that I am working with and starting fresh will be nice and pretty painless. There are minimal permissions and the users manage mailboxes very well.