
Exchange Server in DMZ or LAN network

Do you need to place the Microsoft Exchange Server in the DMZ or the LAN network? Do you want to know what the best practice is for Exchange in the DMZ? In this article, you will learn whether you should place an Exchange Server in the DMZ or the LAN network.

What is DMZ

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork. It contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN). An external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network. If its design is effective, it gives the organization extra time to detect and address breaches before they penetrate further into the internal networks.

Exchange Server in DMZ or LAN network

When installing Exchange Server, you can install one of the two roles:

  • Exchange Mailbox server role
  • Exchange Edge Transport server role

Each Exchange role, Mailbox or Edge Transport, serves a different purpose. That’s why the best practice is to place the Exchange Mailbox server in the LAN network and the Exchange Edge Transport server in the DMZ network. The two Exchange server roles need different network ports to get mail flow working.

Important: Do not restrict the network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers, in any type of topology. If you have firewalls or network devices that could potentially restrict or alter this kind of network traffic, you need to configure rules that allow free and unrestricted communication between these servers: rules that allow incoming and outgoing network traffic on any port, including random RPC ports.

Exchange Mailbox server role in LAN

Microsoft recommends that you place the Exchange Mailbox server role in the LAN network. Place it in the LAN network because the Exchange Mailbox server needs to communicate with Active Directory (AD). Most of the Exchange configuration is stored in AD.

Don’t move the Exchange Mailbox server to the DMZ network. If you do that, it loses communication with the domain controllers on the private LAN, and the Exchange Mailbox server will not function. Keep the Exchange Mailbox server next to your Domain Controllers in the LAN network.

(Figure: Exchange Server in DMZ or LAN, network ports required for the Mailbox server role)

Network ports required for mail flow with Mailbox servers

It’s important to open the following ports if you have an Exchange Mailbox server.

*DNS resolution of the next mail hop is a fundamental part of mail flow in any Exchange organization. Exchange servers that are responsible for receiving inbound mail or delivering outbound mail must be able to resolve both internal and external hostnames for proper mail routing, and all internal Exchange servers must be able to resolve internal hostnames for proper mail routing. There are many different ways to design a DNS infrastructure, but the important result is to ensure that name resolution for the next hop works properly for all of your Exchange servers.
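The checks below are an added example, not code from the original article. Run from an internal Mailbox server, the script verifies the two things this section depends on: that the next mail hop (internal and external) resolves in DNS, and that the Mailbox server can reach the Edge Transport server in the DMZ on the ports Exchange uses between those roles (SMTP on TCP 25 and EdgeSync on TCP 50636, both initiated from the Mailbox side). It also confirms that nothing filters traffic between internal Exchange servers, as the Important note above requires. The host names are constructed placeholders.

```powershell
# Added example (not from the original article). Run in PowerShell on an internal
# Exchange Mailbox server. All names below are constructed placeholders.
$EdgeServer   = 'edge01.perimeter.example'   # assumed Edge Transport server in the DMZ
$InternalHost = 'mbx02.corp.example'         # assumed second internal Mailbox server
$ExternalHost = 'mx.partner.example'         # assumed external next hop for outbound mail

# 1. Name resolution of the next hop. Inbound/outbound servers must resolve both
#    internal and external names; every internal server must resolve internal names.
foreach ($name in @($EdgeServer, $InternalHost, $ExternalHost)) {
    try {
        $answer = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
        Write-Host ("DNS  OK   {0} -> {1}" -f $name, ($answer.IPAddress -join ', '))
    } catch {
        Write-Warning ("DNS  FAIL {0}: {1}" -f $name, $_.Exception.Message)
    }
}

# 2. Mailbox -> Edge: SMTP (TCP 25) for mail flow and EdgeSync (TCP 50636, secure LDAP).
#    Both connections are opened by the Mailbox server, so these are the only ports the
#    DMZ firewall needs to allow from the LAN towards the Edge Transport server.
foreach ($port in 25, 50636) {
    $r = Test-NetConnection -ComputerName $EdgeServer -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
    Write-Host ("TCP  {0} {1}:{2}" -f $state, $EdgeServer, $port)
}

# 3. Internal Exchange-to-Exchange traffic must not be filtered at all (random RPC
#    ports included). The RPC endpoint mapper on TCP 135 is a quick indicator: if it is
#    blocked, a firewall sits between internal Exchange servers, which is unsupported.
$r = Test-NetConnection -ComputerName $InternalHost -Port 135 -WarningAction SilentlyContinue
if (-not $r.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $InternalHost is blocked: remove any filtering between internal Exchange servers."
} else {
    Write-Host "TCP  OK   $InternalHost:135 (no filtering detected between internal servers)"
}
```

A FAIL on step 1 for the external name points at the DNS design rather than the firewall; a FAIL on step 2 means the DMZ firewall does not yet allow the Mailbox-to-Edge path; a FAIL on step 3 is the unsupported configuration the Important note warns about.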

Exchange Edge Transport server role in DMZ

Microsoft recommends that you place the Exchange Edge Transport server in the DMZ network. Place it in a perimeter network that’s outside of your organization’s internal Active Directory forest.

(Figure: Exchange Server in DMZ or LAN, network ports required for the Edge Transport server role)

Edge Transport servers are almost always located in a perimeter network, so it’s expected that you’ll restrict network traffic between the Edge Transport server and the Internet, and between the Edge Transport server and your internal Exchange organization. The required network ports are described below.

Network ports required for mail flow with Edge Transport servers

It’s important to open the following ports if you have an Exchange Edge Transport server.
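Since the Edge Transport server sits in the perimeter network, the firewall around it should admit only the ports mail flow needs. The Windows Firewall rule set below is an added example written for this article, not configuration from the article or from Microsoft: it allows SMTP (TCP 25) from any source, because both the Internet and the internal Mailbox servers deliver to the Edge on that port, and allows EdgeSync (secure LDAP, TCP 50636) only from the internal Mailbox subnet, because that connection is always initiated by the Mailbox servers. The subnet is a constructed placeholder; the same scoping applies to the perimeter firewall in front of the server.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the Edge Transport server. Subnet value is a constructed placeholder.
$InternalMailboxSubnet = '10.10.20.0/24'   # assumed LAN subnet holding the Mailbox servers

# Weak configuration to remove if present: a catch-all rule exposing every port to any source.
Get-NetFirewallRule -DisplayName 'Edge - allow all' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# SMTP inbound on TCP 25: Internet senders and internal Mailbox servers both deliver here,
# so the source cannot be narrowed further at this layer.
New-NetFirewallRule -DisplayName 'Edge - SMTP inbound' -Direction Inbound -Protocol TCP `
    -LocalPort 25 -RemoteAddress Any -Action Allow -Profile Any

# EdgeSync on TCP 50636 is opened by the Mailbox servers in the LAN, so accept it only
# from that subnet; the Internet never needs to reach this port.
New-NetFirewallRule -DisplayName 'Edge - EdgeSync from Mailbox' -Direction Inbound -Protocol TCP `
    -LocalPort 50636 -RemoteAddress $InternalMailboxSubnet -Action Allow -Profile Any

# Everything else inbound stays blocked by the default inbound policy of every profile.
# (Outbound SMTP to the Internet/Mailbox servers and DNS on port 53 use the default
# outbound-allow policy and need no extra rule here.)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Review the resulting rules with their port and source-address scope.
Get-NetFirewallRule -DisplayName 'Edge - *' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule = $_.DisplayName
        Port = $portFilter.LocalPort
        From = $addrFilter.RemoteAddress
    }
} | Format-Table -AutoSize
```

The review table at the end is the check worth keeping in a runbook: the SMTP rule should show `Any` as its source and the EdgeSync rule should show only the Mailbox subnet, and no other inbound rule for the Edge should appear.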


Read more: Exchange 2016 firewall ports for mail flow and clients »

Conclusion

In this article, you learned the best practice for placing an Exchange Server in the DMZ or the LAN network. The only Exchange role Microsoft supports in a DMZ is the Edge Transport role. Everything else has to be in the internal network (LAN). Did you enjoy this article? If so, you may like the article Get the allocation unit size with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Connect with ALI TAJRAN on social media. Read more »
