Forum Discussion

Mark_Tkachyk
13 years ago

Mobile Search in the DMZ

The documentation for Enterprise Vault Mobile Search says that it is recommended to install the server in the intranet and apply a reverse proxy in the DMZ to facilitate outside connections. My problem is that my customer doesn't think this is very secure and wants to put the Mobile Search server in the DMZ. Does anyone know what ports are required to be open in the firewall between the Mobile Search server and the other EV servers? Is it just an https connection or does it require everything that would need to be open if the firewall was between two EV servers?

thanks,

Mark

  • Just curious.. why do they think it's not secure? One single port open ... traffic logged to a file by Windows (the IIS logs) ... DMZ deployments not recommended for far more complex components than EV (eg CAS servers - http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx)

    Also, as you have probably seen, in the Setting Up Exchange Server Archiving guide, Symantec says (with my highlighting):

    <snip>

    Note the following:
    ■ Mobile Search requires access to the domain controller and Enterprise Vault
    server(s). We recommend that in a production environment you should deploy
    it on the intranet behind a firewall. Mobile Search should be made available
    on the Internet through a reverse proxy server in the DMZ. However, a reverse
    proxy server in the DMZ is not mandatory, and Mobile Search can be installed
    without it.
    ■ We recommend that in a production environment you should install Mobile
    Search on a separate server from Enterprise Vault and certain other
    applications.
    See “Prerequisites for Enterprise Vault Mobile Search in a production
    environment” on page 195.

    </snip>

  • Rob,

    Thanks for that link. The problem was that they had an architect who wants all external facing applications to follow the security best practice of having a server in the DMZ. I pointed out that their CAS server sits in the internal network and they have a reverse-proxy setup in the DMZ to support this. I opened a support case but didn't really get anywhere. Eventually, the customer decided not to bother with Mobile Search at this time.

    I think that Symantec should update the documentation to either indicate what ports are required open for this or else state that an internal implementation is the only configuration supported. The way it is written now, it implies that there are other options but not enough information is given to implement them.

    Mark