12-10-2012 12:17 PM
The documentation for Enterprise Vault Mobile Search says that it is recommended to install the server in the intranet and apply a reverse proxy in the DMZ to facilitate outside connections. My problem is that my customer doesn't think this is very secure and wants to put the Mobile Search server in the DMZ. Does anyone know what ports are required to be open in the firewall between the Mobile Search server and the other EV servers? Is it just an https connection or does it require everything that would need to be open if the firewall was between two EV servers?
thanks,
Mark
12-11-2012 03:04 PM
Just curious... why do they think it's not secure? One single port open... traffic logged to a file by Windows (the IIS logs)... DMZ deployments not recommended for far more complex components than EV (e.g. CAS servers - http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx)
Also, as you have probably seen, in the Setting Up Exchange Server Archiving guide, Symantec says (with my highlighting):
<snip>
</snip>
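Rob's point that an exposed web front end leaves its own audit trail in the IIS logs is easy to act on. The following is an added example, not code from this thread and not a Symantec tool: it parses IIS W3C extended log text, honouring the #Fields header, and summarises who connected, what status codes they got, and whether anything arrived on a port other than the single HTTPS listener you expect to be open. The log lines, the client IP addresses, the /MobileSearch/ path and the choice of 443 as the expected port are all constructed for illustration and are not taken from the thread or the EV documentation.

```python
"""Summarise IIS W3C extended logs for an externally reachable site (added example)."""
from collections import Counter

EXPECTED_PORT = "443"  # assumption: the one HTTPS listener that should be exposed

# Constructed sample log. Hosts, IPs and the /MobileSearch/ path are hypothetical.
# IIS writes '-' for empty fields and replaces spaces in the user agent with '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-12-11 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-12-11 08:01:02 10.0.1.5 GET /MobileSearch/ - 443 - 203.0.113.7 Mozilla/5.0+(iPhone) 200 0 0 120
2012-12-11 08:01:09 10.0.1.5 POST /MobileSearch/Search - 443 - 203.0.113.7 Mozilla/5.0+(iPhone) 200 0 0 340
2012-12-11 08:02:15 10.0.1.5 GET /MobileSearch/ - 443 - 198.51.100.23 python-requests/2.0 401 2 5 3
2012-12-11 08:02:16 10.0.1.5 GET /MobileSearch/ - 443 - 198.51.100.23 python-requests/2.0 401 2 5 2
2012-12-11 08:03:40 10.0.1.5 GET /MobileSearch/ - 80 - 198.51.100.23 curl/7.27.0 403 4 0 2
2012-12-11 08:04:00 10.0.1.5 GET
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names.

    Other directives (#Software, #Version, #Date) are skipped. A #Fields line
    redefines the columns, since IIS emits one per file and again after a
    logging-configuration change. Rows whose column count does not match the
    header (truncated writes, for example) are dropped rather than misaligned.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def summarize(rows):
    """Count requests per client and per status; flag auth failures and off-port hits."""
    per_client = Counter(r["c-ip"] for r in rows)
    per_status = Counter(r["sc-status"] for r in rows)
    auth_failures = Counter(r["c-ip"] for r in rows if r["sc-status"] in ("401", "403"))
    off_port = [r for r in rows if r["s-port"] != EXPECTED_PORT]
    return {
        "clients": per_client,
        "status": per_status,
        "auth_failures": auth_failures,
        "off_port": off_port,
    }


if __name__ == "__main__":
    summary = summarize(parse_iis_w3c(SAMPLE_LOG))
    for ip, n in summary["clients"].most_common():
        print(f"{ip}: {n} requests, {summary['auth_failures'][ip]} auth failures")
    for r in summary["off_port"]:
        print(f"unexpected port {r['s-port']} from {r['c-ip']} at {r['date']} {r['time']}")
```

A hit on port 80 from an internet address, as in the last valid sample row, is exactly the kind of finding that settles the "is one port really all that is open" question with evidence rather than a diagram. Point the script at the real log directory (typically under inetpub\logs\LogFiles) and the same two functions apply unchanged.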
12-21-2012 10:19 AM
Rob,
Thanks for that link. The problem was that they had an architect who wants all external facing applications to follow the security best practice of having a server in the DMZ. I pointed out that their CAS server sits in the internal network and they have a reverse-proxy setup in the DMZ to support this. I opened a support case but didn't really get anywhere. Eventually, the customer decided not to bother with Mobile Search at this time.
I think that Symantec should update the documentation to either indicate which ports are required to be open for this, or else state that an internal implementation is the only supported configuration. The way it is written now, it implies that there are other options, but not enough information is given to implement them.
Mark