cancel
Showing results for 
Search instead for 
Did you mean: 

Mobile Search in the DMZ

Mark_Tkachyk
Level 3
Partner Accredited

The documentation for Enterprise Vault Mobile Search says that it is recommended to install the server in the intranet and apply a reverse proxy in the DMZ to facilitate outside connections.    My problem is that my customer doesn't think this is very secure and wants to put the Mobile Search server in the DMZ.   Does anyone know what ports are required to be open in the firewall between the Mobile Search server and the other EV servers?   Is it just an https connection or does it require everything that would need to be open if the firewall was between two EV servers?

thanks,

Mark

1 ACCEPTED SOLUTION

Accepted Solutions

Rob_Wilcox1
Level 6
Partner

Just curious.. why do they think it's not secure?  One single port open ...  traffic logged to a file by Windows (the IIS logs) ... DMZ deployments not recommended for far more complex components than EV (eg CAS servers - http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx)

Also, as you have probably seen, in the Setting Up Exchange Server Archiving guide, Symantec says (with my highlighting):

 

<snip>

 

Note the following:
■ Mobile Search requires access to the domain controller and Enterprise Vault
server(s).Werecommend that in a production environment you should deploy
it on the intranet behind a firewall. Mobile Search should be made available
on the Internet through a reverse proxy server in the DMZ. However, a reverse
proxy server in the DMZ is not mandatory, and Mobile Search can be installed
without it.
■ We recommend that in a production environment you should install Mobile
Search on a separate server from Enterprise Vault and certain other
applications.
See “Prerequisites for Enterprise Vault Mobile Search in a production
environment” on page 195.

</snip>

Working for cloudficient.com

View solution in original post

2 REPLIES 2

Rob_Wilcox1
Level 6
Partner

Just curious.. why do they think it's not secure?  One single port open ...  traffic logged to a file by Windows (the IIS logs) ... DMZ deployments not recommended for far more complex components than EV (eg CAS servers - http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx)

Also, as you have probably seen, in the Setting Up Exchange Server Archiving guide, Symantec says (with my highlighting):

 

<snip>

 

Note the following:
■ Mobile Search requires access to the domain controller and Enterprise Vault
server(s).Werecommend that in a production environment you should deploy
it on the intranet behind a firewall. Mobile Search should be made available
on the Internet through a reverse proxy server in the DMZ. However, a reverse
proxy server in the DMZ is not mandatory, and Mobile Search can be installed
without it.
■ We recommend that in a production environment you should install Mobile
Search on a separate server from Enterprise Vault and certain other
applications.
See “Prerequisites for Enterprise Vault Mobile Search in a production
environment” on page 195.

</snip>

Working for cloudficient.com

Mark_Tkachyk
Level 3
Partner Accredited

Rob,

Thanks for that link.   The problem was that they had an architect who wants all external facing applications to follow the security best practice of having a server in the DMZ.    I pointed out that their CAS server sits in the internal network and they have a reverse-proxy setup in the DMZ to support this.    I opened a support case but didn't really get anywhere.   Eventually, the customer decided not to bother with Mobile Search at this time.  

I think that Symantec should update the documentation to either indicate what ports are required open for this or else state that and internal implementation is the only configuration supported.   The way it is written now, it implies that there are other options but not enough information is given to implement them.

 

Mark