Whether to put Exchange server in DMZ or internal network

We use an SMTP relay that sits in front of our Exchange 5.5 server. This product does some filtering, blocking and archiving for regulatory compliance. Right now it is inside the firewall, but we recongnize the need to put this machine in a DMZ area.

The internal debate is whether or not the Exchange server itself should go in the DMZ or stay in the internal network. One side says put Exchange (5.5, but moving to 2K) in the DMZ to eliminate traffic from the outside to the inside. The other side of the debate feels that puts sensitive information closer to the edge of the network and that the data is safer on the inside.

Can you offer any suggestions to help us break the deadlock?

Deadlock broken: Put the relay in the DMZ and leave the Exchange server in protected space.

For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Infrastructure and network security
Ask the Expert: Guidelines for designing a DMZ with defined levels of access
Ask the Expert: Placement of security solutions on a network

This was last published in January 2003

Dig Deeper on Enterprise network security