Question for feedback on where enterprises are placing BES servers (i.e. which network) with underlying Domino servers on the same box, and some of the concerns around having the full NAB in a DMZ.
It is a known bad thing to have a full copy of the Domino domain directory in a DMZ network where the possibility of that being compromised is greater than on an internal network. A couple of docs from IBM from 2004 (while discussing placing SMTP relays in the DMZ; see here: IBM Developer) highlight the concerns on DMZ placement, and suggest scaling back what the NAB contains in the event a Domino SMTP service is located there.
RIM does not support DMZ placement of BES servers themselves in the DMZ, only the BES routers. Unfortunately the only technote that RIM has published on the “non support in a DMZ” pertains to Exchange, not Domino, and although that is inferred for Domino, our security team has mandated DMZ placement anyways based on that laughable loophole in RIM’s documentation.
Not sure the NAB can be scaled back in a DMZ à la the SMTP scenario discussed above, and still support the BES functionality.
Question: does anyone have a BES environment with an underlying Domino server in a DMZ, and if so, what have you done to the NAB, if anything, to secure it better?
Thanks in advance for your time and feedback.