Not all DMZs are Created Equal -- Why You Need Perimeter Firewalls and Bullet Proof Vests

I had to find out what the deal was with the change in recommendation, so I was able to buttonhole a few Exchange guys who might be able to provide a rationale for their decision. Their collective opinion was that "you have to make cheese out of the firewall to allow intradomain communications, or use an IPSec tunnel through the firewall, so there's no sense in having a firewall there at all".

What? There's no sense in having a firewall at all? That's like a cop saying "I don't wear a bullet proof vest when I'm on the streets, since they can just shoot me in the head".

Yes, the scumbag could shoot you in the head, but the bullet proof vest provides a significant level of protection for a large area of physical vulnerability. No, it won't protect you from head shots, neck shots, bleed outs from femoral artery leg shots, or pulmonary emboli secondary to shattering of the tibia. But the bullet proof vest still protects you from all the bad things that can happen if you weren't wearing a vest, such as shots through the heart, lungs, liver, kidney, stomach, pancreas and intestines.

I ran this analogy through my ex-cop wife, Deb Shinder, and asked her if there were cops who thought the same way as the Exchange team in terms of their firewall recommendations for front-end and back-end Exchange Servers. She said there are rookies who think the same way as the Exchange team, but they usually don't last long. They either catch a slug in their center mass or they see their partner get hit. Either way, they don't hit the streets again without their own "personal firewall".

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**