Re: OWA 2003 in DMZ ??

From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 02/21/04


Date: Sat, 21 Feb 2004 09:13:25 -0500

Why bother? Since you're putting it on a DC, there's really no point in
trying to secure it now is there?
Since you're not using a layer-7 firewall that understands the calls, why
secure the transmission?

I throw that out there, but I also realize that there's more to it than
that. Don't get me wrong, I think that we have to work in the confines
we're living in, but what you're doing seems more like an exercise in
futility.

The comm between a FE and BE server is tcp 80. 443 only comes into play if
you have installed a cert on the BE. Other options would be to use VPN
tunnels. The FE server normally needs to talk with other domain controllers
etc, but you've short-circuited that by placing it on a DC already. It's smart
enough (out of the box) to know that you don't need to go to other domain
controllers since there's one local that's "less expensive" to use.

Putting all of that together, is there really any reason for you to have put
this in the DMZ? I mean, your network directory is in the DMZ, your
application is in the DMZ, effectively moving your border out into the DMZ
(you've put what you're trying to protect on the outside of the castle walls
so to speak).

Good luck.

Al

"goofy" <ole.madsen@noosspam.omc.dk> wrote in message
news:uFPYrDI%23DHA.4088@tk2msftngp13.phx.gbl...
> Hi All
>
> I'm in the process of implementing an exchange2003 setup with OWA for
> external users.
>
> I have my internal exchange2003 server behind a firewall (LAN), and am
> planning to put my OWA on a DMZ (I'm not using ISA server for this)
>
> I have searched for an article explaining how to secure the FrontEnd to
> BackEnd communication between my two exchange servers.
>
> But since I can only install my OWA exchange2003 on a DC, some ports need
> to be opened from DMZ -> LAN (normally a bad idea).
>
> I have an SSL certificate for my OWA, and am only using port 443 inbound to
> my OWA (FE) server, but not form-based auth.
>
> I found an article on msexchange.org on how to set up in dmz, but I can't get
> it to work.
>
>
> How is your OWA installation running, just port 443 inbound to your
> LAN/exchange ??
>
> Do I need to secure my OWA further (IISlockdown or another tool)
>
> How can I performance tune my owa/exchange installation
>
>
> TIA
>
> Ole Madsen
>
>
>


