Re: Best Practices for exposing Exchange to web

From: Jim (.)
Date: 02/24/05


Date: Wed, 23 Feb 2005 16:07:33 -0800

Mark, thanks for the reply.

You suggest setting up an ISA server in the DMZ so I have a few questions.
I know I didn't mention it earlier but I currently utilize a Checkpoint
firewall for my company and I'm a little fuzzy on how I'd also integrate
another firewall (ISA) in conjunction with it. Am I completely lost?

I'm not familiar with ISA but does ISA provide some functionality I cannot
achieve with my Checkpoint firewall?

If I really need ISA, how might I go about integrating the two? Would I put
an ISA server in my Checkpoint DMZ?

I'm sorry but I don't have a clear picture on what I need to do here.

Thanks for your help and patience!

Jim

"Mark Arnold [MVP]" <mark@mvps.org> wrote in message
news:skfp11tr2hrof0kurvnf3govi91j3eeqd1@4ax.com...
> On Wed, 23 Feb 2005 07:14:20 -0800, "Jim" <.> wrote:
>
> >Hello all, We currently use Lotus Notes for e-mail and have a front end
> >server in the DMZ that handles web access. This server
> >communicates/replicates with the main server inside the firewall using only
> >one port. Fairly secure.
> >
> >We are in the process of migrating to Exchange server and I am investigating
> >how I'd set up the same type of functionality for Exchange. I've read on
> >the Microsoft site that I should set up a front end server in the DMZ and
> >open a host of ports to the internal network to facilitate the Exchange
> >version of the same - including what appears to be extending access to my AD
> >to the DMZ. This seems a little scary opening up all these ports
> >(especially exposing my AD to the DMZ) but that seems to be the
> >recommendation.
> >
> >But, while doing this research I've found many very passionate admins,
> >including several Microsoft vendors, who feel exposing all these ports is
> >risky and they "strongly" recommend just opening port 80 through the
> >firewall to the internal Exchange server. I understand the merits of having
> >a front end server - taking some load off the internal server and all that.
> >
> >Can anyone please shed some light on the best way to achieve some security
> >while providing access to Exchange from the web?
> >
> >Is opening port 80 through to the internal network more or less risky than
> >opening all the ports to the DMZ?
> >
> >Is there any way to use the front end server in the DMZ without opening so
> >many ports?
> >
> >Any advice or description of how you do this would be appreciated!!
> >
> >Thanks in advance!
> >Jim
> >
>
> Setting up an FE in the DMZ is no longer the recommended solution. It
> certainly was in the E2K / ISA2K days but no longer with E2K3 and
> ISA2K4.
>
> For an Exchange server you don't go near TCP 80 so ignore the advice
> of anyone who suggests you do. TCP 443 and use SSL is the only safe
> way to go with people's email.
>
> The best option is to set up an ISA in the DMZ and use the Form Based
> Authentication publishing to provide access to the FE in the LAN.
>
> Usually (small orgs) the ISA will be a workgroup member and you'll
> just publish. But you can just as readily configure a Radius solution
> and ensure that all users are fully authenticated before handing them
> off to the FE. This neatly prevents DoS attacks on the FE. You'll need
> experience with Radius with W2K3 but there are KB articles and papers
> for that.
>
> As for the ISA there are papers at www.isaserver.org and
> www.msexchange.org to help you configure ISA to talk to FE and
> configure the FE for SSL.
>
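The design Mark describes reduces to a small set of firewall rules: TCP 443 only from the Internet to the ISA publishing host, then SSL to the front end and RADIUS to the authentication server from the DMZ into the LAN, with no Active Directory ports crossing that boundary. The script below is an added example, not code from the thread or from any Microsoft or Checkpoint tool: it audits a constructed, simplified CSV rule set (not Checkpoint's real export format, and with placeholder host names such as isa-owa, exch-fe, radius1 and dc1) and flags the two mistakes the thread warns about, plain HTTP from the Internet and directory ports opened from the DMZ to the LAN.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample policy in a simplified CSV layout (not Checkpoint's real
# export format); host names such as isa-owa, exch-fe, radius1 and dc1 are
# placeholders for this illustration.
SAMPLE_RULES = """\
id,src_zone,dst_zone,dst_host,proto,port,action,comment
1,internet,dmz,isa-owa,tcp,443,accept,OWA over SSL to the ISA publishing host
2,internet,dmz,isa-owa,tcp,80,accept,OWA over plain HTTP
3,dmz,lan,exch-fe,tcp,443,accept,ISA to the Exchange front end over SSL
4,dmz,lan,radius1,udp,1812,accept,RADIUS pre-authentication
5,dmz,lan,dc1,tcp,389,accept,LDAP to a domain controller
6,dmz,lan,dc1,tcp,88,accept,Kerberos to a domain controller
"""

# Only TCP 443 (SSL) is expected from the Internet to the published OWA host.
ALLOWED_INTERNET_TO_DMZ = {("tcp", 443)}
# Behind the ISA, the thread's design needs SSL to the front end and RADIUS to
# the authentication server, and nothing directory-related.
ALLOWED_DMZ_TO_LAN = {("tcp", 443), ("udp", 1812)}
# Ports that mean the DMZ can talk to Active Directory (the original poster's
# main worry): LDAP, LDAPS, Kerberos and the global catalog.
DIRECTORY_PORTS = {("tcp", 389), ("udp", 389), ("tcp", 636),
                   ("tcp", 88), ("udp", 88), ("tcp", 3268), ("tcp", 3269)}


@dataclass(frozen=True)
class Finding:
    rule_id: int
    severity: str
    reason: str


def parse_rules(text):
    """Parse the CSV policy into dicts with normalised zones and integer ports."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "id": int(row["id"]),
            "src_zone": row["src_zone"].strip().lower(),
            "dst_zone": row["dst_zone"].strip().lower(),
            "dst_host": row["dst_host"].strip(),
            "proto": row["proto"].strip().lower(),
            "port": int(row["port"]),
            "action": row["action"].strip().lower(),
            "comment": row["comment"],
        })
    return rules


def audit(rules):
    """Return findings for accept rules that contradict the 443-only, no-AD-in-DMZ design."""
    findings = []
    for r in rules:
        if r["action"] != "accept":
            continue
        key = (r["proto"], r["port"])
        if r["src_zone"] == "internet" and r["dst_zone"] == "dmz":
            if key == ("tcp", 80):
                findings.append(Finding(r["id"], "high",
                    "plain HTTP from the Internet to %s; publish OWA on TCP 443 with SSL only"
                    % r["dst_host"]))
            elif key not in ALLOWED_INTERNET_TO_DMZ:
                findings.append(Finding(r["id"], "medium",
                    "unexpected %s/%d from the Internet to %s"
                    % (r["proto"], r["port"], r["dst_host"])))
        elif r["src_zone"] == "dmz" and r["dst_zone"] == "lan":
            if key in DIRECTORY_PORTS:
                findings.append(Finding(r["id"], "high",
                    "Active Directory port %s/%d opened from the DMZ to %s"
                    % (r["proto"], r["port"], r["dst_host"])))
            elif key not in ALLOWED_DMZ_TO_LAN:
                findings.append(Finding(r["id"], "medium",
                    "DMZ to LAN %s/%d to %s is outside the expected set"
                    % (r["proto"], r["port"], r["dst_host"])))
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_RULES)):
        print("rule %d [%s]: %s" % (f.rule_id, f.severity, f.reason))
```

Run as-is it reports rule 2 (port 80 from the Internet) and rules 5 and 6 (LDAP and Kerberos from the DMZ to a domain controller); rules 1, 3 and 4 are exactly the set the thread's ISA-in-the-DMZ design needs and produce no finding. To use it against a real policy, export the rule base into the same columns and replace SAMPLE_RULES.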


