Re: OWA_Frontend_Firewall



"Mark Arnold [MVP]" <mark@xxxxxxxx> wrote:

>On Fri, 1 Apr 2005 12:11:19 -0600, "Luke" <nomail@xxxxxxxx> wrote:
>
>>company policy says that I can NOT have any ports open on the firewall from
>>the WAN to LAN...
>>
>>so I have to put OWA in the DMZ and have a limited number of ports open from
>>the OWA server in the DMZ to the exchange server and DC's on the LAN
>>
>Inflexible policies, dontcha just love them.

And you think that allowing an encrypted stream of data from the
Internet to a Microsoft server on your LAN is secure? I think you've
drunk the Kool-Aid.

>Well, the article gives you the guidance there.
>You might still want to consider using the ISA in the DMZ (where the
>ISA is a workgroup box not joined to the domain) and that way you only
>open 443 from Internet to ISA and then 443 from the ISA to the
>Exchange,

If you have any form of IDS you'll do a lot better terminating the SSL
connection at the ISA server (or whatever you use to provide the SSL).
You can't see inside an encrypted data stream.

>either direct to the BE or to an FE (choice is yours on that
>score; assuming you only have one BE)
>It's certainly a lot safer than opening several ports to the FE and to
>GCs between a DMZ and a firewall.
>Present them with the options and show them the results of their
>policy.

Web-mail is insecure, too. If the policy takes that risk into account
it probably already knows that firewalls are not impermeable and that
a "real" DMZ wouldn't allow any of the stuff needed to permit access
to a mailbox server from outside the network.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
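As an added example (not part of the thread, and not anyone's posted code), the two designs argued over above written out as firewall rule sets and audited against Luke's stated policy of no ports open from the WAN to the LAN. The port list for the front-end-in-DMZ design is an illustrative assumption, not something the thread states; the host names are made up.

```python
"""Audit two OWA publishing designs against a "no WAN-to-LAN ports" policy.

Added example, not part of the original thread.  The port list for the
front-end-in-DMZ design is an illustrative assumption; confirm the real
requirements for your Exchange version before relying on it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow through the firewall."""
    src_zone: str           # "WAN", "DMZ" or "LAN"
    src_host: str           # a named host, or "any"
    dst_zone: str
    dst_host: str
    port: int
    proto: str = "tcp"


# Design A: Exchange front-end (FE) in the DMZ, talking to the back-end
# mailbox server and a domain controller / global catalog on the LAN.
# ASSUMED port list, for illustration only.
FE_IN_DMZ = [
    Rule("WAN", "any",    "DMZ", "owa-fe",  443),
    Rule("DMZ", "owa-fe", "LAN", "exch-be", 80),          # HTTP to back-end
    Rule("DMZ", "owa-fe", "LAN", "dc1",     389),         # LDAP
    Rule("DMZ", "owa-fe", "LAN", "dc1",     3268),        # global catalog
    Rule("DMZ", "owa-fe", "LAN", "dc1",     88),          # Kerberos
    Rule("DMZ", "owa-fe", "LAN", "dc1",     53, "udp"),   # DNS
    Rule("DMZ", "owa-fe", "LAN", "dc1",     135),         # RPC endpoint mapper
    Rule("DMZ", "owa-fe", "LAN", "dc1",     445),         # SMB
]

# Design B: a workgroup ISA server in the DMZ terminates the client's SSL
# session and opens a new 443 connection to Exchange on the LAN.
ISA_IN_DMZ = [
    Rule("WAN", "any", "DMZ", "isa",     443),
    Rule("DMZ", "isa", "LAN", "exch-be", 443),
]

# The thing the policy forbids outright: a direct Internet-to-LAN flow.
BAD_DIRECT = [Rule("WAN", "any", "LAN", "exch-be", 443)]


def audit(rules):
    """Return a summary of how a rule set fares against the policy.

    Checks the letter of the policy (no WAN->LAN rule at all), then the
    things a firewall reviewer looks at next: how many distinct ports and
    LAN hosts the DMZ can reach, and whether any DMZ->LAN rule is left open
    to the whole DMZ segment instead of being pinned to one host.
    """
    wan_to_lan = [r for r in rules if r.src_zone == "WAN" and r.dst_zone == "LAN"]
    dmz_to_lan = [r for r in rules if r.src_zone == "DMZ" and r.dst_zone == "LAN"]
    return {
        "policy_ok": not wan_to_lan,
        "dmz_to_lan_ports": sorted({r.port for r in dmz_to_lan}),
        "lan_hosts_reachable": sorted({r.dst_host for r in dmz_to_lan}),
        "unpinned_dmz_sources": [r for r in dmz_to_lan if r.src_host == "any"],
    }


def less_exposed(a, b):
    """True if design a opens fewer distinct DMZ->LAN ports than design b."""
    return len(audit(a)["dmz_to_lan_ports"]) < len(audit(b)["dmz_to_lan_ports"])


if __name__ == "__main__":
    for name, design in (("FE in DMZ", FE_IN_DMZ), ("ISA in DMZ", ISA_IN_DMZ),
                         ("direct to LAN", BAD_DIRECT)):
        print(name, audit(design))
```

Both DMZ designs satisfy the letter of the policy; the audit makes visible what the thread argues in prose, that the ISA design exposes one port on one LAN host where the front-end design exposes several ports on the mailbox server and a domain controller. Note that in the ISA design the inner leg is re-encrypted on 443, so a network IDS watching the DMZ-to-LAN link still sees ciphertext; the plaintext exists only on the ISA box itself, which is where Rich's point about terminating SSL where you can inspect it applies.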