Re: OWA connectivity
- From: T-Kay <TKay@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Nov 2006 12:32:02 -0800
Ok, well let's end the discussion, otherwise this will most likely go on forever. If you're using PIX on your first firewall and Checkpoint on your second "double defense" firewall, your rules will be very easy to manage even in large environments. But in truth we're not talking in terms of security anymore but in cost-effective management. It probably is cheaper to do it your way, but safer to do it my way.
I'd like to thank you (and Andy) for this discussion though. It does shed some new light on these types of situations.
Tom
"Ed Crowley [MVP]" wrote:
And I can share that when I've presented the list of ports that have to be opened, and the hosts to which they must be opened, between the DMZ and Intranet to my customers' "firewall guys", they invariably have told me that it would be safer to open just port 443 between the DMZ and the front-end server(s) and to allow their IDS systems to watch for intrusions. My customers are usually large customers, and the number of hosts with which the front-end server must communicate would require an enormous set of firewall rules, a set that is practically unmanageable.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Andy David - MVP" <adavid@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:9u4sl29hpvl5iqkf83veoujaicrcq25sli@xxxxxxxxxx
On Fri, 17 Nov 2006 11:35:01 -0800, T-Kay <TKay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
As I was driving home after my last post I was half expecting you to reply in this fashion.
First though, I'd like to admit I made a mistake in talking about SMTP port 25 while we were discussing OWA, which should be communicating HTTPS over port 443.
Secondly, opening these ports from your DMZ towards your LAN is not insecure; it is controlling what goes through to your LAN from your DMZ. Remember you're still allowing only port 443 towards your DMZ from the Internet. If you do not use this setup you're allowing port 443 towards your LAN and from then on ALL ports are available. In my explanation only the ports mentioned will be available. On top of that I'd like to add that I would use secure LDAP in this setup over port 636 instead of port 389.
If you wish I can explain this better in a Visio or some other picture, because what you are describing is far more dangerous than allowing OWA only through a DMZ. A DMZ is primarily brought to life to support publishing of websites. Whether or not you use a proxy server in this setup is up to you. If you have several websites to publish then it is preferable, but if you're only using OWA it could be more secure, but does not add much value since you still have your double defense firewall.
I have a lot of experience in setting up DMZs, firewalls and working with Exchange 5.5, 2K and 2K3 with OWA's RelayServers and the like. I've not yet met a firewall specialist that would say yes to opening port 443 or 80 towards your LAN.
This is a debate that has been going on for many a year now and there are passionate arguments on both sides. FWIW, I know firewall "specialists" who feel the way you do and some who do not.
Tom
"Ed Crowley [MVP]" wrote:
Some of those are extremely dangerous ports. What you're suggesting as a secure proposal is opening up your entire Active Directory, Windows and Exchange infrastructure to a host on your DMZ. That is foolish in the opinion of myself and many, many others. Allowing SSL port 443 only to one host on your intranet, preferably through a proxy server, is far more secure and much easier to monitor and maintain.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"T-Kay" <TKay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C1D431E-8081-4A7E-900B-AF16D437937A@xxxxxxxxxxxxxxxx
Exchange uses a different port to communicate with other Exchange servers. Setting up an Exchange server in your DMZ will allow you to accept SMTP port 25 traffic safely and only allow ports 691, 389, 3268, 88 from the front end server towards the internal Exchange server and DC.
Allowing port 25 towards your LAN is asking for trouble.
I also understand you only worked with ISA server which, even though I think ISA is a good product, I feel is not a true firewall and should be used as a proxy server only.
Tom
"Ed Crowley [MVP]" wrote:
I'm extremely confident that I can tell you that your advice is contrary to the opinion of the vast majority of Exchange MVPs for the reasons in my other post, among others.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"T-Kay" <TKay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:80C81209-F5C4-4E96-836E-0DA3907BF6CA@xxxxxxxxxxxxxxxx
Bryan,
Pointing directly to your internal mail server is not something I would expect from a firewall professional. Your setup with a DMZ and a front end OWA server is perfect. The reason for the connection problems could be any number of things. First I would check your firewall logs to check connectivity and rule out the possibility of a firewall misconfiguration. I would need more information about your problem to be more helpful.
"Bryan" wrote:
I have recently been having trouble connecting to OWA. My configuration has a front-end server in a DMZ that I was hitting for OWA, but I was told by my firewall vendor to change my rule to point directly to my back-end box on my LAN. Is this recommended? Any idea why I would have occasional trouble connecting to OWA when I was pointing to my front-end server?
Thanks.
--
Bryan
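The two rule sets argued over in this thread, written out as an added illustration in PIX 6.x access-list syntax. This is not part of the thread and was not posted by any of the participants; interface names, addresses and ACL names are assumptions. The first variant is T-Kay's design: 443 from the Internet to the front end in the DMZ, then from the front end only 691 to the back-end Exchange server and 88, 636 (in place of 389) and 3268 to the DC. Kerberos over UDP 88 is added as an assumption, since the thread lists TCP ports only. The second variant is Ed Crowley's: 443 only, from a proxy in the DMZ to a single host on the intranet.

```text
: Added illustration, not from the thread. PIX 6.x syntax, assumed topology:
:   outside  Internet-facing interface
:   dmz      192.168.10.0/24, front-end OWA server (or proxy) at 192.168.10.5
:   inside   10.0.0.0/24, back-end Exchange at 10.0.0.20, DC/GC at 10.0.0.10

: Common to both variants: the Internet reaches only the DMZ host, only on 443.
access-list outside_in remark Internet -> DMZ front end, HTTPS only
access-list outside_in permit tcp any host 192.168.10.5 eq 443
access-group outside_in in interface outside

: Variant 1 (T-Kay): enumerated host/port pairs from the front end to the LAN.
access-list dmz_in remark front end -> back-end Exchange, link state (691)
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.20 eq 691
access-list dmz_in remark front end -> DC: Kerberos (88), LDAPS (636) instead of 389, GC (3268)
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 88
access-list dmz_in permit udp host 192.168.10.5 host 10.0.0.10 eq 88
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 636
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 3268
access-list dmz_in remark everything else from the DMZ hits the implicit deny
access-group dmz_in in interface dmz

: Variant 2 (Ed Crowley): the DMZ host is a proxy; one port to one intranet host.
: (Use instead of the dmz_in list above, not in addition to it.)
access-list dmz_in_proxy remark DMZ proxy -> single intranet front end, HTTPS only
access-list dmz_in_proxy permit tcp host 192.168.10.5 host 10.0.0.20 eq 443
access-group dmz_in_proxy in interface dmz
```

Both variants rely on the implicit deny at the end of a PIX access-list and on binding the list to the DMZ interface with access-group, so whatever the DMZ host (or an attacker who has taken it over) attempts beyond the listed host/port pairs is dropped and logged. Before deploying the first variant, check the ports the front end actually needs against the Exchange front-end/back-end documentation for your version: the thread's list does not include the HTTP port the front end uses to proxy the OWA request to the back-end server, and a rule missing there shows up in the firewall logs as denied DMZ-to-inside traffic, which is where T-Kay suggests Bryan start looking.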
- References:
- Re: OWA connectivity
- From: Ed Crowley [MVP]
- Re: OWA connectivity
- From: Ed Crowley [MVP]
- Re: OWA connectivity
- From: T-Kay
- Re: OWA connectivity
- From: Andy David - MVP
- Re: OWA connectivity
- From: Ed Crowley [MVP]
- Re: OWA connectivity