Re: OWA in DMZ




There are a lot of ways to do this. Some people will go to the extreme with multiple Firewalls and ISA.
But I guess the easiest and relatively secure method is setting up a separate Exchange server in the DMZ in Front-End mode. It will not contain any mailboxes, it'll just function as an OWA server.

Configure the Firewall to forward external HTTPS (don't use HTTP!!) requests to this server in the DMZ. And configure the Firewall to allow traffic on certain ports between this server and the private network, since that's where the back-end server is located with the actual mailboxes. There are a couple of ports you need to open. Or just allow any port but only between Front-End and Back-End server, although this is less secure.

When you have this Front-End server in place with OWA you can also use this same server for Mobile Access, and RPC over HTTPS, which you will have to enable on both servers and it involves more TCP ports.

A good place to start is here, which also describes the ports needed.
http://www.microsoft.com/technet/security/prodtech/exchangeserver/secmod44.mspx

You can go to lengths with securing something like this, but it depends on the situation and risk assessment to determine how far you really want to take it. I wouldn't use anything less than what I described here, so this is kind of a baseline.


"Frederik" <Frederik@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:40E1389C-E9F0-4472-9DB0-66C0F0949CC5@xxxxxxxxxxxxxxxx
Hello,

In our company we have one exchange mailserver and a DMZ-zone. We would like
to enable the outlook web access in this DMZ-zone. So the users should
connect to a pc in the DMZ zone and not to the exchange mailserver.

What's the best way to install this?

Maybe RPC over HTTP?


Thanks
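
An added example, not part of the original posts: a small check of a firewall rule list against the baseline described in the reply (external HTTPS only to the front-end, DMZ-to-private traffic only between front-end and back-end on listed ports). The addresses, the rule format and the port allow-list are constructed placeholders; take the real port list from the Microsoft guide linked in the reply.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders (assumptions, not values from the thread).
FRONT_END = "192.0.2.10"                  # OWA front-end server in the DMZ
BACK_END = "10.0.0.20"                    # back-end mailbox server, private network
INTERNAL_NET = ip_network("10.0.0.0/24")  # private network
FE_BE_PORTS = {80, 389, 3268}             # placeholder allow-list, replace with the guide's list


def audit(rules):
    """Return (rule_index, finding) pairs for rules that break the baseline."""
    findings = []
    for i, r in enumerate(rules):
        src, dst, port = r["src"], r["dst"], r["port"]
        to_internal = ip_address(dst) in INTERNAL_NET
        if src == "internet":
            if dst != FRONT_END:
                findings.append((i, "external traffic bypasses the front-end"))
            elif port != 443:
                findings.append((i, "external access is not HTTPS (443) only"))
        elif to_internal and (src, dst) != (FRONT_END, BACK_END):
            findings.append((i, "private-network access not limited to front-end -> back-end"))
        elif to_internal and port == "any":
            findings.append((i, "any-port rule between front-end and back-end (less secure)"))
        elif to_internal and port not in FE_BE_PORTS:
            findings.append((i, "port is not on the front-end/back-end allow-list"))
    return findings


# Constructed sample rule set: two compliant rules and five deviations.
SAMPLE_RULES = [
    {"src": "internet", "dst": FRONT_END, "port": 443},    # compliant
    {"src": "internet", "dst": FRONT_END, "port": 80},     # plain HTTP exposed
    {"src": "internet", "dst": BACK_END, "port": 443},     # skips the DMZ server
    {"src": FRONT_END, "dst": BACK_END, "port": 389},      # compliant
    {"src": FRONT_END, "dst": BACK_END, "port": "any"},    # the less secure shortcut
    {"src": FRONT_END, "dst": "10.0.0.30", "port": 80},    # other internal host
    {"src": FRONT_END, "dst": BACK_END, "port": 3389},     # port not listed
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```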

