Re: OWA in DMZ
- From: "Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx>
- Date: Wed, 6 Jun 2007 12:46:52 -0700
Your suggestion isn't any cheaper than ISA and I believe compromises your
security substantially by opening ports that allow malware access into your
AD and security infrastructure. Just configuring the required firewall
entries alone should be enough to make your head spin. Installing an
Exchange 2003 server in your DMZ is tantamount to militarizing it.
ISA or another web publishing appliance is the way to go.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"RichardW" <helpdesk@xxxxxxxx> wrote in message
news:O0$MWzCqHHA.2652@xxxxxxxxxxxxxxxxxxxxxxx
There are a lot of ways to do this. Some people will go to the extreme with
multiple Firewalls and ISA.
But I guess the easiest and relatively secure method is setting up a
separate Exchange server in the DMZ in Front-End mode. It will not contain
any mailboxes, it'll just function as OWA server.
Configure the Firewall to forward external HTTPS (don't use
HTTP!!) requests to this server in the DMZ. And configure the Firewall to
allow traffic on certain ports between this server and the private
network, since that's where the back-end server is located with the actual
mailboxes. There are a couple of ports you need to open. Or just allow any
port but only between Front-End and Back-End server, although this is
less-secure.
When you have this Front-End server in place with OWA you can also use
this same server for Mobile Access, and RPC over HTTPS, which you will
have to enable on both servers and it involves more TCP ports.
A good place to start is here, which also describes the ports needed.
http://www.microsoft.com/technet/security/prodtech/exchangeserver/secmod44.mspx
You can go to lengths with securing something like this, but it depends on
the situation and risk assessment to determine how far you really want to
take it. I wouldn't use anything less than what I described here, so this
is kind of a baseline.
"Frederik" <Frederik@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:40E1389C-E9F0-4472-9DB0-66C0F0949CC5@xxxxxxxxxxxxxxxx
Hello,
In our company we have one exchange mailserver and a DMZ-zone. We would like
to enable the outlook web access in this DMZ-zone. So the users should
connect to a pc in the DMZ zone and not to the exchange mailserver.
What's the best way to install this?
Maybe RPC over HTTP?
Thanks