Re: OWA




On Thu, 20 Aug 2009 06:15:01 -0700, ed <ed@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:

> rich,
>
> Thanks for your time and help.
>
> Why did he make a big fuss about form authentication over SSL? I guess
> that he did not enable form-based authentication before, as SSL is a
> requirement.

Whether you use FBA or not SSL should still be used.

> If you do not use basic authentication, what else can you use?

Kerberos.

>>> This prevents the direct
>>> exposure of email services to unauthorized exploitation. To enable this
>>> architecture, an OWA server in the DMZ dedicated to perform Web-based message
>>> access would be established
>
>> No, no, no . . . do NOT put an Exchange server in the DMZ.
>
> Can you give me the reason why? I know Exchange 2007 totally changes this (CAS
> server) but, since he is a security consulting person, I need to find the
> link or doc to show him.

Why would you willingly put a Windows domain member server in a DMZ
unless the AD forest was different to the one on your corporate LAN?
The number of ports you have to allow through the firewall is pretty
big and that's just one good reason to not do it. The FE server's also
a member of a pretty privileged group of servers. Compromise the FE
server and you're on your way to compromising the AD. Oh, and let's not
forget the cached (and supposedly secure) credentials that linger on the
machine -- get admin access on there and you'll be able to use those
credentials to access an awful lot of stuff.

You can mitigate some of the risks by using IPSec, but the setup for
what to allow, which machines can talk to what other machines, etc., makes
it a lot more cost-effective to just put ISA server(s) in the DMZ than
to spend all the time to try and secure machines that really don't
belong in the DMZ.
---
Rich Matheisen
MCSE+I, Exchange MVP


