Re: Exchange 2003 - Multiple SSL Certs



Yeah, I agree, and the bigger plan is for an appliance to be introduced once
they've shown off Exchange push email to the masses. They also realise
that opening 443 to a 2nd site offers no more/less security than to the
'default site'.
The biggest concern is that allowing 443 to the default site means that
OWA will then be visible and this is not allowed, hence the 2nd site approach.
I don't see how they can keep OWA internal only if 443 is opened to the
default site.
Any thoughts on how they achieve this?

"Mark Arnold [MVP]" wrote:

On Tue, 1 May 2007 10:41:00 -0700, monkeyman101
<monkeyman101@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Mark, thanks for the response. Security is their big concern, so how can they
achieve it? ... secure mobility services that don't infringe on the
existing internal-only OWA config? They don't want the default site address
open to the net, hence the 2nd site/SSL cert idea with its own IP address.

"Mark Arnold [MVP]" wrote:

It's a total nonsense that having different websites is going to do
anything for their security. You are no more or less secure having 443
open to the Internet on one site than on the other. Anyone accessing
something on one website has no more access to the box than if he were
on another.

The customer doesn't understand the most basic fundamentals. You will
need to put them straight on it. It's plain silly.

If they are that worried about security they should put some form of
access protection in front of the FE. An ISA server perhaps or any one
of a number of appliances.

If they understand that little about security it's probably best they
don't actually grant anyone external access in the first place.
