Re: Publish OWA2K3 on single-homed ISA in a DMZ?
- From: "Steve Manning" <SteveManning@xxxxxxxxxxx>
- Date: Tue, 10 May 2005 21:27:54 -0400
I had a similar situation but I decided to do it a little differently. I
wanted to use Active Directory based groups to authenticate users to the ISA
server before allowing access to the OWA server. I decided to move the ISA
server inside and have my firewall (checkpoint) route all inbound HTTP and
HTTPS traffic to the ISA server which then "reverse proxies" OWA out to the
internet. Microsoft will not support AD authentication in a DMZ or internet
facing so that made my decision easier. My server is also single homed so
placing the system in a DMZ versus LAN does not provide much, if any,
additional security. I decided to use basic authentication since I have
also published intranet servers. I wanted to be consistent across platforms
so that user confusion will be minimal.
The possible cause for your problem may be that you have to open inbound
ports on your firewall corresponding to the type of authentication you are
using, unless you're using local accounts. If using local accounts you would
then have to logon to OWA as a separate logon. I assume you are using AD or
domain accounts, hence generating the "user not found" message. Placing the
ISA server inside the LAN resolves this. I really do not see the benefit of
the DMZ. Using the firewall to filter the traffic twice (with a single
homed system) does not seem efficient or more secure than filtering once. I
believe that having the firewall do layer 2 filtering behind which the ISA
server is doing some layer 3 filtering is quite safe.
Using AD groups essentially was a huge improvement. By using departmental
groups we could allow access to OWA based upon business role in the company.
I am sure that the same technique would work for your reverse Oracle proxy
as well.
"Stupid48" <cf_rich@xxxxxxxxxxx> wrote in message
news:1115763438.850184.86200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I have an ISA 2004 server running in my DMZ that is currently being used
> as a reverse proxy for an Oracle server running on the inside. The ISA
> is a single-nic design used for reverse proxy only and is in a DMZ
> surrounded by another firewall vendor. Can I not reverse proxy OWA
> 2003 using this configuration? I would like to proxy to my OWA running
> inside. It seems that no matter what authentication scenario I
> select on ISA (forms, NT, basic), when I hit the server from the
> outside, ISA is trying to validate me itself (i.e. I'm getting a security
> log event on ISA saying that my account was not found). Am I doing this
> right? I guess my assumption was that I could leave my OWA on the
> inside and have my ISA front-end it in the DMZ. What am I doing wrong?
>
> Thanks, Chris
>