RE: OWA access and security



Hello Gerko,

Thank you for posting in the SBS newsgroup.

Also, many thanks for Susan's great input.

According to your description, I understand that you would like to deploy
the OWA on the SBS 2003 Premium Server. If I have misunderstood the
problem, please don't hesitate to let me know.

Question 1: What I first like to know is what port(s) does OWA need to
access from outside?
===========
Answer:
- Port 80 (http://) enables all nonsecure browser access, including:
internal access to IIS Webs including the company Web, Windows SharePoint
Web, Windows SharePoint administration Web, and server monitoring and usage
reports. Enables internal access to Exchange by OWA and OMA clients.

- Port 443 (https://) enables all secure browser access, including
external access to Exchange for Outlook 2003, OWA, and OMA clients;
required for external access to server monitoring and usage reports.

- Port 4125 (Note: you can change this port in RRAS) enables external OWA
access to Exchange, plus internal and external HTTPS access to the client
Web site.

Question 2: If I want to give our employees a safe way to use this, what
are the safety issues, e.g. do we need SSL etc.?
==========
Answer: Yes, you are right. If we run the CEICW, and allow access to the
'Outlook Web Access' Web site service from the Internet in the 'Web
Services Configuration' page, the OWA will be configured to require SSL.

Question 3: Is it safe to open the required ports on the firewall, to give
employees access?
==========
Answer: As you mentioned, you are running the SBS 2003 Premium Server, but
you have not installed the ISA Server; there is a router and firewall in
front of the SBS Server. If the router and firewall support UPnP, the CEICW
will automatically configure them to allow OWA access. If the router and
firewall don't support UPnP, we need to manually configure them to allow
OWA access.

Additionally, you may refer to the below information:

Ports that Enable Remote Access to SBS Services

- Port 21 enables external and internal file transfer
- Port 25 enables incoming and outgoing SMTP mail
- Port 80 (http://) enables all nonsecure browser access, including:
  internal access to IIS Webs including the company Web, Windows SharePoint
  Web, Windows SharePoint administration Web, and server monitoring and
  usage reports. Enables internal access to Exchange by OWA and OMA clients
- Port 110 enables Exchange to accept incoming POP3 mail
- Port 123 (UDP port) enables the system to synchronize time with an
  external Network Time Protocol (NTP) server
- Port 143 enables Exchange to accept incoming IMAP4-compliant messages
- Port 220 enables Exchange to accept incoming IMAP3-compliant messages
- Port 443 (https://) enables all secure browser access, including
  external access to Exchange for Outlook 2003, OWA, and OMA clients;
  required for external access to server monitoring and usage reports
- Port 444 enables internal and external access to the SharePoint Web
- Port 500 enables external VPN connections by using IPSec
- Port 1701 enables external L2TP VPN connections
- Port 1723 enables external PPTP VPN connections
- Port 3389 enables internal and external Terminal Services client
  connections
- Port 4125 (Note: you can change this port in RRAS) enables external OWA
  access to Exchange, plus internal and external HTTPS access to the client
  Web site
- Port 4500 Internet Key Exchange (IKE) Network Address Translation (NAT)
  traversal

I appreciate your time and cooperation. If anything is unclear, please feel
free to let me know. I am looking forward to hearing from you.

Best regards,

Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Gerko" <Gerko@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: OWA access and security
>Date: Tue, 6 Sep 2005 00:18:01 -0700
>
>There is now a need for going to work with Outlook Web Access on our
>company.
>What I first like to know is what port(s) does OWA need to access from
>outside?
>If I want to give our employees a safe way to use this, what are the
>safety issues, e.g. do we need SSL etc.?
>
>We have a SBS2003 Premium Server with two NIC's. One for the internal
>network, on the other NIC the e-mail from outside is delivered. This NIC
>is connected to an external router and firewall and for this NIC only
>port 25 is open. We do not use ISA.
>
>Is it safe to open the required ports on the firewall, to give employees
>access?
>
>Thanks in advance,
>
>Gerko
>
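
Added example (not part of the original post and not Microsoft's tooling): once the router and firewall have been configured, manually or through UPnP as described in the answer to Question 3, a check like this, run from outside the network against your own public address, shows which TCP ports from the list above actually answer and flags any that were not meant to be published. The intended set {25, 443}, the host name and the function names are assumptions for illustration.

```python
import socket
import sys

# TCP ports taken from the list in the post above (descriptions shortened).
# 123, 500, 1701 and 4500 are omitted: they are UDP services, which a TCP
# connect probe cannot test.
SBS_TCP_PORTS = {
    21: "FTP", 25: "SMTP", 80: "HTTP, nonsecure browser access",
    110: "POP3", 143: "IMAP4", 220: "IMAP3",
    443: "HTTPS: OWA, OMA, Outlook 2003", 444: "SharePoint Web",
    1723: "PPTP VPN", 3389: "Terminal Services",
    4125: "port 4125 (changeable in RRAS)",
}

def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_exposure(host, intended, probe=tcp_open, ports=SBS_TCP_PORTS):
    """Compare the ports that answer with the ports meant to be published."""
    intended = set(intended)
    reachable = {p for p in set(ports) | intended if probe(host, p)}
    return {
        "unexpected": sorted(reachable - intended),  # open but not wanted
        "missing": sorted(intended - reachable),     # wanted but closed
        "ok": sorted(reachable & intended),
    }

def format_report(result, ports=SBS_TCP_PORTS):
    """Render one line per port: status, port number, service."""
    rows = []
    for status in ("unexpected", "missing", "ok"):
        for port in result[status]:
            rows.append(f"{status:<10} {port:>5}  {ports.get(port, 'not in list')}")
    return "\n".join(rows)

if __name__ == "__main__":
    intended = {25, 443}  # assumption: SMTP stays open, OWA is HTTPS only
    if len(sys.argv) > 1:
        result = audit_exposure(sys.argv[1], intended)
    else:
        # Constructed result for an offline run: pretend the router also
        # forwards 3389 and 4125.
        fake = lambda host, port: port in {25, 443, 3389, 4125}
        result = audit_exposure("sbs.example.invalid", intended, probe=fake)
    print(format_report(result))
```

Any port reported as unexpected is one the router forwards although it was not meant to be published; a missing 443 means OWA over SSL is not reachable from outside.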