Deploying Exchange 2003

  • From: Alejandro Contreras <acontreras@xxxxxx>
  • To: "'exchangelist@xxxxxxxxxxxxx'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Dec 2003 09:39:30 -0500

Hi, just for food for thought...
 
Exchange on the internal network, a separate security zone for OWA with all
necessary ports open between the production network (where Exchange lives)
and the OWA zone. Get a mail relay server called Ironmail that does AV,
proxing, IDS, etc, and put that on the DMZ. Open up port 80 between the DMZ
and OWA zone only. The untrusted network gets access to the OWA through
ironmail's proxying through https:// (ssl) on port 443.
 
Just a thought.
 
Cheers,
 
Alex. 
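
The zone layout described in the message above, modelled as allow rules with a small audit, as an added example that is not part of the original post. The zone names are labels chosen here, and the port between the OWA zone and production is an assumed stand-in, since the message only says "all necessary ports".

```python
from collections import deque

# Zone-to-zone allow rules: (source zone, destination zone, TCP port).
# Zone names are labels chosen for this example. Port 80 on the
# owa -> production rule is an assumption standing in for the
# unspecified "all necessary ports".
ALLOW = {
    ("untrusted", "dmz", 443),    # HTTPS to the Ironmail proxy
    ("dmz", "owa", 80),           # proxy to OWA, port 80 only
    ("owa", "production", 80),    # assumed stand-in
}

def permitted(src, dst, port, rules=ALLOW):
    """True if a connection src -> dst on this port matches an allow rule."""
    return (src, dst, port) in rules

def direct_exposure(zone, rules=ALLOW):
    """Ports on which `zone` accepts connections straight from untrusted."""
    return sorted(p for s, d, p in rules if s == "untrusted" and d == zone)

def shortest_path(src, dst, rules=ALLOW):
    """Fewest-hop chain of permitted zone hops from src to dst, or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for s, d, _ in sorted(rules):
            if s == path[-1] and d not in seen:
                seen.add(d)
                queue.append(path + [d])
    return None

def audit(rules=ALLOW):
    """List the ways a rule set departs from the described design."""
    findings = []
    for zone in ("owa", "production"):
        ports = direct_exposure(zone, rules)
        if ports:
            findings.append(f"{zone} reachable from untrusted on {ports}")
    extra = [p for s, d, p in rules if (s, d) == ("dmz", "owa") and p != 80]
    if extra:
        findings.append(f"dmz->owa allows ports beyond 80: {sorted(extra)}")
    return findings
```
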

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Tuesday, December 30, 2003 9:28 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Deploying Exchange 2003


http://www.MSExchange.org/

As you read those docs, you'll start to see some more information on this
and see what John is talking about.  There is a lot of question and thought
on the subject of security.  I'd bet if you ask 10 people about security,
you'll get at least 14 different opinions about what's right.  For example,
if you use HTTPS to your internal network, what's the risk? If you put the
Exchange server in the DMZ, what's the risk?  Are you willing to accept
whatever risk is present in either of those architectures? Is there a
difference to the customer if you expose Exchange backend servers to the
internet (a HTTPS path to your internal network?) or is it more acceptable
to have a HTTPS stream terminate in the DMZ, and then open all the needed
ports and protocols to get a connection from the DMZ to all of your Active
Directory?  Does your client have a packet filtering firewall or a layer-7
firewall?  Do they have security policies?  How does either solution fit in
with the policies if they have them?
 
 
In the docs, you'll see Microsoft's recommendations.  I'd suggest that you
understand those risks and understand why they recommend what they
recommend.  Also understand why they change their recommendations on a
regular basis as new threats become known.
 
Luck,
 
Al

  _____  

From: so cal [mailto:socal4tens@xxxxxxxxx] 
Sent: Monday, December 29, 2003 5:43 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Deploying Exchange 2003


Thanks John

"John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote: 



If you properly secure it, it should be on the inside, as if in the DMZ, you
will have to open a bunch of ports for proper domain communication.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: so cal [mailto:socal4tens@xxxxxxxxx] 
Sent: Monday, December 29, 2003 2:12 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Deploying Exchange 2003

 


Hello Al,

 

Thank you very much for the quick advice. I will certainly read the link
that you sent. One more question that comes to mind is the placement of the
server since it is being accessed internally and externally. Should it be in
a DMZ or is it safe enough inside running https.

 

Thanks for help Al

"Mulnick, Al" <Al.Mulnick@xxxxxxxxxx> wrote:


Some reading would be good. http://www.microsoft.com/exchange/library

That said, here's a few things to consider:

Win95 can access OWA; more importantly, it's IE5.5 which works with OWA.
One server should be fine and it *could* be your Active Directory and
Exchange server. However, there are some risks that need to be understood
with that. Read the docs for more information.

HTTPS is a best practice. Better practice is to use ISA to secure it :)

I would use a public cert, but you could gen your own certs for HTTPS if you
wanted. 

Al 

-----Original Message-----
From: socal4tens@xxxxxxxxx [mailto:socal4tens@xxxxxxxxx] 
Sent: Monday, December 29, 2003 5:19 PM
To: [ExchangeList]
Subject: [exchangelist] Deploying Exchange 2003


Hello,

I have been asked to setup an Exchange 2003 server for a company. They want
web access only, from inside (local lan) and outside (remote internet
users). Their infrastructure is NT4, Win2k and Novell with 60 clients most
of which are on windows 95 and old slow equipment. They are looking for the
web access so they can keep the old equipment in place while using IE to
access the mail. Can anyone give me an idea of what is involved in setting
this up? Some questions I have are as follows:

1. Can Win95 access W2k3 via owa internally as well as externally
2. Will IE 5.5 work on win95 clients connecting to W2k3
3. Do I need 2 servers, a front end and back end
4. Will I need to install AD if it is not already installed within the infrastructure.
5. Is it best practice to run HTTPS?
6. Do I need to run certificate services

Thank you,


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
