RE: FE Server / OWA Hardware question

  • From: "Simon Butler" <simon@xxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sat, 19 Nov 2005 00:27:00 -0000

OWA must run on a domain member, so it doesn't go in the DMZ. 
 
You need to run something that will work on a workgroup type machine -
remove the requirement for the domain. Another proxy machine would work
- if it is compatible with OWA. Remember that OWA is a very complex
application and is broken very easily by proxy servers. 
 
I have just done an Exchange deployment for a UK finance house. I did
what I have outlined below, with the usual stuff of adding an SSL
certificate etc. The ISA server was able to be locked down because it
wasn't in the domain and their internal security people were very happy.
Take a look at the hardening documents from Microsoft to see what you
can do to secure a machine. 
 
Simon.

________________________________

From: EIS Lists [mailto:eis_lists@xxxxxxxxxxxxx] 
Sent: 19 November 2005 00:19
To: [ExchangeList]
Subject: [exchangelist] RE: FE Server / OWA Hardware question


http://www.MSExchange.org/


Thanks for the tips. OK. So no reason to put an FE in the DMZ. What
about the IIS box? Can you place the IIS box in the DMZ? Can you run OWA
on a non-domain IIS machine? Does that do anything to enhance security?

 

Also, re your suggestion of an ISA box: would some other sort of proxy
machine work just as well?

 

-- nme

 

________________________________

From: Simon Butler [mailto:simon@xxxxxxxxxxxx] 
Sent: Friday, November 18, 2005 3:49 PM
To: [ExchangeList]
Subject: [exchangelist] RE: FE Server / OWA Hardware question


What do you think putting a front-end server does for you? Increase your
security? With the large number of ports that you have to open in the
firewall, plus other changes to the configuration of the Exchange org,
the security "gains" are lost. Your machine in the DMZ gets compromised
and the attacker has a clear run in to your network. 

 

A DMZ is no place for a member of the production domain.

Every machine in the DMZ you should be prepared to lose at a moment's
notice and replace with another.

 

The most common reason for wanting to put a server in the DMZ is to
avoid exposing the Exchange server directly to the Internet. 
If that is the case you would be better off spending the cash on
something like an ISA server installed on a machine that is part of a
workgroup. That will publish what you need to the internet and limit
your exposure. 

 

For many of my smaller clients I am content to just open port 25 (SMTP)
and 443 (https) to the internet. It is far easier to monitor those two
ports than the large number of ports that you need to open for a domain
member to function properly.

 

Simon.

 

--
Simon Butler
MCP, MCSA, MVP:Exchange
Amset IT Solutions Ltd.

e: simon@xxxxxxxxxxxx
w: www.amset-it.com
w: www.amset.info 
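A small audit script to go with Simon's two-port argument above. It is an added example, not code from the thread or from Amset IT: it parses a constructed Windows `netstat -an` sample from a DMZ host and flags listeners outside the 25/443 policy, calling out the well-known Active Directory ports that hint the box is still a domain member. The sample output, addresses and port list are assumptions for illustration.

```python
import re
from typing import Dict, Set

# Policy from the thread: an internet-facing proxy in a workgroup needs only
# SMTP and HTTPS published to the internet.
ALLOWED_INBOUND = {25, 443}

# Well-known ports a domain member exposes for AD traffic; seeing these
# listening on a DMZ box suggests it is domain-joined.
DOMAIN_MEMBER_HINTS = {88: "Kerberos", 135: "RPC endpoint mapper",
                       139: "NetBIOS session", 389: "LDAP", 445: "SMB",
                       3268: "Global Catalog"}

LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>[\d.]+|\[[0-9a-f:]+\]):(?P<port>\d+)\s+\S+\s+LISTENING",
    re.IGNORECASE | re.MULTILINE)

def listening_ports(netstat_output: str) -> Dict[int, str]:
    """Return {port: bound_address} for every TCP LISTENING line."""
    return {int(m["port"]): m["addr"] for m in LISTEN_RE.finditer(netstat_output)}

def audit(netstat_output: str, allowed: Set[int] = ALLOWED_INBOUND) -> Dict[str, list]:
    """Bucket listeners as allowed, domain-member hints, or unexpected.
    Loopback-only listeners are skipped: the firewall cannot reach them."""
    report: Dict[str, list] = {"allowed": [], "domain_hints": [], "unexpected": []}
    for port, addr in sorted(listening_ports(netstat_output).items()):
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if port in allowed:
            report["allowed"].append(port)
        elif port in DOMAIN_MEMBER_HINTS:
            report["domain_hints"].append((port, DOMAIN_MEMBER_HINTS[port]))
        else:
            report["unexpected"].append(port)
    return report

# Constructed `netstat -an` sample: a box meant to be a workgroup proxy that is
# still domain-joined and has RDP listening on every interface.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         203.0.113.5:51022      ESTABLISHED
"""
```

On a real host, feed the script the actual `netstat -an` output; anything in `domain_hints` or `unexpected` is a listener the firewall policy for that box has to account for.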

 

________________________________

From: EIS Lists [mailto:eis_lists@xxxxxxxxxxxxx] 
Sent: 18 November 2005 22:53
To: [ExchangeList]
Subject: [exchangelist] FE Server / OWA Hardware question


Hi -

 

I am constructing a small E2k3 environment (roughly 150 users total).
However, I would like to place a FE server in the DMZ and leave the BE
server inside the local network. I also want to set up an OWA host (that
is, an IIS server).

 

Is it possible to put these on the same box? What are the potential
problems with that?

What type of hardware should I be looking at for that? (e.g., Dell
PowerEdge 850 3.0GHz with 80GB SATAs in RAID1 and 2GB RAM)

Am I increasing the risk to the box if I also host other IIS sites on
it?

Should I give those services different public addresses?

 

Thanks.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
exchange-list3@xxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx 

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.362 / Virus Database: 267.13.4/175 - Release Date:
11/18/2005
