Just checking. It looked from your post that you were not advocating that. If someone were to only use SSL and allow access via TCP 443, then that would be a secure channel that IDS traditionally can't look at. I was curious how you wanted to handle that. I'm assuming from your last post you are indicating a layer-7 device that's capable of SSL bridging or something that can terminate and proxy the SSL connection.

"I would have an intrusion prevention and intrusion detection firewall (can be had for less than $1000 for small to medium business) in front of it."

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: Tuesday, October 12, 2004 2:08 PM
To: [ExchangeList]
Subject: [exchangelist] Re: Making sure OWA is secure

http://www.MSExchange.org/

On Tue, 12 Oct 2004 12:28:22 -0400, Mulnick, Al <al.mulnick@xxxxxxxxxx> wrote:
> Danny, do you have a server with only 443TCP access on the internet?

No -- it's IPSec VPN or nothing from the Internet into my network. But, if you had a dedicated OWA (front-end) server with SSL based OWA, what other essential ports would you need open for an external (Internet) interface?

> What was your thinking for this type of setup and what does it provide
> your company?

Obviously if your OWA/Exchange server was not dedicated to the role and also received and delivered email via SMTP, then you would open up port 25, but, in my case, I never allow Microsoft services to respond directly to TCP/IP traffic from the Internet. For example, I have a Postfix based MTA set up as the SMTP gateway for all incoming and outgoing email traffic. If I did have an OWA server, I would have an intrusion prevention and intrusion detection firewall (can be had for less than $1000 for small to medium business) in front of it.

> As long as we're viewing that as recommendation?

Lettah was very brief with his/her question, so I was very brief with my answer. Let's call them a list of tips.
When I have more information about requirements, budget, environment, personnel responsible after implementing, etc., then I will make more of a recommendation based on my experience and research.

...D