RE: OWA 2003

  • From: "David Sierra Fernandez" <SieFerDa@xxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 2 Feb 2006 12:56:47 +0100

Yes, but you are assuming that everybody uses an ISA server between FE and
BEs; what about those of us who are using other firewalls? Opening the
ports in order to communicate FE with BEs could be a tedious and
difficult job. We have all the Exchange servers internally.

I wouldn't suggest putting the FE in the DMZ unless you have an ISA
server.

--Sierr@--
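As an added illustration of the firewall concerns raised in this thread (the port-opening burden between FE and BEs, the clear-text TCP/80 FE-to-BE traffic, and how many trusted hosts a DMZ front-end ends up reaching), here is an audit script that is not from any poster or from Microsoft; the hostnames, zones and rule set are constructed sample data.

```python
# Added example, not from the thread: audit a firewall rule set for two of the
# risks discussed above when an Exchange front-end sits in the DMZ.
from collections import defaultdict

# Constructed sample data; hostnames and roles are illustrative only.
ZONES = {
    "owa-fe": "dmz", "isa": "dmz",
    "exch-be1": "trusted", "exch-be2": "trusted",
    "dc1": "trusted", "dc2": "trusted", "gc1": "trusted",
}
CRITICAL_ROLES = {"exch-be1": "Exchange", "exch-be2": "Exchange",
                  "dc1": "DC", "dc2": "DC", "gc1": "GC"}

# Each rule: (source host, destination host, protocol, port)
RULES = [
    ("owa-fe", "exch-be1", "tcp", 80),   # FE <-> BE OWA traffic, clear text
    ("owa-fe", "exch-be2", "tcp", 80),
    ("owa-fe", "dc1", "tcp", 389),       # LDAP to domain controllers
    ("owa-fe", "dc1", "tcp", 88),        # Kerberos
    ("owa-fe", "dc2", "tcp", 389),
    ("owa-fe", "gc1", "tcp", 3268),      # global catalog
    ("isa", "exch-be1", "tcp", 443),     # reverse proxy to an internal FE/BE
]

CLEARTEXT_PORTS = {("tcp", 80)}

def cleartext_boundary_crossings(rules, zones):
    """Rules carrying clear-text traffic from the DMZ into the trusted zone."""
    return [r for r in rules
            if zones[r[0]] == "dmz" and zones[r[1]] == "trusted"
            and (r[2], r[3]) in CLEARTEXT_PORTS]

def trusted_reach(rules, zones, roles):
    """Per DMZ host: distinct trusted destinations and the roles they hold,
    i.e. the blast radius if that DMZ host were compromised."""
    reach = defaultdict(set)
    for src, dst, _proto, _port in rules:
        if zones[src] == "dmz" and zones[dst] == "trusted":
            reach[src].add(dst)
    return {src: {"hosts": sorted(dsts),
                  "roles": sorted({roles[d] for d in dsts if d in roles})}
            for src, dsts in reach.items()}

if __name__ == "__main__":
    for r in cleartext_boundary_crossings(RULES, ZONES):
        print("clear-text DMZ->trusted:", r)
    for host, info in trusted_reach(RULES, ZONES, CRITICAL_ROLES).items():
        print(host, "reaches", len(info["hosts"]), "trusted hosts:", info["roles"])
```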

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, 22 January 2006 21:35
To: [ExchangeList]
Subject: [exchangelist] RE: OWA 2003

http://www.MSExchange.org/

Hi Brendan,
I think the problem most folks have is that they see DMZs as "one size
fits all" and haven't yet appreciated the concept of DMZs as security
zones, where each DMZ or perimeter includes hosts belonging to the same
security zone.

Indeed, the traffic between the front-end and back-end Exchange Servers
must be over 80, and some would argue that you might use IPSec transport
mode to secure the communications, but then that would hide what's in
the tunnel from the firewall, and you might end up worse than having the
FE and BE on the same security zone.

Instead, you place the FE in an authenticated-only DMZ, so that while
the FE is an Internet-facing host, it's not the same as an anonymous
access DMZ, as demonstrated clearly in this article:

http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html

In fact, if you read that article it will answer all your questions and
you'll likely agree with me. The only argument I've heard from even
folks within Microsoft is "that might introduce too much complexity for
our customers". Agreed. But for Microsoft network security consultants,
for which it is their job to create the most secure configuration
possible using the tools they have available, there's no reason not to
go with the designs I described in that article series.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Moon, Brendan [mailto:bmoon@xxxxxx]
> Sent: Sunday, January 22, 2006 2:18 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: OWA 2003
> 
> I see three other 'cons' to putting an Exchange Front-End server in a 
> DMZ that have not been mentioned:
> 
> 1) All OWA related Front-End <-> Back-End traffic is clear-text 
> TCP/80.
> Regardless of whether or not you use SSL between the client and 
> Front-End server.  Depending on how much you trust your DMZ, you may  
> be putting your e-mail content at risk of sniffing to a compromised 
> server in the DMZ.
> 
> 2) Exchange Front-End servers must be members of a domain.  Many 
> organizations don't like putting members of their internal 
> forest/domains in a DMZ.  The risk is that domain members have a level
> of inherent trust between themselves -- which you may not want 
> crossing your DMZ/trusted enclave boundary.
> 
> 3) The firewall consideration is also frequently underestimated.
> Exchange servers really should be able to talk with 'all' DCs and 
> 'all' other Exchange servers in the same organization.  So it's not as
> simple as opening a few ports between a single Front-End and a single 
> Back-End server.  While a 1:1 ratio may seem to work in small 
> deployments -- you will sacrifice functionality and reliability in 
> larger environments.  In a large enterprise a potentially compromised 
> DMZ Front-End Exchange server would have open access through a 
> firewall to many other critical servers (DCs, GCs, Exchange, etc.) in 
> your trusted enclave(s).
> 
> Thomas - perhaps you could elaborate on some of the downsides to 
> reverse proxying a Front-End server which resides in a non-DMZ trusted
> network.
>  
>  - Brendan Moon
> 
> -----Original Message-----
> From: Carl Houseman [mailto:c.houseman@xxxxxxxxx]
> Sent: Sunday, January 22, 2006 11:55 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: OWA 2003
> 
> As always, there are two camps on this.  One camp wants to blow holes 
> in the firewall to permit the FE to talk to the BE.  The other wants 
> to avoid that.
> 
> See "Figure 1 Secure Firewall Structure" here:
> <http://www.microsoft.com/technet/security/prodtech/exchangeserver/secmod44.mspx>
> 
> So, Microsoft favors the FE and BE servers on the same security zone, 
> when their ISA server is used as reverse proxy.
> 
> Have fun arguing with Microsoft.  When you convince them and they 
> change their document, let us know.  Otherwise, we already know your 
> opinion, so thanks for sharing.
> 
> Carl
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Sunday, January 22, 2006 11:31 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: OWA 2003
> 
> About why putting a front-end, Internet-facing, Exchange Server on the
> same security zone as the back end Exchange servers. I'd like to 
> understand the misconceptions that underlie that assertion, so that we
> can shoot them down and show how foolish they are.
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: Andy David [mailto:adavid@xxxxxxxxxxxxx]
> > Sent: Sunday, January 22, 2006 10:30 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: OWA 2003
> > 
> > About what? 
> > 
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Sunday, January 22, 2006 11:25 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: OWA 2003
> > 
> > Hi Andy,
> > 
> > You are patently WRONG about that. Where did you get such incorrect 
> > advice? Because whoever told you that is most definitely not security
> > minded.
> > 
> > You might want to share the rationale you used for this assertion so
> > that we can shoot it down sequentially and rationally.
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Andy David [mailto:adavid@xxxxxxxxxxxxx]
> > > Sent: Saturday, January 21, 2006 9:57 PM
> > > To: [ExchangeList]
> > > Subject: [exchangelist] RE: OWA 2003
> > > 
> > > http://www.microsoft.com/downloads/details.aspx?FamilyID=E64666FC-42B7-48A1-AB85-3C8327D77B70&displaylang=en
> > > 
> > > 
> > > Don't put it in the DMZ however. That's just foolish. Put a 
> > > reverse-proxy in the DMZ if you must. Otherwise, keep the Front End
> > > server behind your firewall.
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Dave Flaim [mailto:thethin@xxxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: Saturday, January 21, 2006 10:41 PM
> > > To: [ExchangeList]
> > > Subject: [exchangelist] OWA 2003
> > > 
> > > Is it possible to install OWA on a separate server than the Exchange
> > > 2003 server - i.e. we would like to place the OWA server in the DMZ.  If
> > > so, does anyone have a procedure or reference?
> > > 
> > > Thanks
> > > Dave Flaim
> > > CVI
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
sieferda@xxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to info@xxxxxxxxxxxxxx