To answer your original question, the scenario you paint is inherently more risky than using some sort of proxy capability in the DMZ. That's not to say it can't be operated securely - it can - but it takes much more care and feeding. You want to monitor the traffic on all those ports you opened up, you should understand the traffic models you expect to see across those ports, and your internal firewall is Swiss-cheesed to support the DC and RPC communications.

The neat thing about ISA - well there are several neat things, but in this instance - would be the reduction in number of ports you actually need to open up between the DMZ and your front-end server. Exactly one, in fact, which is pretty nifty compared to what you are using now!

Again, it can be done and done securely and well, but an ISA solution is much more robust. The thing is, you need to think of the ISA box not as a firewall in this scenario, but as an extension to your messaging infrastructure.

Hope that helps!

Rick
________________________________
From: adrian bolzan [mailto:abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 07, 2005 8:06 PM
To: [ExchangeList]
Subject: [exchangelist] RE: OWA without ISA server

http://www.MSExchange.org/

Hi Andrew,

thanks for your reply. Do you use ISA server? I thought to post it to the ISA list but as I am not using it and it is related to Exchange security thought this forum would be more appropriate.

cheers,
Adrian
________________________________
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, 7 June 2005 10:10 PM
To: [ExchangeList]
Subject: [exchangelist] RE: OWA without ISA server

You should be asking this question in the ISAServer.org mailing list, not in the Exchange one. I use RPC over HTTP on my Exchange server 2003. I don't have any problems with it except that the odd user doesn't use Windows XP which is required to make it work.
Andrew
________________________________
From: adrian bolzan [mailto:abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 07, 2005 5:15 AM
To: [ExchangeList]
Subject: [exchangelist] OWA without ISA server

Hi all,

We currently run Exchange 2003 with FE and BE servers. The FE server is in a DMZ, whilst the BE servers are located on the Internal/protected network. The FE servers are only accessed by staff on our WAN and selected staff via the internet (those with permanent IP addresses). We do not use ISA server, although it is on the horizon, rather using a firewall appliance that performs stateful packet inspection, DOS, etc.

Currently, the FE server is part of our domain, and I have opened up all ports between the FE server and the BE server and DC's in the protected network, whilst restricting access from the internet to those with permanent IP addresses on the ADSL/cable connections. If I remember correctly, I can configure the communication between the FE server and the DC's to be over a single port, which requires registry hacks, although this has not been implemented.

What are your thoughts, with respect to security, on allowing general HTTPS access to the FE server for OWA from the internet without ISA server and with the scenario I have painted above?
cheers,
adrian

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as: andrew@xxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx
============================================================
IMPORTANT - This email and any attachments is confidential. If received in error, please contact the sender and delete all copies of this email. Please note that any use, dissemination, further distribution or reproduction of this message in any form is strictly prohibited. Before opening or using attachments, check them for viruses and defects. Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files, our liability is limited to resupplying any affected attachments. Any representations or opinions expressed in this email are those of the individual sender, and not necessarily those of the Capital Transport Services.
============================================================