RE: OWA without ISA server

  • From: "Rick Boza" <rickb@xxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 7 Jun 2005 21:35:11 -0400

To answer your original question, the scenario you paint is inherently
more risky than using some sort of proxy capability in the DMZ.
 
That's not to say it can't be operated securely - it can - but it takes
much more care and feeding.  You want to monitor the traffic on all
those ports you opened up, you should understand the traffic models you
expect to see across those ports, and your internal firewall is
Swiss-cheesed to support the DC and RPC communications.
 
The neat thing about ISA - well there are several neat things, but in
this instance - would be the reduction in number of ports you actually
need to open up between the DMZ and your front-end server.  Exactly one,
in fact, which is pretty nifty compared to what you are using now!
 
Again, it can be done and done securely and well, but an ISA solution is
much more robust.  The thing is, you need to think of the ISA box not as
a firewall in this scenario, but as an extension to your messaging
infrastructure.
 
Hope that helps!
 
Rick

________________________________

From: adrian bolzan [mailto:abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, June 07, 2005 8:06 PM
To: [ExchangeList]
Subject: [exchangelist] RE: OWA without ISA server


http://www.MSExchange.org/

Hi Andrew,  
 
thanks for your reply.  Do you use ISA server?
 
I thought to post it to the ISA list but as I am not using it and it is
related to Exchange security thought this forum would be more
appropriate.
 
cheers,
Adrian
 


________________________________

        From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, 7 June 2005 10:10 PM
        To: [ExchangeList]
        Subject: [exchangelist] RE: OWA without ISA server
        
        
        

        You should be asking this question in the ISAServer.org mailing
        list, not in the Exchange one. I use RPC over HTTP on my Exchange
        server 2003. I don't have any problems with it except that the odd
        user doesn't use Windows XP which is required to make it work.

         

        Andrew

         

         

        
________________________________


        From: adrian bolzan [mailto:abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, June 07, 2005 5:15 AM
        To: [ExchangeList]
        Subject: [exchangelist] OWA without ISA server

         


        Hi all,

         

        We currently run Exchange 2003 with FE and BE servers.

        The FE server is in a DMZ, whilst the BE servers are located on
        the Internal/protected network.

        The FE servers are only accessed by staff on our WAN and
        selected staff via the internet (those with permanent IP addresses).

        We do not use ISA server, although it is on the horizon, rather
        using a firewall appliance that performs stateful packet inspection,
        DOS, etc.

        Currently, the FE server is part of our domain, and I have
        opened up all ports between the FE server and the BE server and DCs
        in the protected network, whilst restricting access from the internet
        to those with permanent IP addresses on the ADSL/cable connections.
        If I remember correctly, I can configure the communication between
        the FE server and the DCs to be over a single port, which requires
        registry hacks, although this has not been implemented.

        What are your thoughts, with respect to security, on allowing
        general HTTPS access to the FE server for OWA from the internet
        without ISA server and with the scenario I have painted above?

         

        cheers,

        adrian

          

        ------------------------------------------------------
        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
        Exchange Newsletters:
http://www.msexchange.org/pages/newsletter.asp
        Exchange FAQ:
http://www.msexchange.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        World of Windows Networking: http://www.windowsnetworking.com
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 ISA Server Resource Site: http://www.isaserver.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this MSEXchange.org Discussion
List as: andrew@xxxxxxxxxxxxxxxxxxxxxx
        To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
        Report abuse to listadmin@xxxxxxxxxxxxxx 

============================================================
IMPORTANT - This email and any attachments is confidential.
If received in error, please contact the sender and delete
all copies of this email. Please note that any use,
dissemination, further distribution or reproduction of this
message in any form is strictly prohibited. Before opening or
using attachments, check them for viruses and defects.
Regardless of any loss, damage or consequence, whether caused
by the negligence of the sender or not, resulting directly or
indirectly from the use of any attached files, our liability
is limited to resupplying any affected attachments. 
Any representations or opinions expressed in this email are
those of the individual sender, and not necessarily those
of the Capital Transport Services.
============================================================
        
