OWA is not sending SMTP data to your Exchange server; it is authenticating your users to your domain controller. So, it needs the crown jewels, cached or otherwise. Own the OWA machine, and you can sniff the credentials being passed to the DC or what have you. The OWA most definitely contains company data, like, it is part of the domain.

-----Original Message-----
From: Shonk, Joe - Perot [mailto:JShonk@xxxxxxx]
Sent: Tuesday, February 10, 2004 2:40 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Exchange placement

Not really, most decent firewalls will Proxy/Inspect SMTP traffic as it is coming into the network. It's just as secure (if not more) than an SMTP gateway/relay in the DMZ. The same goes with VPN. Second, putting an Exchange server in the DMZ is worse than OWA. An OWA box does not contain company data as an Exchange Server might.

Joe

-----Original Message-----
From: Henry Sieff [mailto:hsieff@xxxxxxxxxxxx]
Sent: Tuesday, February 10, 2004 1:05 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Exchange placement

Well, the holes necessary pretty much make the DMZ pointless, anyways. Put the Exchange server in A DMZ, with a certificate-based VPN host, and you might have a secure solution, but OWA in the DMZ, with RPC/domain authentication stuff opened up, is no better (security-wise) than just putting an Exchange server in the DMZ and using Citrix to connect to it.

-----Original Message-----
From: Paul Bergson (MP) [mailto:pbergson@xxxxxxxxxxx]
Sent: Tuesday, February 10, 2004 10:21 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Exchange placement

Why would you want to put Exchange in the DMZ? If you want external clients to get at their internal e-mail then place OWA in the DMZ and pop holes in the firewall to your Exchange server.

Thanks
Paul

-----Original Message-----
From: Michael Boggan [mailto:MBoggan@xxxxxxxxxxx]
Sent: Tuesday, February 10, 2004 9:43 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: OT: Exchange placement

Are you going to be using the AD from your internal network? I am not a guru or anything but I don't think you would be able to if you were outside the network. You'd have to enter all your users in the external box as well.

_________________________________
Michael Boggan
Network Engineer/Citrix Admin
Virtual Desktop Inc.
Dallas, Texas
Ph: (972) 960-6400
Fax: (972) 960-6445
email: mboggan@xxxxxxxxxxx
http://www.virtualdesktopinc.com
_________________________________
For Technical Support during business hours please send email to support@xxxxxxxxxxx or call the above toll free number for after-hours support.

-----Original Message-----
From: Scott [mailto:sreichardt@xxxxxxx]
Sent: Monday, February 09, 2004 4:38 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: Exchange placement

I'm trying to decide whether to put my Exchange 2003 server inside the network and map port 25 or put it on the DMZ. Any recommendations?

Thanks,
Scott