FW: Deploying Exchange 2003

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Dec 2003 09:52:01 -0500

It's an interesting thought Alex.  I think that concept still comes back to
trusting a single appliance (Ironmail in this case, but could have been ISA,
Squid, or any other layer-7 firewall/proxy device) for your security.  In
your case, you took it a step further and put OWA in a separate zone as well
I presume in case an attacker gets past the appliance.  But I wonder if
that's helpful or meets the client's requirements?  What I mean is this: If I
open all the ports from the OWA zone to the rest of the network, what's the
point of separating it off?  FE to BE communication only requires TCP 80 to
Exchange but unfortunately needs a lot more to communicate with the Active
Directory.  Once you've given all of the access required, you may as well
have put it on the internal network altogether due to the high amount of
ports set to allow traffic.  In the end, it's a lot more complexity, without
a lot of return (IMHO).  
So I'm curious to know what the expectation is of a separate OWA zone?  I'm
interested to learn more about the concept if you can spare the time.
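A small way to quantify Al's point above (added example, not code from the list or any product named in the thread): score a zone boundary by how many destination ports it still blocks. The rule sets, host names and the 1024-65535 dynamic RPC range are constructed assumptions, chosen to mirror "TCP 80 only for FE to BE" versus "everything AD needs".

```python
from dataclasses import dataclass

# Well-known Windows/AD service ports, used only to name what a rule exposes.
SERVICES = {53: "DNS", 80: "HTTP", 88: "Kerberos", 135: "RPC endpoint mapper",
            389: "LDAP", 445: "SMB", 3268: "Global Catalog"}

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    dst: str     # destination host name, or "any" for the whole internal zone
    lo: int      # first allowed destination port
    hi: int      # last allowed destination port (== lo for a single port)

    def width(self) -> int:
        return self.hi - self.lo + 1

def assess(rules, broad_range=1000):
    """Summarise how much filtering a zone boundary still performs."""
    exposed = sum(r.width() for r in rules)                 # port slots allowed
    broad = [r for r in rules if r.width() >= broad_range]  # e.g. dynamic RPC
    any_dst = [r for r in rules if r.dst == "any"]          # zone-wide allows
    services = sorted({SERVICES[p] for r in rules
                       for p in range(r.lo, r.hi + 1) if p in SERVICES})
    isolating = not broad and not any_dst
    return {"exposed_ports": exposed, "broad_rules": len(broad),
            "any_dst_rules": len(any_dst), "services": services,
            "verdict": "meaningful isolation" if isolating else "nominal isolation"}

# Constructed rule sets for the two designs debated in the thread.
FE_ONLY = [Rule("tcp", "exch-be", 80, 80)]            # pure FE->BE OWA traffic
FE_PLUS_AD = FE_ONLY + [
    Rule("tcp", "dc1", 53, 53), Rule("udp", "dc1", 53, 53),
    Rule("tcp", "dc1", 88, 88), Rule("udp", "dc1", 88, 88),
    Rule("tcp", "dc1", 135, 135), Rule("tcp", "dc1", 389, 389),
    Rule("tcp", "dc1", 445, 445), Rule("tcp", "dc1", 3268, 3268),
    Rule("tcp", "dc1", 1024, 65535),   # assumed default RPC dynamic range
]

if __name__ == "__main__":
    for name, rules in (("FE only", FE_ONLY), ("FE + AD", FE_PLUS_AD)):
        print(name, assess(rules))
```

The second rule set opens almost the entire port space to the domain controller, which is the "may as well have put it on the internal network" outcome in numbers.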


From: Alejandro Contreras [mailto:acontreras@xxxxxx] 
Sent: Tuesday, December 30, 2003 9:40 AM
To: [ExchangeList]
Subject: [exchangelist] Deploying Exchange 2003


Hi, just for food for thought...
Exchange on the internal network, a separate security zone for OWA with all
necessary ports open between the production network (where Exchange lives)
and the OWA zone. Get a mail relay server called Ironmail that does AV,
proxying, IDS, etc, and put that on the DMZ. Open up port 80 between the DMZ
and OWA zone only. The untrusted network gets access to the OWA through
Ironmail's proxying through https:// (ssl) on port 443.
Just a thought.

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Tuesday, December 30, 2003 9:28 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Deploying Exchange 2003


As you read those docs, you'll start to see some more information on this
and see what John is talking about.  There is a lot of question and thought
on the subject of security.  I'd bet if you ask 10 people about security,
you'll get at least 14 different opinions about what's right.  For example,
if you use HTTPS to your internal network, what's the risk? If you put the
Exchange server in the DMZ, what's the risk?  Are you willing to accept
whatever risk is present in either of those architectures? Is there a
difference to the customer if you expose Exchange backend servers to the
internet (an HTTPS path to your internal network?) or is it more acceptable
to have an HTTPS stream terminate in the DMZ, and then open all the needed
ports and protocols to get a connection from the DMZ to all of your Active
Directory?  Does your client have a packet filtering firewall or a layer-7
firewall?  Do they have security policies?  How does either solution fit in
with the policies if they have them?
In the docs, you'll see Microsoft's recommendations.  I'd suggest that you
understand those risks and understand why they recommend what they
recommend.  Also understand why they change their recommendations on a
regular basis as new threats become known.


From: so cal [mailto:socal4tens@xxxxxxxxx] 
Sent: Monday, December 29, 2003 5:43 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Deploying Exchange 2003

Thanks John

"John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote: 


If you properly secure it, it should be on the inside, as if in the DMZ, you
will have to open a bunch of ports for proper domain communication.


John Tolmachoff


eServices For You


-----Original Message-----
From: so cal [mailto:socal4tens@xxxxxxxxx] 
Sent: Monday, December 29, 2003 2:12 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Deploying Exchange 2003



Hello Al,


Thank you very much for the quick advice. I will certainly read the link
that you sent. One more question that comes to mind is the placement of the
server since it is being accessed internally and externally. Should it be in
a DMZ or is it safe enough inside running HTTPS?


Thanks for help Al

"Mulnick, Al" <Al.Mulnick@xxxxxxxxxx> wrote:


Some reading would be good. http://www.microsoft.com/exchange/library

That said, here's a few things to consider:

Win95 can access OWA; more importantly, it's IE5.5 which works with OWA.
One server should be fine and it *could* be your Active Directory and
Exchange server. However, there are some risks that need to be understood
with that. Read the docs for more information.

HTTPS is a best practice. Better practice is to use ISA to secure it :)

I would use a public cert, but you could gen your own certs for HTTPS if you


-----Original Message-----
From: socal4tens@xxxxxxxxx [mailto:socal4tens@xxxxxxxxx] 
Sent: Monday, December 29, 2003 5:19 PM
To: [ExchangeList]
Subject: [exchangelist] Deploying Exchange 2003



I have been asked to setup an Exchange 2003 server for a company. They want
web access only, from inside (local lan) and outside (remote internet
users). Their infrastructure is NT4, Win2k and Novell with 60 clients most
of which are on windows 95 and old slow equipment. They are looking for the
web access so they can keep the old equipment in place while using IE to
access the mail. Can anyone give me an idea of what is involved in setting
this up? Some questions I have are as follows:

1. Can Win95 access W2k3 via OWA internally as well as externally?
2. Will IE 5.5 work on Win95 clients connecting to W2k3?
3. Do I need 2 servers, a front end and back end?
4. Will I need to install AD if it is not already installed within the infrastructure?
5. Is it best practice to run HTTPS?
6. Do I need to run certificate services?

Thank you,
