RE: OWA 2003

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sun, 22 Jan 2006 14:44:00 -0600

Hi Breden,

I do appreciate the level of complexity of firewall configuration for
larger organizations, but that's why you have a dedicated network
security staff who manages the firewalls, manages firewall change
configuration, and works together with the rest of the organization on a
secure environment.

The downside of putting the FE servers on the same network as the BE
servers is that the FE servers are Internet facing devices, and thus
are de facto part of a different security zone than the BE Exchange
Servers, and thus, in a secure way of thinking, should not be on the
same security segment. That's why you should put them in a different
security zone/segment from the BE Exchange Servers.

The FE Exchange Servers are proxy devices, so I'm not sure what you're
asking here. However, if you're thinking of putting an ISA firewall in
front of the FE Exchange Server and using the ISA firewall's Web proxy
filter extension to its core firewall engine to reverse proxy the
connections, it still doesn't change the fact that the FE Exchange
Server is an Internet facing device. However, an ISA firewall performing
reverse Web proxy does enable you to create an authenticated access only
DMZ/perimeter network, which mitigates some of the security risks
incumbent in the typical anonymous access DMZ.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 
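The argument in this message (and in Brendan's third point quoted below) turns on the size of the hole a DMZ-resident Front-End needs through the interior firewall compared with a reverse proxy. The following is an added example, not code from the original thread or from any of the participants: it models a firewall rule set as a list of permitted flows and computes what an attacker who has taken over a DMZ host could reach on the internal segment under each design. The addresses, host names and the specific rule set are constructed for illustration (the DC ports are the usual AD ones; 1025-5000 stands in for the dynamic RPC range an Exchange 2003 FE uses to talk to DCs); a real deployment's rules would differ.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One permitted flow through the interior firewall (dst ports inclusive)."""
    src: str    # source CIDR
    dst: str    # destination CIDR
    proto: str  # "tcp" or "udp"
    lo: int     # first allowed destination port
    hi: int     # last allowed destination port

    def permits(self, src_ip, dst_ip, proto, port):
        return (self.proto == proto and self.lo <= port <= self.hi
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


# Constructed topology (documentation/private ranges, not a real network).
INTERNAL_HOSTS = {
    "dc1": "10.0.1.1", "dc2": "10.0.1.2", "gc1": "10.0.1.3",   # DCs / GC
    "be1": "10.0.2.10", "be2": "10.0.2.11",                    # BE Exchange
    "fe-internal": "10.0.3.10",                                # FE kept inside
}
DMZ_FE = "192.0.2.10"      # design A: Exchange FE placed in the DMZ
DMZ_PROXY = "192.0.2.20"   # design B: reverse proxy in the DMZ, FE inside

# Services an attacker on a compromised DMZ host would probe on every
# internal host. 1025 stands in for the dynamic RPC range.
PROBES = [("udp", 53), ("tcp", 88), ("tcp", 135), ("tcp", 389),
          ("tcp", 445), ("tcp", 3268), ("tcp", 80), ("tcp", 443),
          ("tcp", 1025)]

# Design A: an FE in the DMZ has to reach the DC/GC subnet (DNS, Kerberos,
# RPC endpoint mapper, LDAP, SMB, GC LDAP, dynamic RPC) and every BE on
# the clear-text OWA proxy port, TCP/80.
RULES_FE_IN_DMZ = [
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "udp", 53, 53),
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "tcp", 88, 88),
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "tcp", 135, 135),
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "tcp", 389, 389),
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "tcp", 445, 445),
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "tcp", 3268, 3268),
    Rule(DMZ_FE + "/32", "10.0.1.0/24", "tcp", 1025, 5000),
    Rule(DMZ_FE + "/32", "10.0.2.0/24", "tcp", 80, 80),
]

# Design B: the reverse proxy in the DMZ needs a single flow, HTTPS to the
# internal FE; the FE's own DC/BE traffic never crosses the DMZ boundary.
RULES_PROXY_IN_DMZ = [
    Rule(DMZ_PROXY + "/32", INTERNAL_HOSTS["fe-internal"] + "/32",
         "tcp", 443, 443),
]


def reachable(rules, src_ip):
    """Set of (host, proto, port) an attacker on src_ip could connect to."""
    hits = set()
    for name, ip in INTERNAL_HOSTS.items():
        for proto, port in PROBES:
            if any(r.permits(src_ip, ip, proto, port) for r in rules):
                hits.add((name, proto, port))
    return hits


def blast_radius(rules, src_ip):
    """(distinct internal hosts reachable, distinct host/port pairs reachable)."""
    hits = reachable(rules, src_ip)
    return len({host for host, _, _ in hits}), len(hits)


def cleartext_paths(rules, src_ip):
    """Internal hosts reachable on TCP/80, i.e. unencrypted OWA FE->BE hops."""
    return sorted(host for host, proto, port in reachable(rules, src_ip)
                  if proto == "tcp" and port == 80)


if __name__ == "__main__":
    for label, rules, host in [("FE in DMZ", RULES_FE_IN_DMZ, DMZ_FE),
                               ("proxy in DMZ", RULES_PROXY_IN_DMZ, DMZ_PROXY)]:
        hosts, pairs = blast_radius(rules, host)
        print(f"{label}: a compromised {host} reaches {hosts} internal hosts "
              f"over {pairs} host/port pairs; clear-text OWA hops to "
              f"{cleartext_paths(rules, host)}")
```

Run it as a script and the two lines it prints make the trade-off concrete: with the sample rule set, design A gives a compromised DMZ FE five internal targets (every DC, the GC and both BEs) over 23 host/port combinations, two of them the unencrypted TCP/80 OWA hops, while design B gives a compromised proxy exactly one target on one port. Swapping the constructed rules for a firewall's exported policy turns the same functions into a quick check of how much a given DMZ host can see.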

> -----Original Message-----
> From: Moon, Brendan [mailto:bmoon@xxxxxx] 
> Sent: Sunday, January 22, 2006 2:18 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: OWA 2003
> 
> http://www.MSExchange.org/
> 
> I see three other 'cons' to putting an Exchange Front-End server in a
> DMZ that have not been mentioned:
> 
> 1) All OWA related Front-End <-> Back-End traffic is clear-text TCP/80,
> regardless of whether or not you use SSL between the client and
> Front-End server.  Depending on how much you trust your DMZ, you may be
> putting your e-mail content at risk of sniffing by a compromised server
> in the DMZ.
> 
> 2) Exchange Front-End servers must be members of a domain.  Many
> organizations don't like putting members of their internal
> forest/domains in a DMZ.  The risk is that domain members have a level
> of inherent trust between themselves -- which you may not want crossing
> your DMZ/trusted enclave boundary.
> 
> 3) The firewall consideration is also frequently underestimated.
> Exchange servers really should be able to talk with 'all' DCs and 'all'
> other Exchange servers in the same organization.  So it's not as simple
> as opening a few ports between a single Front-End and a single Back-End
> server.  While a 1:1 ratio may seem to work in small deployments -- you
> will sacrifice functionality and reliability in larger environments.  In
> a large enterprise a potentially compromised DMZ Front-End Exchange
> server would have open access through a firewall to many other critical
> servers (DCs, GCs, Exchange, etc.) in your trusted enclave(s).
> 
> Thomas - perhaps you could elaborate on some of the downsides to reverse
> proxying a Front-End server which resides in a non-DMZ trusted network.
> 
>  - Brendan Moon
> 
> -----Original Message-----
> From: Carl Houseman [mailto:c.houseman@xxxxxxxxx] 
> Sent: Sunday, January 22, 2006 11:55 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: OWA 2003
> 
> http://www.MSExchange.org/
> 
> As always, there are two camps on this.  One camp wants to blow holes in
> the firewall to permit the FE to talk to the BE.  The other wants to
> avoid that.
> 
> See "Figure 1 Secure Firewall Structure" here:
> <http://www.microsoft.com/technet/security/prodtech/exchangeserver/secmod44.mspx>
> 
> So, Microsoft favors the FE and BE servers on the same security zone,
> when their ISA server is used as reverse proxy.
> 
> Have fun arguing with Microsoft.  When you convince them and they change
> their document, let us know.  Otherwise, we already know your opinion,
> so thanks for sharing.
> 
> Carl
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Sunday, January 22, 2006 11:31 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: OWA 2003
> 
> http://www.MSExchange.org/
> 
> About why putting a front-end, Internet facing, Exchange Server on the
> same security zone as the back end Exchange servers. I'd like to
> understand the misconceptions that underlie that assertion, so that we
> can shoot them down and show how foolish they are.
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: Andy David [mailto:adavid@xxxxxxxxxxxxx]
> > Sent: Sunday, January 22, 2006 10:30 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: OWA 2003
> > 
> > http://www.MSExchange.org/
> > 
> > About what? 
> > 
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Sunday, January 22, 2006 11:25 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: OWA 2003
> > 
> > http://www.MSExchange.org/
> > 
> > Hi Andy,
> > 
> > You are patently WRONG about that. Where did you get such incorrect
> > advice? Because whoever told you that is most definitely not security
> > minded.
> > 
> > You might want to share the rationale you used for this assertion so
> > that we can shoot it down sequentially and rationally.
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Andy David [mailto:adavid@xxxxxxxxxxxxx]
> > > Sent: Saturday, January 21, 2006 9:57 PM
> > > To: [ExchangeList]
> > > Subject: [exchangelist] RE: OWA 2003
> > > 
> > > http://www.MSExchange.org/
> > > 
> > > http://www.microsoft.com/downloads/details.aspx?FamilyID=E64666FC-42B7-48A1-AB85-3C8327D77B70&displaylang=en
> > > 
> > > 
> > > Don't put it in the DMZ however. That's just foolish. Put a
> > > reverse-proxy in the DMZ if you must. Otherwise, keep the Front End
> > > server behind your firewall.
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Dave Flaim [mailto:thethin@xxxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: Saturday, January 21, 2006 10:41 PM
> > > To: [ExchangeList]
> > > Subject: [exchangelist] OWA 2003
> > > 
> > > http://www.MSExchange.org/
> > > 
> > > Is it possible to install OWA on a separate server than the Exchange
> > > 2003 server - i.e. we would like to place the OWA server in the DMZ.
> > > If so, does anyone have a procedure or reference?
> > > 
> > > Thanks
> > > Dave Flaim
> > > CVI
> 
> 
> ------------------------------------------------------
> List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this MSExchange.org 
> Discussion List as:
> bmoon@xxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to info@xxxxxxxxxxxxxx
> 

