Focus on Microsoft
RE: Website inside or outside domain Feb 12 2003 09:00PM
KEITH KOOYMAN (pcsolutions101 hotmail com) (1 replies)
Re: Website inside or outside domain Feb 13 2003 04:22PM
D. Ian Miller (miller ucalgary ca) (1 replies)
The one time I implemented OWA, I wrestled long and hard with how to minimize
the security risks while giving the users the convenience of accessing their
email via the www. I came across a rather unique solution which worked well in
my environment.

Instead of dishing out more cash for ISA, I used a Red Hat Linux 7.x PII PC in
the DMZ with about 128-MB RAM to act as a proxy (using Apache's mod_proxy) to the
IIS OWA website. The IIS OWA website was on the LAN and it in turn talked to
the Exchange server on the LAN. Having the Linux box also allowed the
additional advantage of adding SSL (using Apache mod_ssl) to the data stream
between the end user and the Linux box itself. The firewall was then
configured to only allow traffic between the Apache and IIS box. I also had to
modify some of the ASP code that comes with OWA to make this work.

KEITH KOOYMAN wrote:

> As I have followed this thread I have noticed that no one has addressed the
> similarities between this situation and OWA. Essentially, this is much the
> same scenario, where a public web server is in the DMZ and the question is:
> How do I allow access to the back-end Exchange Server?
>
> You can:
> 1. Put a firewall between the DMZ and the LAN (many firewalls have a
> preconfigured DMZ so a second firewall is not needed) and open up so many
> ports from the DMZ to the LAN that the firewall is useless = the official
> Microsoft solution
> 2. You can leave the front-end in the DMZ and use pass-through
> authentication which takes web traffic straight to your back-end = not
> desirable
> 3. Multi-home the front-end public web server, use TCP/IP filters, IPSEC
> and firewall rules to filter, authenticate and encrypt traffic going to the
> back-end; a good idea but time consuming and difficult to set up
> 4. Move the front-end public web server to the LAN = not desirable
> 5. Use a third party hybrid solution = expensive
>
> Does anyone else have a take on this Exchange point of view on the public
> web server?
>
> KC

[ reply ]
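
The DMZ reverse proxy described in the post above could look like the following on a current Apache httpd. This is an added example, not the poster's configuration; the hostname, the backend address, the certificate paths and the OWA virtual-directory names are assumptions.

```apache
# Added example in Apache httpd 2.4 syntax (mod_ssl and mod_proxy_http loaded).
# webmail.example.org, 192.0.2.10, the certificate paths and the three OWA
# paths are assumed placeholders, not values from the post.
Listen 443

<VirtualHost *:443>
    ServerName webmail.example.org

    # TLS terminates on the DMZ host, so the stream between the end user
    # and this box is encrypted, as in the post.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl/webmail.example.org.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/webmail.example.org.key

    # Reverse proxy only. With ProxyRequests On the DMZ host would also
    # act as an open forward proxy.
    ProxyRequests Off

    # Default deny, then allow only the URL space that OWA serves, so the
    # rest of the IIS site is never reachable through the proxy.
    <Location "/">
        Require all denied
    </Location>
    <LocationMatch "^/(exchange|exchweb|public)(/|$)">
        Require all granted
    </LocationMatch>

    # 192.0.2.10 stands in for the IIS OWA server on the LAN. The firewall
    # should pass HTTP from this DMZ host to that one address only.
    # This hop is cleartext HTTP; only the user-facing side carries TLS.
    ProxyPass        /exchange http://192.0.2.10/exchange
    ProxyPassReverse /exchange http://192.0.2.10/exchange
    ProxyPass        /exchweb  http://192.0.2.10/exchweb
    ProxyPassReverse /exchweb  http://192.0.2.10/exchweb
    ProxyPass        /public   http://192.0.2.10/public
    ProxyPassReverse /public   http://192.0.2.10/public
</VirtualHost>
```

ProxyPassReverse only rewrites redirect headers from the backend; absolute links generated inside OWA pages are not touched by it.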
RE: Website inside or outside domain Feb 15 2003 06:11PM
shannong (shannong texas net) (1 replies)
RE: Website inside or outside domain Feb 18 2003 08:14PM
Deus, Attonbitus (Thor HammerofGod com)


 

Copyright 2010, SecurityFocus