Focus on Microsoft
RE: Website inside or outside domain Feb 12 2003 09:00PM
KEITH KOOYMAN (pcsolutions101 hotmail com) (1 replies)
Re: Website inside or outside domain Feb 13 2003 04:22PM
D. Ian Miller (miller ucalgary ca) (1 replies)
RE: Website inside or outside domain Feb 15 2003 06:11PM
shannong (shannong texas net) (1 replies)
The problem with the Apache proxy mod is the re-writes to OWA's ASP.
Subsequent patches will require the original re-writes again plus new
ones. Plus there's no support for MS WebDAV, is there? So in OWA 2000,
you lose the advanced and pretty features. No?

ISA is not a fix at all as it uses IIS to receive the requests. So,
what is the point of putting one IIS server in front of another?

-----Original Message-----
From: D. Ian Miller [mailto:miller (at) ucalgary (dot) ca [email concealed]]
Sent: Thursday, February 13, 2003 10:23 AM
To: KEITH KOOYMAN
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: Website inside or outside domain

The one time I implemented OWA, I wrestled long and hard with how to
minimize the security risks while giving the users the convenience of
accessing their email via the www. I came across a rather unique
solution which worked well in my environment.

Instead of dishing out more cash for ISA, I used a Red Hat Linux 7.x PII
PC in the DMZ with about 128 MB RAM to act as a proxy (using Apache's
mod_proxy) to the IIS OWA website. The IIS OWA website was on the LAN
and it in turn talked to the Exchange server on the LAN. Having the
Linux box also allowed the additional advantage of adding SSL (using
Apache mod_ssl) to the data stream between the end user and the Linux
box itself. The firewall was then configured to only allow traffic
between the Apache and IIS box. I also had to modify some of the ASP
code that comes with OWA to make this work.

KEITH KOOYMAN wrote:

> As I have followed this thread I have noticed that no one has
> addressed the similarities between this situation and OWA.
> Essentially, this is much the same scenario, where a public web
> server is in the DMZ and the question is: How do I allow access to
> the back-end Exchange Server?
>
> You can:
> 1. Put a firewall between the DMZ and the LAN (many firewalls have a
>    preconfigured DMZ so a second firewall is not needed) and open up
>    so many ports from the DMZ to the LAN that the firewall is
>    useless = the official Microsoft solution
> 2. You can leave the front-end in the DMZ and use pass-through
>    authentication which takes web traffic straight to your
>    back-end = not desirable
> 3. Multi-home the front-end public web server, use TCP/IP filters,
>    IPSEC and firewall rules to filter, authenticate and encrypt
>    traffic going to the back-end; a good idea but time consuming and
>    difficult to set up
> 4. Move the front-end public web server to the LAN = not desirable
> 5. Use a third party hybrid solution = expensive
>
> Does anyone else have a take on this Exchange point of view on the
> public web server?
>
> KC

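Added example, not part of the thread: a minimal Apache httpd virtual host for the arrangement D. Ian Miller's message describes, with mod_ssl terminating SSL on the DMZ box and mod_proxy forwarding to the IIS OWA site on the LAN. It assumes httpd 2.4 directive syntax; the host names, certificate paths and the /exchange, /exchweb and /public paths are placeholders chosen for illustration.

```apache
# Illustrative only. All names, addresses and paths below are placeholders.
# Modules assumed loaded: mod_ssl, mod_proxy, mod_proxy_http.
Listen 443

<VirtualHost *:443>
    ServerName webmail.example.org

    # SSL/TLS ends here, on the DMZ proxy, so clients never connect
    # to the IIS server on the LAN directly.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/webmail.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.example.org.key

    # Reverse proxy only. Leaving forward proxying off keeps the box
    # from relaying arbitrary requests for outside clients.
    ProxyRequests Off

    # Forward only the paths the webmail application needs. Requests
    # for any other path are not proxied to the LAN.
    ProxyPass        /exchange http://owa-internal.example.lan/exchange
    ProxyPassReverse /exchange http://owa-internal.example.lan/exchange
    ProxyPass        /exchweb  http://owa-internal.example.lan/exchweb
    ProxyPassReverse /exchweb  http://owa-internal.example.lan/exchweb
    ProxyPass        /public   http://owa-internal.example.lan/public
    ProxyPassReverse /public   http://owa-internal.example.lan/public

    # ProxyPassReverse adjusts Location, Content-Location and URI
    # response headers only. URLs embedded in response bodies pass
    # through unchanged, so any absolute internal links the backend
    # emits still have to be handled on the backend side.

    # Log proxied requests separately for review.
    ErrorLog  logs/webmail_error.log
    CustomLog logs/webmail_access.log combined
</VirtualHost>
```

The firewall rule from the message still applies alongside this: permit the proxy host to reach only the IIS server's HTTP port on the LAN, and nothing else from the DMZ.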
RE: Website inside or outside domain Feb 18 2003 08:14PM
Deus, Attonbitus (Thor HammerofGod com)


 

Copyright 2010, SecurityFocus