Security Basics mailing list archives

RE: FW: Exchange Server and External Access


From: "Cherian M. Palayoor" <cpalayoor () cwalkergroup com>
Date: Tue, 26 Aug 2003 10:36:45 -0700



During my tests, it takes at least 5 minutes to load the mailboxes, calendar
etc.

Sending out emails with a 1 MB attachment necessitates a coffee break. Of
course the possibility of bottlenecks does exist.

But these are the primary reasons why VPN is not an attractive option.

Regards

CP
 

-----Original Message-----
From: Gabriel Orozco [mailto:gabriel_orozco () mx sumida com]
Sent: Tuesday, August 26, 2003 10:26 AM
To: Cherian M. Palayoor; chort
Cc: security-basics () securityfocus com
Subject: Re: FW: Exchange Server and External Access


For e-mail, 3 hops is nothing. This is email, not live content like video or
audio.

My opinion.
Regards
----- Original Message -----
From: "Cherian M. Palayoor" <cpalayoor () cwalkergroup com>
To: "chort" <chort () amaunetsgothique com>
Cc: <security-basics () securityfocus com>
Sent: Monday, August 25, 2003 1:57 PM
Subject: RE: FW: Exchange Server and External Access




Hi there,

The VPN is not an option as it would mean at least 3 more hops and more
latency. Hence the necessity of setting up something on the DMZ.

Regards

CP


-----Original Message-----
From: chort [mailto:chort () amaunetsgothique com]
Sent: Monday, August 25, 2003 9:46 AM
To: Cherian M. Palayoor
Cc: security-basics () securityfocus com
Subject: Re: FW: Exchange Server and External Access


On Fri, 2003-08-22 at 16:53, Cherian M. Palayoor wrote:


Thanks for the suggestions.

Based on the feedback so far, there appear to be 2 schools of thought....

Solution 1) Have Exchange setup in a FE/BE configuration with the FE in
the DMZ and the BE in the internal LAN. Have the FE poll the BE
through a secure link using SSL.

Problem : Too expensive, requires Exchange Enterprise and not to mention
Windows Advanced Server.
Also it may not resolve the problem as what I am primarily hoping
to achieve here is faster access time. We presently have
to traverse through a WAN cloud and 2 firewalls to get to the Internet
and the DMZ.

Solution 2) Move the Exchange Server to the DMZ and set it up either as an
OWA or POP3 Server.

Problem : This would affect internal user access speed and also the OWA
option would negatively impact users fed on a diet of Outlook's
convenience.

Is it possible to run a third-party server, like possibly Sendmail, to front
end Exchange?

Regards

CP


Any reverse-proxy solution can do this (for OWA, or POP3/IMAP4).  You
can still keep your Exchange server internal and put the reverse-proxy
in the DMZ.

There was also another excellent suggestion regarding setting up a BSD
box in the DMZ and putting a webmail application on it.  The webmail app
would mirror the messages from Exchange by using an IMAP4 connection
(from the DMZ host to Exchange).  If you're looking for cost-effective,
this would be the cheapest solution.

If there's a lot of latency for DMZ <-> trusted net traffic, there's
really no way around that other than pre-fetching messages to a DMZ host
and periodically updating them.  The external user would have very fast
access to the messages on the DMZ host, but would not be completely
in-sync with what's in their Exchange mailbox (also you couldn't delete
things out of your Exchange mailbox from the outside, since it's only a
copy).

Rather than trying to architect around network problems, perhaps you
could discover where the latency is so high?  It could very well be a
network misconfiguration, or a severely overloaded piece of hardware.

By the way, why is VPN not an option?

--
Brian Keefer



 Scanned by Webshield E250







---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September
6. Visit us: www.blackhat.com
----------------------------------------------------------------------------




