Exchange 2003 OWA security questions

[MHawkins () TULLIB COM]

Hi guys and gals,

We use CheckPoint/Nokia with multiple DMZ's including a web server farm DMZ.


Our Microsoft admin wants to multihome an ISA server on our web dmz with the
other NIC connected to our internal network to allow the ISA to talk to the
internal MS OWA front end server which then talks to the exchange server
(sheesh!). All this to allow users on the internet to access exchange via a
web browser.

I've read alot of the documentation on the whole Windows2003 Exchange web
pages solution and I think Microsoft is trying to bad mouth other firewalls
while touting their own proxy/packet firewall as good as or better than "the
rest of the world". Problem is, checkpoint/Nokia is a far better technical
solution compared to MS ISA (MS bigots take a deep breath and count to ten).

I asked the MS admin to single home his ISA or forget about ISA altogether
and just run a front end server in the web dmz. The idea of breaking our
Checkpoint architecture with an ISA that multihomes between the internal
network and our web dmz is just too much to ask a decent security admin
don't you think. Now I need ammunition to press the point home.

A few questions:

i) If any of you run an ISA for tunneling for the front end server I'd like
to hear if you were able to do it using single homing (the doco says it's
possible but not recommended and our MS admin says he can't get it to work.
ii) Scrap the ISA server, I think the front end server should be on the web
dmz. Does everyone agree with this? Yes, I know I have to open up all those
nasty MS ports but atleast I can restrict it to talking to the DC's and a
few other boxes - those would be hardened machines anyways.
iii) I think the MS admin should just run a front end server internally and
also another front end server on the web dmz. That way, you can harden the
web dmz machine properly but don't have to worry about the one that's only
for internal use (ok not too much worry). Make sense?

Any other general comments are much appreciated and welcome.

Keep rockin',

Mike Hawkins"Disclaimer: This electronic mail is intended only for the use
of the addressee(s)named herein. Unless otherwise specifically stated, the
views contained and expressed in this electronic mail are strictly those of
the individual sender and are not the views of the Company or any of its
Directors or other employees. If you are not the intended recipient of this
electronic mail, you are hereby notified that any dissemination,
distribution or coping of this electronic mail is strictly prohibited. If
you received this electronic mail in error please immediately notify us by
return electronic mail and delete this electronic mail from your system."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards