Firewall Wizards mailing list archives
Exchange 2003 OWA security questions
From: MHawkins () TULLIB COM
Date: Tue, 18 Jan 2005 20:46:38 -0500
Hi guys and gals,

We use CheckPoint/Nokia with multiple DMZs, including a web server farm DMZ. Our Microsoft admin wants to multihome an ISA server on our web DMZ with the other NIC connected to our internal network, to allow the ISA to talk to the internal MS OWA front end server, which then talks to the Exchange server (sheesh!). All this to allow users on the internet to access Exchange via a web browser.

I've read a lot of the documentation on the whole Windows 2003 Exchange web pages solution, and I think Microsoft is trying to bad-mouth other firewalls while touting their own proxy/packet firewall as good as or better than "the rest of the world". Problem is, Checkpoint/Nokia is a far better technical solution compared to MS ISA (MS bigots take a deep breath and count to ten).

I asked the MS admin to single-home his ISA or forget about ISA altogether and just run a front end server in the web DMZ. The idea of breaking our Checkpoint architecture with an ISA that multihomes between the internal network and our web DMZ is just too much to ask a decent security admin, don't you think? Now I need ammunition to press the point home.

A few questions:

i) If any of you run an ISA for tunneling for the front end server, I'd like to hear if you were able to do it using single homing (the doco says it's possible but not recommended, and our MS admin says he can't get it to work).

ii) Scrap the ISA server; I think the front end server should be on the web DMZ. Does everyone agree with this? Yes, I know I have to open up all those nasty MS ports, but at least I can restrict it to talking to the DCs and a few other boxes - those would be hardened machines anyway.

iii) I think the MS admin should just run a front end server internally and also another front end server on the web DMZ. That way, you can harden the web DMZ machine properly but don't have to worry about the one that's only for internal use (OK, not too much worry). Make sense?
Any other general comments are much appreciated and welcome.

Keep rockin',
Mike Hawkins
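As an added example that is not part of Mike's post or any reply in the thread, here is a small policy check in Python for the segmentation argument made above. It models hosts by the zones their interfaces sit in and the flows the firewall permits, then flags (a) any host whose interfaces bridge the web DMZ and the internal network, which is exactly what the multihomed ISA would do, and (b) any flow from the DMZ to an internal host that is not on the explicit allow-list of DCs and back-end boxes. Host names, zone names, ports and the allow-list are constructed sample data, not values from the original thread.

```python
"""
Zone-segmentation audit for the two OWA front-end placements discussed above.

Two checks:
  1. no host has interfaces in more than one zone (the multihomed-ISA concern)
  2. every flow that originates in the web DMZ terminates at an explicitly
     allow-listed internal host (DCs, back-end Exchange), nothing else

All hosts, zones, ports and the allow-list below are constructed examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zones: frozenset  # zones this host has an interface in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def find_zone_bridges(hosts):
    """Names of hosts with interfaces in two or more zones (policy bypass risk)."""
    return sorted(h.name for h in hosts if len(h.zones) > 1)


def find_unapproved_dmz_flows(hosts, flows, dmz_zone, allowed_dst):
    """Flows leaving dmz_zone whose destination is not on the allow-list."""
    zone_of = {h.name: h.zones for h in hosts}
    return [
        f for f in flows
        if dmz_zone in zone_of.get(f.src, frozenset()) and f.dst not in allowed_dst
    ]


def audit(hosts, flows, dmz_zone, allowed_dst):
    """Run both checks and return a summary dict; 'ok' is True only if both pass."""
    bridges = find_zone_bridges(hosts)
    bad = find_unapproved_dmz_flows(hosts, flows, dmz_zone, allowed_dst)
    return {
        "zone_bridges": bridges,
        "unapproved_dmz_flows": [(f.src, f.dst, f.port) for f in bad],
        "ok": not bridges and not bad,
    }


# Constructed allow-list: the only internal hosts a DMZ front end may reach.
ALLOWED_INTERNAL = frozenset({"dc1", "exch-be"})

# Design A (constructed): multihomed ISA in the DMZ, front end kept internal.
PROPOSED_HOSTS = [
    Host("isa-proxy", frozenset({"web-dmz", "internal"})),  # straddles both zones
    Host("owa-fe", frozenset({"internal"})),
    Host("dc1", frozenset({"internal"})),
    Host("exch-be", frozenset({"internal"})),
    Host("fileserver", frozenset({"internal"})),
]
PROPOSED_FLOWS = [
    Flow("isa-proxy", "owa-fe", 443),  # ISA reaches an internal host off the allow-list
    Flow("owa-fe", "dc1", 389),
    Flow("owa-fe", "exch-be", 80),
]

# Design B (constructed): single-homed front end in the DMZ, no ISA.
DMZ_FE_HOSTS = [
    Host("owa-fe", frozenset({"web-dmz"})),
    Host("dc1", frozenset({"internal"})),
    Host("exch-be", frozenset({"internal"})),
    Host("fileserver", frozenset({"internal"})),
]
DMZ_FE_FLOWS = [
    Flow("owa-fe", "dc1", 389),
    Flow("owa-fe", "dc1", 88),
    Flow("owa-fe", "exch-be", 80),
    Flow("owa-fe", "fileserver", 445),  # overly broad rule that the audit should catch
]


if __name__ == "__main__":
    for label, hosts, flows in (
        ("multihomed ISA", PROPOSED_HOSTS, PROPOSED_FLOWS),
        ("front end in DMZ", DMZ_FE_HOSTS, DMZ_FE_FLOWS),
    ):
        print(label, audit(hosts, flows, "web-dmz", ALLOWED_INTERNAL))
```

Design A fails on the bridge check regardless of its rules, because the ISA box itself is a path around the firewall; design B passes the bridge check and fails only on the one rule that is wider than the DC/back-end allow-list, which is the kind of finding you can actually fix in the rulebase.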