Firewall Wizards mailing list archives

RE: Single Exchange/OWA on LAN with Internet Access - a good


From: "Thomas W Shinder" <tshinder () tacteam net>
Date: Thu, 17 Nov 2005 11:30:09 -0600

Hi Stig,

The front-end/back-end Exchange Server topology was *never* about
security, it was about load balancing and routing.

You can put the FE Exchange Server in an authenticated access DMZ, as
I've done many times, but there's no point to putting the FE Exchange
Server in an anonymous access DMZ.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Ravdal, Stig
Sent: Thursday, November 17, 2005 9:50 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Hi everyone,

I hope that someone has been through this before and has some
substantial arguments for/against:

Our MS admins are proposing to implement single OWA/Exchange servers
on the LAN and allow access directly to the server through the
firewall. The primary reason for doing it this way is to reduce the
cost of the front-end server that would otherwise reside in a DMZ.
Their argument is that with OWA 2003 you have to have a bunch of ports
open anyway, and so what is the reason to put a front end server in
the DMZ - if that server were compromised they would practically have
access to the network anyway. With the OWA/Exchange server inside the
firewall, access from the Internet can be limited to 80 and/or 443
only.

My concern is that with the next OWA vulnerability someone will own
the server in the DMZ through a single exploit. However, I cannot
find anything that suggests that the front end server solution is
really any more secure. Yeah, it's another hop, but it would be an
easy one as soon as the front end server is compromised.

Thoughts?

Thanks,

Stig
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards