Security Basics mailing list archives
RE: Exchange Server and External Access
From: "Nick Duda" <nduda () VistaPrint com>
Date: Mon, 25 Aug 2003 12:28:23 -0400
You don't need Windows Advanced Server for FE/BE setup. Only if you want to cluster the Exchange servers. I wouldn't recommend putting FE in DMZ, because you need to punch holes into your firewall aside from 80/443.

It's very simple. If you can't get approval for Enterprise edition Exchange then you can install another Exchange Standard server. Do not allow any mailboxes on the database or pub folders. Generate SSL certs for the OWA server and the normal server. The only problem is they may get prompted for 2 authentications because of the SSL certs and the move between physical servers. Lock down the OWA server (i.e. smtp, iiscan, gpo's, ...etc)

my .02

- Nick

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
Sent: Friday, August 22, 2003 7:53 PM
To: security-basics () securityfocus com
Subject: FW: Exchange Server and External Access

Thanks for the suggestions.

Based on the feedback so far, there appear to be 2 schools of thought....

Solution 1) Have Exchange set up in a FE/BE configuration with the FE in the DMZ and the BE in the internal LAN. Have the FE poll the BE through a secure link using SSL.

Problem: Too expensive, requires Exchange Enterprise and not to mention Windows Advanced Server. Also it may not resolve the problem, as what I am primarily hoping to achieve here is faster access time. We presently have to traverse through a WAN cloud and 2 firewalls to get to the Internet and the DMZ.

Solution 2) Move the Exchange Server to the DMZ and set it up either as an OWA or POP3 server.

Problem: This would affect internal user access speed, and also the OWA option would negatively impact users fed on a diet of Outlook's convenience.

Is it possible to run a third-party server like possibly Sendmail to front-end Exchange?

Regards
CP

-----Original Message-----
From: Jeff Huston [mailto:JeffH () gatesfoundation org]
Sent: Friday, August 22, 2003 1:24 PM
To: Cherian M. Palayoor
Subject: RE: Exchange Server and External Access

Use Exchange's front-end / back-end technology. Set up the front-end server in the DMZ (remember to only allow SSL access!), then use IPSec to connect it to the back-end server (presumably in your production network). Users can then access their mailbox data through Outlook Web Access. You can also do this for POP3 / IMAP4 access, but these can be somewhat less secure (unless you activate SSL for each of these as well).

-- Jeff

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
Sent: Friday, August 22, 2003 10:26 AM
To: security-basics () securityfocus com
Subject: Exchange Server and External Access

Hi,

We presently use the Std edition of Exchange 2000 as a mail server for our internal users, behind the firewall. However, we would like to grant mailbox access to external users outside the firewall.

What would be the most secure and efficient method of accomplishing this?

One stream of thought that I have been entertaining is having a separate Exchange/mail server on the DMZ. Now this solution would result in having to maintain 2 separate mailboxes for internal and external users. This creates problems for users who would access their emails from both inside and outside the office. How can I work around this problem?

Thanks in advance for any suggestions.

Regards
CP

Scanned by Webshield E250

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
----------------------------------------------------------------------------