Security Basics mailing list archives
RE: Exchange Server and External Access
From: <mobile () heintz us>
Date: Mon, 25 Aug 2003 18:09:43 -0400
I'm in the process of instituting the same setup but have had problems. I originally thought that I could get away with just opening up communications between the FE (on the DMZ) and the BE (trusted segment) servers. I presumed that authentication would take place between the BE and the DCs, with the FE essentially acting as a proxy. I've found that in order for it to work I have to open up communications between the FE and my DCs. I've validated through firewall logs that the FE is definitely trying to communicate (LDAP, MS Authentication, etc.) with the DCs. If I open up communications between the FE and the DCs everything works great (having only HTTP open between the FE and the BE), but if I limit comm to only the HTTP between FE and BE then the FE just hangs when I try to access OWA. Any thoughts on what I could be doing wrong here? I've double-checked and the FE is configured as a "front end server".

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla () cox net]
Sent: Friday, August 22, 2003 8:36 PM
To: 'Cherian M. Palayoor'; security-basics () securityfocus com
Subject: RE: Exchange Server and External Access

Cherian,

Make use of the Front End/Back End capability of Exchange when hooked up with Outlook Web Access. You would put the OWA box in your DMZ (IIS is here, treat as untrusted and be sure to implement full lockdown - URLScan must be modified, but this is well documented) and enable SSL. Your external interface would expose 80 and 443; the port requirement from the OWA server to the Back End Exchange servers would be HTTP - Port 80 only. All of the authentication/authorization takes place behind the OWA box - much less exposed to untrusted sources. Because the only option for authentication between the FE and the BE is Basic, it is sometimes suggested (and urged) to SSL the traffic between the FE and the BE. The BE server will handle the communication to the DCs and the GC (or GAL, whichever way you want to look at it).

So, to summarize - External, Port 80 and 443. OWA (FE) to Exchange Server (BE) Port 80 or 443 (if security of user name and password is desired between FE and BE). All of this assumes that the most critical element, the Exchange server with the message stores, is on the Internal, or most trusted, network. Hence, no port concerns would be in play for RPC, GC, LDAP, or any other squishy Microsoft-type traffic.

-rtk

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
Sent: Friday, August 22, 2003 12:26 PM
To: security-basics () securityfocus com
Subject: Exchange Server and External Access

Hi,

We presently use the Std edition of Exchange 2000 as a mail server for our internal users, behind the Firewall. However, we would like to grant mailbox access to external users outside the Firewall. What would be the most secure and efficient method of accomplishing this? One stream of thought that I have been entertaining is having a separate Exchange/Mail Server on the DMZ. Now this solution would result in having to maintain 2 separate mailboxes for internal and external users. This creates problems for users who would access their emails from both inside and outside the office. How can I work around this problem?

Thanks in advance for any suggestions.

Regards
CP

Scanned by Webshield E250

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor.
Early-bird registration ends September 6. Visit us: www.blackhat.com
---------------------------------------------------------------------------
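The segmentation the three messages describe, as an added example that is not from the thread or any of its posters: a small first-match firewall policy evaluator that audits a rule set against the flows the FE/BE layout needs (External to FE on 80/443, FE to BE over HTTPS, and the FE-to-DC directory traffic the reply above found necessary) and against flows that must stay blocked. Host names, the zone map and the FE-to-DC ports beyond LDAP's 389 (3268 for the GC, 88 for Kerberos, and 135 as the blocked RPC endpoint mapper) are assumptions, not something the thread states.

```python
"""Audit a firewall policy for the OWA front-end/back-end layout discussed in the thread.

Added example, not from the thread. Zones/hosts and all port numbers other than
80, 443 and 389 are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # host name, zone name, or "any"
    dst: str       # host name, zone name, or "any"
    port: object   # TCP port number, or "any"
    action: str    # "allow" or "deny"


# Constructed topology: FE in the DMZ, mailbox server and DCs on the trusted segment.
ZONE = {"internet": "external", "owa_fe": "dmz", "exch_be": "internal", "dc": "internal"}


def matches(rule, src, dst, port):
    def hit(pattern, host):
        return pattern in ("any", host, ZONE[host])
    return hit(rule.src, src) and hit(rule.dst, dst) and rule.port in ("any", port)


def decide(policy, src, dst, port):
    """First-match evaluation; implicit deny when no rule matches."""
    for rule in policy:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"


# Flows the layout needs (FE->DC ports are assumptions beyond the thread's "LDAP").
REQUIRED = [("internet", "owa_fe", 80), ("internet", "owa_fe", 443), ("owa_fe", "exch_be", 443),
            ("owa_fe", "dc", 389), ("owa_fe", "dc", 3268), ("owa_fe", "dc", 88)]
# Flows that must stay blocked: nothing from the Internet straight to the trusted segment,
# and the DMZ host must not reach the mailbox server's RPC endpoint mapper (135, assumption).
FORBIDDEN = [("internet", "exch_be", 80), ("internet", "dc", 389), ("owa_fe", "exch_be", 135)]


def audit(policy):
    """Return (required flows that are blocked, forbidden flows that are allowed)."""
    missing = [f for f in REQUIRED if decide(policy, *f) != "allow"]
    leaks = [f for f in FORBIDDEN if decide(policy, *f) == "allow"]
    return missing, leaks


# Constructed policy mirroring the poster's first attempt: only HTTP(S) FE->BE, nothing FE->DC.
FIRST_TRY = [Rule("external", "owa_fe", 80, "allow"), Rule("external", "owa_fe", 443, "allow"),
             Rule("owa_fe", "exch_be", 443, "allow"), Rule("any", "any", "any", "deny")]
# Corrected policy: add only the directory/auth ports the FE needs, still no DMZ->internal "any".
FIXED = FIRST_TRY[:3] + [Rule("owa_fe", "dc", p, "allow") for p in (389, 3268, 88)] + [FIRST_TRY[-1]]

if __name__ == "__main__":
    print("first try:", audit(FIRST_TRY))
    print("fixed:    ", audit(FIXED))
```

The first policy reports the three FE-to-DC flows as blocked, which is the hang the reply above describes; the corrected one reports nothing missing and nothing leaked.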