Security Basics mailing list archives

RE: Exchange Server and External Access


From: <mobile () heintz us>
Date: Mon, 25 Aug 2003 18:09:43 -0400

I'm in the process of instituting the same setup but have had problems. I
originally thought that I could get away with just opening up communications
between the FE (on the DMZ) and the BE (trusted segment) servers. I presumed
that authentication would take place between the BE and the DCs, with the FE
essentially acting as a proxy.

I've found that in order for it to work I have to open up communications
between the FE and my DCs. I've validated through firewall logs that the FE
is definitely trying to communicate (LDAP, MS Authentication, etc.) with the
DCs.

If I open up communications between the FE and the DCs everything works
great (having only HTTP open between the FE and the BE), but if I limit
communication to only HTTP between the FE and the BE, then the FE just hangs
when I try to access OWA.

Any thoughts on what I could be doing wrong here? I've double checked and
the FE is configured as a "front end server".







-----Original Message-----
From: Rick Kingslan [mailto:rkingsla () cox net] 
Sent: Friday, August 22, 2003 8:36 PM
To: 'Cherian M. Palayoor'; security-basics () securityfocus com
Subject: RE: Exchange Server and External Access

Cherian,

Make use of the Front End/Back End capability of Exchange when hooked up
with Outlook Web Access.  You would put the OWA box in your DMZ (IIS is
here, treat as untrusted and be sure to implement full lockdown - URLScan
must be modified, but this is well documented) and enable SSL.  Your
external interface would expose 80 and 443; the port requirement from the
OWA server to the Back End Exchange servers would be HTTP - Port 80 only.

All of the authentication/authorization takes place behind the OWA box -
much less exposed to untrusted sources.  Because the only option for
authentication between the FE and the BE is Basic, it is sometimes suggested
(and urged) to SSL the traffic between the FE and the BE.  The BE server
will handle the communication to the DCs and the GC (or GAL, whichever way
you want to look at it).

So, to summarize - External, Port 80 and 443.  OWA(FE) to Exchange Server
(BE) Port 80 or 443 (if security of user name and password is desired
between FE and BE).

All of this assumes that the most critical element, the Exchange server with
the message stores, is on the Internal, or most trusted network.  Hence, no
port concerns would be in play for RPC, GC, LDAP, or any other squishy
Microsoft-type traffic.

-rtk

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com] 
Sent: Friday, August 22, 2003 12:26 PM
To: security-basics () securityfocus com
Subject: Exchange Server and External Access

Hi,

We presently use the Std edition of Exchange 2000 as a mail server for our
internal users, behind the Firewall.

However we would like to grant mailbox access to external users outside the
Firewall.

What would be the most secure and efficient method of accomplishing this?

One stream of thought that I have been entertaining is having a separate
Exchange/Mail Server on the DMZ.

Now this solution would result in having to maintain 2 separate mailboxes
for internal and external users. This creates problems for users who would
access their emails from both inside and outside the office.

How can I work around this problem?

Thanks in advance for any suggestions.

Regards

CP
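To make the port discussion in this thread concrete, here is an added example (not from any poster) that models the three-zone firewall policy as a small rule set and checks a candidate policy against the flows the thread says an OWA front end needs. The host-group names, the rule format and the FE-to-DC ports used (LDAP 389, GC 3268, Kerberos 88) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # host group: "internet", "fe" (OWA box in the DMZ), "be", "dc"
    dst: str
    port: int   # TCP port

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: tuple  # (low, high), inclusive
    allow: bool = True

def permitted(rules, flow):
    """First matching rule decides; no match falls through to the firewall's default deny."""
    for r in rules:
        if (r.src, r.dst) == (flow.src, flow.dst) and r.ports[0] <= flow.port <= r.ports[1]:
            return r.allow
    return False

# Flows the thread says an OWA front end needs: browsers to the FE, FE to BE over HTTP,
# plus the FE's own directory/authentication traffic to the DCs that showed up in the
# poster's firewall logs. The DC ports are an assumption (LDAP 389, GC 3268, Kerberos 88).
REQUIRED = [Flow("internet", "fe", 80), Flow("internet", "fe", 443), Flow("fe", "be", 80),
            Flow("fe", "dc", 389), Flow("fe", "dc", 3268), Flow("fe", "dc", 88)]

def missing_flows(rules, required=REQUIRED):
    """Required flows the candidate policy would drop (each one is a place OWA can hang)."""
    return [f for f in required if not permitted(rules, f)]

def basic_auth_in_clear(rules):
    """FE->BE is Basic auth only: if 80 is open and 443 is not, the user's credentials
    cross the DMZ boundary unencrypted, the risk the 'SSL the FE-BE traffic' advice addresses."""
    return permitted(rules, Flow("fe", "be", 80)) and not permitted(rules, Flow("fe", "be", 443))

# The poster's first attempt: HTTP from FE to BE and nothing else out of the DMZ.
HTTP_ONLY = [Rule("internet", "fe", (80, 80)), Rule("internet", "fe", (443, 443)),
             Rule("fe", "be", (80, 80))]
# What made it work: FE may reach the DCs, and FE->BE also gets 443 so Basic credentials ride SSL.
FIXED = HTTP_ONLY + [Rule("fe", "be", (443, 443)), Rule("fe", "dc", (88, 88)),
                     Rule("fe", "dc", (389, 389)), Rule("fe", "dc", (3268, 3268))]

if __name__ == "__main__":
    for name, policy in (("http-only", HTTP_ONLY), ("fixed", FIXED)):
        print(name, "missing:", [(f.src, f.dst, f.port) for f in missing_flows(policy)],
              "basic-in-clear:", basic_auth_in_clear(policy))
```

Because evaluation is first-match, an early broad deny from the FE to the DCs silently shadows later allows, which is the same symptom (OWA hanging) the poster describes.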









---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
----------------------------------------------------------------------------




