Firewall Wizards mailing list archives
RE: Outlook Web Access - Paranoid?
From: "Steve Evans" <sevans () foundation sdsu edu>
Date: Wed, 27 Nov 2002 21:32:47 -0800
Since I'm an Exchange 2000 systems administrator I thought I'd clear up some of the technical requirements of OWA. I've heard quite a few things that are impossible/wrong. I'm not going to argue about whether or not Exchange is a worthy product. Just going to present the facts of what is required. An OWA server needs access to the GC's and the backend servers. GC's (domain controllers) 389 TCP/UDP (LDAP to Directory Server) 3268 TCP (LDAP to Global Catalog) 88 TCP/UDP (Kerberos) 135 TCP (RPC) 1024 and greater/TCP (more RPC) And only 80 to the Back-End Server SQL server is not required (they are talking about using the SQL server engine for the database in future versions) and you the OWA server has to be an Exchange server. Not just a box running IIS. And it has to be part of the domain. One opinion I will express is that if you're going to use OWA (which I have no opinion on) putting it in the DMZ is useless. The reason you put things in the DMZ is so if they are compromised they still have a firewall to go through to get to the good stuff. Let me tell you, the ports you have to open are the good stuff. And one more opinion. Exchange security isn't as bad as everyone is making it out to be. Is it good, no, it's a Microsoft product. But Exchange 2000 is really one of Microsofts more secure products. Proper planning can mitigate most of the risk. Really it's a decision for the suits to make, not us. If the security is good enough though, is a question that only you can answer. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Paul D. Robertson [mailto:proberts () patriot net] Sent: Tuesday, November 26, 2002 4:43 PM To: Mark L. Evans Cc: 'Firewall-Wizards (E-mail) Subject: Re: [fw-wiz] Outlook Web Access - Paranoid? On Tue, 26 Nov 2002, Paul Robertson wrote:
Let's not forget that you're now putting this server in the critical update path for every IIS, SQL and Exchange patch- can your mail users
Both Wes Noonan and Frank Knobbe have pointed out to me that I'm hallucinating about SQL server being burried in Exchange. I still stand by the rest of the rant... Paul ------------------------------------------------------------------------ ----- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Outlook Web Access - Paranoid? Mark L. Evans (Nov 26)
- Re: Outlook Web Access - Paranoid? Paul Robertson (Nov 26)
- Re: Outlook Web Access - Paranoid? Paul D. Robertson (Nov 26)
- <Possible follow-ups>
- RE: Outlook Web Access - Paranoid? Symon Thurlow (Nov 26)
- RE: Outlook Web Access - Paranoid? Steve Evans (Nov 28)
- RE: Outlook Web Access - Paranoid? Paul D. Robertson (Nov 28)
- RE: Outlook Web Access - Paranoid? Frank Knobbe (Nov 28)
- RE: Outlook Web Access - Paranoid? Christopher Lee (Nov 28)
- Re: Outlook Web Access - Paranoid? Mikael Olsson (Nov 28)
- RE: Outlook Web Access - Paranoid? Paul D. Robertson (Nov 28)
- RE: Outlook Web Access - Paranoid? Paul D. Robertson (Nov 28)
- Re: Outlook Web Access - Paranoid? Paul Robertson (Nov 26)