Firewall Wizards mailing list archives

RE: NTLM authentication from DMZ


From: Steffen Kluge <kluge () fujitsu com au>
Date: 25 Sep 2002 19:08:02 +1000

On Mon, 2002-09-23 at 18:20, Reckhard, Tobias wrote:
> Mikael Olsson wrote:
> > My first recommendation would probably be: stick something in front
> > of the OWA box that does SSL and authentication. If someone gets to
> > the OWA box, it's more or less game over; if nothing else because
> > of all the sensitive stuff that is usually available in people's
> > inboxes, public folders, etc etc.
>
> Heh, that's exactly what I'm about to have to implement here. I'm planning
> to use Apache+mod_proxy+mod_ssl and RSA SecurID in front of an OWA server.
> Does anyone by chance have any pointers to hints on how to set up such a
> baby?

That's what I had planned at first, too, but it seemed too big and complex
for a simple task. I ended up putting the Exchange and OWA boxes on the
internal network, and a simple reverse proxy that can also act as SSL 
wrapper onto the DMZ. Authentication is done by OWA. The firewall allows
only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse 
proxy to OWA. The proxy software I'm using is pound. Still beta and with
some stability issues but very promising.

Cheers
Steffen.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
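
The firewall policy described in the message above, written out as an added example (not from the original post or its author): a shell function that emits an iptables-restore ruleset for a firewall with Internet, DMZ and internal legs. The use of iptables, the interface names eth0/eth1/eth2 and the sample addresses are assumptions; the post does not name the firewall product or any addresses.

```shell
#!/bin/sh
# Added example. Assumed layout (not stated in the post):
#   eth0 = Internet, eth1 = DMZ (reverse proxy), eth2 = internal (OWA/Exchange)

# gen_rules PROXY_IP OWA_IP
# Prints an iptables-restore ruleset that forwards only the two flows
# named in the post and drops (and logs) everything else.
gen_rules() {
    if [ "$#" -ne 2 ]; then
        echo "usage: gen_rules PROXY_IP OWA_IP" >&2
        return 1
    fi
    proxy=$1
    owa=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections that were allowed below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> reverse proxy, HTTPS only
-A FORWARD -i eth0 -o eth1 -p tcp -d $proxy --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Reverse proxy -> OWA, HTTP only (this leg is cleartext, as in the post)
-A FORWARD -i eth1 -o eth2 -p tcp -s $proxy -d $owa --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# No Internet -> internal rule exists; anything else hits the DROP policy
-A FORWARD -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Constructed sample addresses: 192.0.2.10 (proxy), 10.0.0.20 (OWA)
gen_rules 192.0.2.10 10.0.0.20
```

Piping the output to `iptables-restore --test` parses the ruleset without loading it. The rule for the proxy-to-OWA leg matches on both source and destination, so a compromised proxy can open new connections to nothing on the internal network except port 80 on the OWA host.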