Re: Exchange Server and External Access

[chort <chort () amaunetsgothique com>]

On Fri, 2003-08-22 at 10:25, Cherian M. Palayoor wrote:
> Hi,
>
> We presently use the Std edition of Exchange 2000 as a mail server for our
> internal users, behind the Firewall.
>
> However we would like to grant mailbox access to external users outside the
> Firewall.
>
> What would be the most secure and efficient method of accomplishing this. 
>
> One stream of thought that I have been entertaining is having a separate
> Exchange/Mail  Server on the DMZ.
>
> Now this solution would result in having to maintain 2 separate mailboxes for
> internal and external users. This creates problems for users who would access
> their emails from both inside and outside the office.
>
> How can I workaround this problem.
>
> Thanks in advance for any suggestions.
>
> Regards
>
> CP

The most straightforward and least complex solutions would be for remote
users to VPN in and connect to Exchange natively (MAPI) across the VPN
(to the internal IP).

Another solution would be to setup OWA and let remote users only access
OWA.  Unfortunately, OWA is fairly riddled with security weaknesses, and
it's dependent on IIS.  I would not implement it without a reverse-proxy
in front doing at the very least, buffer length checking, IDS signature
detection, limiting directory recursion, real secure log-off (try
logging out of OWA, then click stop, back, and presto you're in), etc
and preferably SSL/TLS encryption too.

The company I work for, CipherTrust has such a solution in the
IronWebMail product.  In the interest of fairness I will also mention
that Whale have a similar product, and I believe Borderware also has
this functionality.  I'm sure there are several other vendors capable of
reverse proxying HTTP(S).

Last, you could also use POP3 or IMAP4 with Exchange.  This won't allow
access to the calendar, etc but you can get mail.  Again, this shouldn't
go straight into Exchange from the outside.  You should have a
reverse-proxy for those services in the DMZ.  It should enforce password
strength checking, check for brute force password guessing, denial of
service attacks, etc.

CipherTrust provide a product (IronMail) that does this.  At the risk of
sounding shamelessly self-promoting, I'm not aware of any other products
which reverse-proxy POP3 or IMAP4.  I'm sure this is not unique, so
there must be some vendor out there who does it.  Check with your
firewall vendor to see if it's already supported in your current
firewall.

In any case, take some time and continue doing research (as you are
now).  Make sure whatever solution you come up with will fill both your
functional and security requirements.  Evaluate at least two products or
solutions so you have some basis of comparison.

-- 
Brian Keefer


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------