Security Basics mailing list archives

Re: FW: Exchange Server and External Access


From: chort <chort () amaunetsgothique com>
Date: 25 Aug 2003 09:45:52 -0700

On Fri, 2003-08-22 at 16:53, Cherian M. Palayoor wrote:


Thanks for the suggestions.

Based on the feedback so far, there appear to be 2 schools of thought....

Solution 1) Have Exchange setup in a FE/BE configuration with the FE in the
DMZ and the BE in the internal LAN. Have the FE poll the BE through a
secure link using SSL.

Problem : Too expensive, requires Exchange Enterprise and not to mention
Windows Advanced Server. Also it may not resolve the problem as what I am
primarily hoping to achieve here is faster access time. We presently have
to traverse through a WAN cloud and 2 firewalls to get to the Internet and
the DMZ.

Solution 2) Move the Exchange Server to the DMZ and set it up either as an
OWA or POP3 Server. 

Problem : This would affect internal user access speed and also the OWA
option would negatively impact users fed on a diet of Outlook's convenience.

Is it possible to run a third-party server like possibly Sendmail to front
end Exchange ?

Regards

CP


Any reverse-proxy solution can do this (for OWA, or POP3/IMAP4).  You
can still keep your Exchange server internal and put the reverse-proxy
in the DMZ.

There was also another excellent suggestion regarding setting up a BSD
box in the DMZ and putting a webmail application on it.  The webmail app
would mirror the messages from Exchange by using an IMAP4 connection
(from the DMZ host to Exchange).  If you're looking for cost-effective,
this would be the cheapest solution.

If there's a lot of latency for DMZ <-> trusted net traffic, there's
really no way around that other than pre-fetching messages to a DMZ host
and periodically updating them.  The external user would have very fast
access to the messages on the DMZ host, but would not be completely
in-sync with what's in their Exchange mailbox (also you couldn't delete
things out of your Exchange mailbox from the outside, since it's only a
copy).

Rather than trying to architect around network problems, perhaps you
could discover where the latency is so high?  It could very well be a
network misconfiguration, or a severely overloaded piece of hardware.

By the way, why is VPN not an option?

-- 
Brian Keefer
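The pre-fetch mirror described above (a DMZ host that periodically copies messages out of Exchange over IMAP4 and never writes back), as an added example that is not part of the post or of any product it mentions. It uses only Python's standard-library imaplib; the host, credentials and the in-memory state store are assumptions, and a real deployment would persist the state between runs.

```python
import imaplib
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MirrorState:
    """What the DMZ host holds for one mailbox (in-memory here; persist it in practice)."""
    uidvalidity: Optional[int] = None
    messages: Dict[int, bytes] = field(default_factory=dict)  # IMAP UID -> raw RFC822 bytes


def plan_sync(state: MirrorState, server_uidvalidity: int,
              server_uids: List[int]) -> Tuple[bool, List[int], List[int]]:
    """Decide what one refresh must do: returns (reset, uids_to_fetch, uids_to_drop).

    IMAP UIDs are only stable for a given UIDVALIDITY (RFC 3501). If the server's
    value changed, every cached UID is stale: the local copy is reset and everything
    is fetched again. Otherwise fetch only UIDs the DMZ copy lacks and drop UIDs that
    disappeared from the Exchange mailbox (messages the user deleted internally).
    """
    server, local = set(server_uids), set(state.messages)
    if state.uidvalidity != server_uidvalidity:
        return True, sorted(server), sorted(local)
    return False, sorted(server - local), sorted(local - server)


def apply_sync(state: MirrorState, server_uidvalidity: int,
               fetched: Dict[int, bytes], dropped: List[int]) -> MirrorState:
    """Build the new local state from a completed plan."""
    reset = state.uidvalidity != server_uidvalidity
    kept = {} if reset else {u: m for u, m in state.messages.items() if u not in dropped}
    kept.update(fetched)
    return MirrorState(server_uidvalidity, kept)


def mirror_once(host: str, user: str, password: str, state: MirrorState,
                mailbox: str = "INBOX") -> MirrorState:
    """One refresh from Exchange over IMAP4/TLS (host and credentials are assumed).

    The mailbox is opened read-only, so the DMZ copy can never modify Exchange; this
    is exactly why deletions made from outside stay local, as the post notes.
    """
    ctx = ssl.create_default_context()  # verifies the Exchange certificate
    with imaplib.IMAP4_SSL(host, 993, ssl_context=ctx) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        uidvalidity = int(conn.response("UIDVALIDITY")[1][0])
        _, data = conn.uid("SEARCH", None, "ALL")
        server_uids = [int(u) for u in data[0].split()]
        _, to_fetch, to_drop = plan_sync(state, uidvalidity, server_uids)
        fetched = {}
        for uid in to_fetch:
            _, parts = conn.uid("FETCH", str(uid), "(RFC822)")
            fetched[uid] = parts[0][1]
        return apply_sync(state, uidvalidity, fetched, to_drop)
```

Run mirror_once from cron on the DMZ host; only port 993 from the DMZ host to Exchange needs to be opened, in that direction only.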

