Firewall Wizards mailing list archives

RE: Outlook Web Access - Paranoid?


From: "Matt Wilbur" <matt () efs org>
Date: Sat, 30 Nov 2002 11:39:58 -0800

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Mark L. Evans
Sent: Tuesday, November 26, 2002 10:01 AM
To: 'Firewall-Wizards (E-mail)
Subject: [fw-wiz] Outlook Web Access - Paranoid?

[snip]
We're trying to come up with the least dangerous method of allowing our
users to check their email on MS Exchange. We currently allow them to use
POP3 only. Our management would like to use Outlook Web Access. I have
followed the issue on several mailing lists. I know it's a bad idea to use
Exchange at all but management thinks I am too paranoid on this issue.

It seems the best method is a reverse proxy using squid on a DMZ machine and
then into the IIS server on the inside over SSL. What are your
opinions/suggestions on this issue? Do you have any other methods that are
more secure?


Mark,

If you just need to give end users access to email and email directory
services from the outside, why not use one of the many "webmail"
applications out there, all of which need far less access to your
internal networks?  You could plunk, for example, SquirrelMail out on a
DMZ system, allow port 143 (IMAP) and port 389 (LDAP) to an Exchange
server (proxy them if that's appropriate - oh, and enable them in the
Exchange server), and you'd be in business.  End-users would lose a
little bit of added "features" OWA would give them, but you'd mitigate
so many other issues it would most likely be worth it, even to the
"suits".

Regards,
Matt Wilbur

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
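
Added example (not part of the original post or thread): a Python check of a DMZ-to-inside ruleset against the policy described in the reply above, where the webmail host may reach the Exchange server on ports 143 (IMAP) and 389 (LDAP) and nothing else. The addresses, the rule format and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample addresses; not taken from the original post.
WEBMAIL = "192.0.2.10"     # webmail host on the DMZ
EXCHANGE = "10.0.0.25"     # Exchange server on the inside
OTHER_INSIDE = "10.0.0.30" # any other internal host
INTENDED = {(EXCHANGE, 143), (EXCHANGE, 389)}  # IMAP and LDAP only

# Constructed ruleset, first match wins: (action, src, dst, port); port None = any.
RULES = [
    ("allow", "192.0.2.10/32", "10.0.0.25/32", 143),
    ("allow", "192.0.2.10/32", "10.0.0.25/32", 389),
    ("allow", "192.0.2.0/24", "10.0.0.0/24", 445),  # leftover rule, broader than the policy
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def decide(rules, src, dst, port):
    """Evaluate one flow with first-match semantics; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rport in (None, port)):
            return action
    return "deny"

def excess_flows(rules, src, inside_hosts, ports):
    """Flows the ruleset allows from src that the policy does not intend."""
    return sorted((h, p) for h in inside_hosts for p in ports
                  if decide(rules, src, h, p) == "allow" and (h, p) not in INTENDED)

def missing_flows(rules, src):
    """Intended flows the ruleset fails to allow (webmail would break)."""
    return sorted(f for f in INTENDED if decide(rules, src, *f) != "allow")

# Ports probed: SMTP, HTTP, RPC endpoint mapper, IMAP, LDAP, HTTPS, SMB.
PROBE_PORTS = [25, 80, 135, 143, 389, 443, 445]

if __name__ == "__main__":
    hosts = [EXCHANGE, OTHER_INSIDE]
    print("excess:", excess_flows(RULES, WEBMAIL, hosts, PROBE_PORTS))
    print("missing:", missing_flows(RULES, WEBMAIL))
```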

