Firewall Wizards mailing list archives
Re: PIX -> ISA -> OWA Configuration
From: Jason Gomes <greyline () phreaker net>
Date: Mon, 02 May 2005 19:59:06 -1000
Definitely? Under #1 it seems like something as simple as a directory traversal attack against IIS/OWA that manages to get through ISA leaves your entire internal network exposed. Under #2 it appears to me that an attacker would need at the very least a second exploit to gain further access to the trusted network.
Paul Melson wrote:
#1, definitely. The whole reason to use ISA proxy with a front-end/back-end OWA setup is to reduce the amount of holes that must be punched in the firewall. Since the OWA server must be a member of the domain, it requires an exhaustive list of ports be open between itself and the Exchange server as well as at least one domain controller. With the ISA proxy, it's 443 in, 443 out (or 80 out if you don't want/need to encrypt the traffic between the ISA and OWA servers).

PaulM

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Jason Gomes
Sent: Sunday, May 01, 2005 2:14 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX -> ISA -> OWA Configuration

What is the preferred placement for an OWA front-end server given these two possible network configurations and why?

1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]

2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]

Notes:
The ISA server is performing a reverse proxy for HTTPS connections.
In #1, the backend firewall will only allow port 443 through to OWA.
In #2, all ports required for OWA to communicate with the internal exchange server are allowed.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards