Firewall Wizards mailing list archives
RE: PIX -> ISA -> OWA Configuration
From: "Thomas W Shinder" <tshinder () tacteam net>
Date: Tue, 3 May 2005 09:14:48 -0500
And how precisely is the PIX going to prevent a directory traversal? Also, with an ISA firewall interprosed, how could a directory traversal attack be possible? Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Jason Gomes Sent: Tuesday, May 03, 2005 12:59 AM To: Paul Melson Cc: firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration Definitely? Under #1 it seems like something as simple as a directory traversal attack against IIS/OWA that manages to get through ISA leaves your entire internal network exposed. Under #2 it appears to me that an attacker would need at the very least a second exploit to gain further access to the trusted network. Paul Melson wrote:
#1, definitely. The whole reason to use ISA proxy with a
front-end/back-end
OWA setup is to reduce the amount of holes that must be punched in the firewall. Since the OWA server must be a member of the domain, it
requires
an exhaustive list of ports be open between itself and the Exchange
server
as well as at least one domain controller. With the ISA proxy, it's
443 in,
443 out (or 80 out if you don't want/need to encrypt the traffic
between the
ISA and OWA servers). PaulM -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Jason
Gomes
Sent: Sunday, May 01, 2005 2:14 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] PIX -> ISA -> OWA Configuration What is the preferred placement for a OWA front-end server given these
two
possible network configurations and why? 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
<==>
[OWA] <==> [Internal Net w/Exchange Svr] 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
[PIX
Firewall] <==> [Internal Net w/Exchange Svr] Notes: The ISA server is performing a reverse proxy for HTTPS connections. In #1, the backend firewall will only allow port 443 through to OWA. In #2, all ports required for OWA to communicate with the internal
exchange
server is allowed. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: PIX -> ISA -> OWA Configuration, (continued)
- RE: PIX -> ISA -> OWA Configuration Ben Nagy (May 05)
- RE: PIX -> ISA -> OWA Configuration Sanford Reed (May 05)
- RE: PIX -> ISA -> OWA Configuration Mark Tinberg (May 05)
- RE: PIX -> ISA -> OWA Configuration Paul Melson (May 02)
- Re: PIX -> ISA -> OWA Configuration Danny (May 05)
- Re: PIX -> ISA -> OWA Configuration Jason Gomes (May 03)
- RE: PIX -> ISA -> OWA Configuration Paul Melson (May 03)
- Re: PIX -> ISA -> OWA Configuration Kevin (May 05)
- Re: PIX -> ISA -> OWA Configuration Jason Gomes (May 05)
- RE: PIX -> ISA -> OWA Configuration Frank Knobbe (May 05)
- RE: PIX -> ISA -> OWA Configuration Paul Melson (May 03)
- RE: PIX -> ISA -> OWA Configuration Paul Melson (May 05)
- Re: PIX -> ISA -> OWA Configuration Michael Brown (May 08)
- RE: PIX -> ISA -> OWA Configuration Mark Tinberg (May 08)
- Re: PIX -> ISA -> OWA Configuration Victor Williams (May 08)
- Re: PIX -> ISA -> OWA Configuration Chris Blask (May 12)