Firewall Wizards mailing list archives
RE: Single Exchange/OWA on LAN with Internet Access - a good
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 17 Nov 2005 14:35:01 -0500
-----Original Message-----
Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

Hi Stig,

The front-end/back-end Exchange Server topology was *never* about security, it was about load balancing and routing. You can put the FE Exchange Server in an authenticated access DMZ, as I've done many times, but there's no point to putting the FE Exchange Server in an anonymous access DMZ.
-----Original Message-----
Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

My concern is that with the next OWA vulnerability someone will own the server in the DMZ through a single exploit. However, I cannot find anything that suggests that the front end server solution is really any more secure. Yeah it's another hop but it would be an easy one as soon as the front end server is compromised.
I agree w/ Dr. Tom on this. The kind of stuff you have to open between internal Exchange servers and AD domain controllers and the front-end OWA server makes the DMZ almost pointless. You expose your internal network so much to the OWA front-end that if it's broken into, the other servers will fall quickly thereafter.

A better solution, in my opinion (and I must say, I am surprised that Tom doesn't mention this) is to put ISA Server in the DMZ as a reverse proxy. At least this way you can offload SSL and authentication to the ISA Server in the DMZ and only open up 1 or 2 ports from it to the internal network. The other advantage is that you can use ISA Server's web publishing rules to restrict access to the OWA server's IIS instance to only the OWA application, greatly reducing the attack surface of the OWA server. (If you do this, it is worth noting that the default URLScan rules will break OWA 2003.)

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
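The "publish only the OWA application" idea from the reply above, as an added example that is not part of the thread and not ISA Server's own rule format: a reverse-proxy admission check that allowlists the OWA 2003 virtual directories and the verbs the client needs. The path prefixes are the OWA 2003 virtual directories; the WebDAV verb subset and the GET/HEAD/POST-only "strict" profile (standing in for a default URLScan-style policy) are assumptions for illustration.

```python
# Added example: a reverse-proxy admission check that publishes only the
# OWA application. Not ISA Server code; verb sets below are assumptions.
from typing import NamedTuple
from urllib.parse import unquote, urlsplit

# OWA 2003 virtual directories; everything else on the IIS box stays hidden.
OWA_PATH_PREFIXES = ("/exchange", "/exchweb", "/public")

# A strict default profile (assumption, modelled on URLScan-style defaults).
STRICT_VERBS = frozenset({"GET", "HEAD", "POST"})
# WebDAV verbs the OWA 2003 client relies on (assumption: illustrative subset).
# Publishing only STRICT_VERBS is what "breaks OWA 2003" looks like in practice.
OWA_VERBS = STRICT_VERBS | {"PROPFIND", "SEARCH", "BPROPPATCH", "SUBSCRIBE", "POLL"}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def normalize_path(raw_url: str) -> str:
    """Decode the path and collapse '.' and '..' segments so a prefix
    comparison sees the path IIS would actually resolve."""
    parts: list[str] = []
    for seg in unquote(urlsplit(raw_url).path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def admit(method: str, raw_url: str, verbs: frozenset = OWA_VERBS) -> Decision:
    """Decide whether the proxy forwards a request to the internal OWA server."""
    verb = method.upper()
    if verb not in verbs:
        return Decision(False, f"verb {verb} is not published")
    path = normalize_path(raw_url)
    for prefix in OWA_PATH_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return Decision(True, f"published path {prefix}")
    return Decision(False, f"path {path} is not part of the OWA application")


if __name__ == "__main__":
    # Constructed sample requests: a mailbox folder, a WebDAV poll, a stray path.
    for m, u in [("GET", "/exchange/jdoe/Inbox/"), ("PROPFIND", "/exchange/jdoe/"),
                 ("GET", "/scripts/"), ("GET", "/exchange/./jdoe/../Inbox/")]:
        print(m, u, admit(m, u), admit(m, u, STRICT_VERBS))
```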