Single Server EAS/OWA and security

  • Single Server EAS/OWA and security

    We are a 50 employee company. We would like to roll out Exchange ActiveSync for our mobile phone users. My concern is that without a FE/BE setup of Exchange we are exposing ourselves to a good risk by running IIS on the same box as Exchange. Maybe I'm still gun-shy from the CodeRed/Nimda days. Also, from what I understand, I cannot selectively take out OWA and just have Exchange ActiveSync; I have to open and expose it all. Correct?

    Currently I have configured OWA with a 3rd party cert. I opened port 443 to test that OWA answered securely and then shut the port back up. I have a Sonicwall 2040pro with the Intrusion Prevention Service addon which does have some IIS signatures that it will scan and block (they look like mostly IIS5 exploits).

    I have seen some people simply just poke a hole open to their SSL port on their exchange box and call it good. Is this a commonly accepted security practice? Can I offer EAS without opening OWA to the internet? I have heard that with all the ports open that the FE box needs to talk to the BE box that it isn't really worth it for our size and load.

    Thanks guys in advance. Just looking to sort of bounce these ideas off from my head.

  • #2
    Re: Single Server EAS/OWA and security

    Frontend servers have nothing to do with the security of Exchange.
    Whether you are using a frontend or not, the security risks are the same.
    You are confusing a frontend server with an ISA server. ISA is designed to secure a deployment of OWA, EAS, OMA and RPC over HTTPS (along with other non-Exchange things).

    Personally, I am quite happy to open port 443 and 25 to the internet on Exchange servers. The combo of IIS6 and Exchange 2003 has not been compromised yet - all attacks have been down to poor password policy or another third party tool on the server.
    Use a commercial certificate, ensure that the users have to select a secure password. Secure the server in the usual manner - Microsoft have documentation on how to secure an Exchange server for internet use.

    If you have a product that can do scanning, then that is good, but do ensure that it is up to date and can cope with Exchange. Exchange does some special stuff with IIS, particularly with EAS and RPC over HTTPS which can confuse products expecting pure http/https traffic.

    Simon Butler
    Exchange MVP

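The answer above puts the real exposure on weak passwords rather than on IIS itself, so the check a practitioner would want is one that spots repeated failed logons against the published Exchange virtual directories. The following is an added example, not code from the thread or from Microsoft: it parses IIS 6 W3C extended log lines (the sample entries are constructed) and counts HTTP 401 responses per client IP on the OWA and ActiveSync paths; the path list and threshold are assumptions to tune for your own traffic.

```python
# Added example (not from the thread): flag repeated HTTP 401s against the OWA and
# ActiveSync virtual directories in IIS 6 W3C extended logs. Log lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-03-01 00:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ABC 443 - 203.0.113.9 MSFT-PPC/4.5 401 2 2148074254
2007-03-01 00:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ABC 443 - 203.0.113.9 MSFT-PPC/4.5 401 2 2148074254
2007-03-01 00:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ABC 443 - 203.0.113.9 MSFT-PPC/4.5 401 2 2148074254
2007-03-01 00:00:04 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ABC 443 - 203.0.113.9 MSFT-PPC/4.5 401 2 2148074254
2007-03-01 00:00:05 10.0.0.5 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 2 2148074254
2007-03-01 00:00:06 10.0.0.5 GET /exchange/ - 443 CORP\\asmith 198.51.100.7 Mozilla/4.0 200 0 0
2007-03-01 00:00:07 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=bjones&DeviceId=XYZ 443 CORP\\bjones 192.0.2.44 MSFT-PPC/4.5 200 0 0
"""

# Virtual directories Exchange 2003 publishes through IIS (assumed list; adjust to your server).
EXPOSED_PATHS = ("/microsoft-server-activesync", "/exchange", "/exchweb", "/public", "/oma")

def parse_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # W3C logs are space-delimited; '-' marks an empty field
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def failed_auth_by_client(text, paths=EXPOSED_PATHS):
    """Count 401 responses per client IP on the published Exchange paths."""
    counts = defaultdict(int)
    for entry in parse_w3c(text):
        stem = entry["cs-uri-stem"].lower()
        if entry["sc-status"] == "401" and stem.startswith(paths):
            counts[entry["c-ip"]] += 1
    return dict(counts)

def suspicious_clients(text, threshold=3):
    """Client IPs at or above the threshold. One 401 per session is the normal
    challenge before credentials are sent, so only repeats are interesting."""
    return sorted(ip for ip, n in failed_auth_by_client(text).items() if n >= threshold)

if __name__ == "__main__":
    print(failed_auth_by_client(SAMPLE_LOG))
    print(suspicious_clients(SAMPLE_LOG))
```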


    • #3
      Re: Single Server EAS/OWA and security

      Thanks Sembee, your response is greatly appreciated as I hold your opinion on matters of Exchange in high regard.