Exchange 2003 - OWA Setup


  • Exchange 2003 - OWA Setup

    Hi Guys

    I'm looking for some clarification or a sanity check.

    I've come across this setup on a new client site. They have an Exchange 2003 cluster (2 node) on their LAN, then they have an OWA front-end in their DMZ, but what I discovered alarmed me. (Do I really see this?)

    The OWA server has two NICs, one called LAN Nic and one called DMZ nic. Non-secure (HTTP) traffic is permitted from the internet to the DMZ NIC to allow a non-secure connection for OWA/OMA. (Obviously needs to be reconfigured to HTTPS.)

    Am I correct in thinking that, because the two NICs reside on the one box, if the DMZ NIC is compromised then the attacker has full access to the LAN as well, as there is no router or software, as far as I can see, regulating traffic between the two NICs on the one server?

    Shouldn't the OWA front-end server just have one DMZ NIC, and any interaction between the LAN and DMZ be governed by the Cisco router and appropriate traffic rules?

    Thanks in advance

  • #2
    Re: Exchange 2003 - OWA Setup

    To be honest, there are no good reasons for putting an Exchange server in a DMZ. Doesn't matter how you configure it, compromise the frontend server and you can walk straight in, one or two NICs, doesn't really matter.

    Two solutions:

    1. Bring the frontend server inside or build a new one fresh inside, then open 443/25 ONLY on the firewall.
    2. Bring the frontend server inside or build a new one fresh inside (notice the pattern here), and publish OWA with a reverse proxy like ISA/TMG.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
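
One way to check a firewall rule set against the "443/25 ONLY" advice in the reply above, as an added example that is not part of the original thread. It audits a constructed ACL written in a simplified subset of Cisco extended ACL syntax; the addresses, ACL number and function names are assumptions, and it ignores rule ordering, flagging every permit that reaches the front end.

```python
import ipaddress

ALLOWED_TCP = {25, 443}                # the "443/25 ONLY" policy from the reply
FRONTEND = "192.0.2.10"                # assumed front-end address (documentation range)
NAMED_PORTS = {"smtp": 25, "www": 80}  # IOS port keywords used in the sample

SAMPLE_ACL = """\
access-list 110 permit tcp any host 192.0.2.10 eq 443
access-list 110 permit tcp any host 192.0.2.10 eq smtp
access-list 110 permit tcp any host 192.0.2.10 eq www
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 range 1024 65535
access-list 110 permit ip any host 192.0.2.10
access-list 110 permit tcp any host 192.0.2.20 eq 3389
access-list 110 deny ip any any
"""  # constructed sample in a simplified subset of Cisco extended ACL syntax

def pop_match(tok, ip):
    # Pop 'any' | 'host A' | 'A WILDCARD' from tok; True if that spec covers ip.
    first = tok.pop(0)
    if first == "any":
        return True
    base, wild = (tok.pop(0), "0.0.0.0") if first == "host" else (first, tok.pop(0))
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (base, ip, wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0   # wildcard 1 bits are "don't care"

def port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def audit(acl_text, frontend=FRONTEND, allowed=ALLOWED_TCP):
    """Return (line, reason) for each permit reaching the front end beyond policy."""
    findings = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        proto, rest = tok[3], tok[4:]
        pop_match(rest, frontend)             # source spec: consumed, not checked
        if not pop_match(rest, frontend):     # destination does not cover the front end
            continue
        ports = None                          # stays None for ip/udp, no port match, gt/lt/neq
        if proto == "tcp" and rest[:1] == ["eq"]:
            ports = range(port(rest[1]), port(rest[1]) + 1)
        elif proto == "tcp" and rest[:1] == ["range"]:
            ports = range(port(rest[1]), port(rest[2]) + 1)
        if ports is None:
            findings.append((line, "not restricted to listed TCP ports"))
        elif any(p not in allowed for p in ports):
            findings.append((line, f"tcp {ports[0]}-{ports[-1]}"))
    return findings
```

Calling `audit(SAMPLE_ACL)` returns the port 80 rule, the high-port range and the `permit ip` rule; the 443 and smtp rules pass, and the rule for the other host is out of scope.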



    • #3
      Re: Exchange 2003 - OWA Setup

      Thanks Simon

      It's Exchange 2003. Is it not more secure using a DMZ? Port 443 is the only open port being passed to the front end since I fixed the SSL. I closed off port 80. OWA/OMA traffic only passes through port 443.

      At least if the front end somehow gets compromised, it's buffered in a DMZ, no?

      Is it not best practice to have the back end hosting the Info Stores and the front end hosting public SMTP and OWA/OMA, and both zones firewalled?



      • #4
        Re: Exchange 2003 - OWA Setup

        Had a good read of this and I see where you're coming from:

        http://tigermatt.wordpress.com/2009/...ge-server-dmz/



        • #5
          Re: Exchange 2003 - OWA Setup

          So I see if I use a Vamsoft VM or hosted spam service locked to my IP, that hardens port 25, but could you explain a little more about how secure it is opening up port 443 and forwarding it to my Exchange FE on my private LAN? Sorry if this sounds like a stupid question, just need a sanity check!

          Thanks Simon
          Last edited by Senan; 12th September 2012, 22:19.



          • #6
            Re: Exchange 2003 - OWA Setup

            Secure? It is more secure than putting it in a DMZ. Single port only.

            http://blog.sembee.co.uk/post/Why-yo...-in-a-DMZ.aspx

            Explains more.

            Simon.