Exchange Server Forums
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
OWA Access
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
 Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM
|
|
TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!
|
OWA Access - 17.Jul.2007 3:31:44 PM
|
|
|
elvecio
Posts: 1
Joined: 16.Feb.2005
From: Brazil
Status: offline
|
Hi people,
I have following doubt about OWA security:
How is the OWA access from Internet? Is it possible to put the Client Access in the DMZ perimeter or the only way is to open same ports from internet - LAN to the Client Access Server?
Thanks a lot.
Elvecio
|
|
|
|
|
RE: OWA Access - 17.Jul.2007 3:49:06 PM
|
|
|
John Weber
Posts: 588
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
|
Depending on your security requirements...
MS recommended best practice is to publish OWA via a proxy server (no surprise that they recommend ISA).
I have numerous clients using nothing but 443 through the firewall and SSL on the CAS (FE for e2k3). Works great, less filling.
If you place a CAS role in the DMZ, you are going to have a hole the size of a large truck leading from the DMZ into your AD. Do you really want that risk? Either way, the risk is there, one port or 30 ports.
Ergo, you must choose based on your organizations security policy.
-John
quote:
ORIGINAL: elvecio
Hi people,
I have following doubt about OWA security:
How is the OWA access from Internet? Is it possible to put the Client Access in the DMZ perimeter or the only way is to open same ports from internet - LAN to the Client Access Server?
Thanks a lot.
Elvecio
|
|
|
|
|
RE: OWA Access - 18.Jul.2007 2:06:52 AM
|
|
|
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
|
I would seriously consider having a firewall in the DMZ capable of pre-authenticating users before they are proxied to the CAS. If you don't it means unauthenticated users will be able to establish an SSL session directly to the CAS server on your internal network, which I would consider a major security risk.
_____________________________
HTH
Henrik Walther
Exchange MVP | MCM: Exchange 2007
MCITP: EMA, MCITP: EA, MCSE: M+S
Order my Exchange Server 2007 Book!
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
