Exchange Server Forums
Secure OWA - some questions
Secure OWA - some questions - 14.May2008 11:30:31 AM
dmacx
Posts: 13
Joined: 9.May2008
Status: offline
Sorry (nice job for a first post...) I saw the "security" heading, posted my question here, and NOW see that this is for Exchange 2003. I'm aiming to implement 2007. I'm starting to learn Exchange (2007 SP1) and have some security questions:

Question 1

I'm planning on having mail received via SMTP filtered by a third party with its 5 different AV scanning engines and antispam. This filtered mail will then be forwarded to an external port on our firewall which, in turn, will forward it to the Exchange server. In our scenario, due to budget constraints, we are hoping to avoid the cost of an additional "front-end" server outside the firewall. I'm not too concerned about SMTP traffic, since I would filter IP addresses, accepting only packets from the pre-filtering company's IP range. But what about OWA? It looks like I would have to open another port on the firewall (443 and maybe 80) to allow traffic from anywhere to our Exchange server, since we can't determine beforehand from what location and thus with what IP our users will attempt to access their email with OWA. How bad is it NOT to have an Edge Server or perhaps ISA "publish" (I believe that's the term) OWA outside the firewall and then apparently relay the connections to the Exchange server behind the firewall? Besides possibly scanning mail for viruses BEFORE they reach the internal Exchange server, what advantage would that have as far as security goes?

Question 2

Ideally, OWA connections would be secured with mutual authentication by SSL certificates. In other words, clients couldn't connect to the server unless authenticated. But that's not feasible. Would users carry their certificate around with them on a flash drive? So it looks like I'll have to settle for server authentication only. That too would require certificate distribution for things to function optimally (not being constantly prompted to decide if you want to accept the server certificate that the client does not trust).

Client side, that means users will access their mailbox by password. How can I prevent password attacks against the mail server? Does the normal domain pwd policy still govern this? What if an attacker determined the password of a (non-administrative) user? They would have access to that user's email, which would be bad enough, but would that compromise the Exchange server as a whole? I'm assuming "fully-patched Exchange server", otherwise I suppose all bets would be off.
< Message edited by dmacx -- 14.May2008 11:34:06 AM >
RE: Secure OWA - some questions - 14.May2008 11:50:08 AM
mark@mvps.org
Posts: 6811
Joined: 9.Jun.2004
From: Philadelphia PA
Status: offline
1. With Exchange 2007 you can't have an "FE" (it's actually called a CAS now) outside the internal network. If you want something like that you need to implement a reverse caching proxy such as ISA 2006.

2. An EDGE has got NOTHING!!! whatsoever to do with client access. You publish 443 ONLY to your CAS. If you use ISA then you publish 443 to that and then follow the guides at www.isaserver.org to present OWA. Solid and secure.

3. An administrative user does not, by default, have access to anyone's email other than his own. If you choose to break that model by granting a user account too many access rights or grant the BlackBerry Server account (whatever, it doesn't matter the specifics) then you restrict where that account can log on from (i.e. the BES server and nowhere else etc.). Implementing FBA on the CAS or on the ISA, or SecureID (tokens/sw/whatever) on an ISA, you meet all the security you need. If you want people to cart certs around with them you can do that. Again, ISA is the best solution for this.

All this sounds like you have some pretty fundamental access questions and I'd encourage you to gain some input from a paid consultant because, although you're only asking Exchange questions right now, someone is going to want access to applications X, Y and Z at some time and you don't want to have to re-invent the wheel each time.
_____________________________
Mark Arnold (Exchange MVP) List Moderator
RE: Secure OWA - some questions - 14.May2008 1:50:55 PM
dmacx
Posts: 13
Joined: 9.May2008
Status: offline
quote: "although you're only asking Exchange questions right now, someone is going to want access to applications X, Y and Z at some time and you don't want to have to re-invent the wheel each time."

Until now, very few of our users require outside access, which is offered through a VPN. VPN might be a solution for Exchange (connect to LAN first) but running around with certs would still be a problem. Pre-shared key would be worse. I'll take a look at the ISA link but, in a word or two, I'm curious to know by what mechanism it secures access to the Exchange server? For example, what does it offer me as far as authentication goes? Against what would it authenticate (if not certificates? - same old problem).

Otherwise, as far as passwords go, does Exchange, being integrated with Active Directory, govern access by password using the lockout policy established for the domain as a whole, or is some other mechanism playing a role here? I'd just as well not have to deal with the Edge Server and ADAM or AD LDS as it's now called in W2K8 I believe. Not needing a second server outside the firewall would be great, I just don't want to sacrifice too much security in my effort to simplify things.

Maybe this would be a way to ask the question: On a scale of 1 to 10, how secure would an Exchange server, placed behind a firewall, regularly patched and firewalled itself (W2K8), and only accessible via ports 25, 80 and 443... be? Also traffic on port 25 only arriving from the IPs of the pre-filtering company. On a scale of 1 to 10, how secure would it be with ISA regulating OWA access in addition to the above?
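The controls that come up across this thread (SMTP accepted only from the pre-filter's IP range, 443 published only to the CAS, forms-based authentication on OWA, the domain lockout policy, a service account such as the BES account restricted to logging on from one server, and a check that no ordinary account has been granted rights to other people's mailboxes) can all be set or verified from the Exchange Management Shell on the CAS/Hub box. The script below is an added example, not code from either poster or from Microsoft's documentation; it assumes a single Exchange 2007 SP1 server on Windows Server 2008, a pre-filter range of 203.0.113.0/24 (a constructed documentation range), the default "owa (Default Web Site)" virtual directory, a receive connector named "Default EXCH01", and a hypothetical service account svc-bes that should only log on from a server named BES01.

```powershell
# Added example for the thread above (not the posters' code). Run in the Exchange
# Management Shell as an Exchange and local administrator on the CAS/Hub server.
# Values below are constructed assumptions: adjust the IP range, connector name,
# OU path and host names to your own environment.
$PreFilterRange   = "203.0.113.0/24"          # constructed: the filtering company's range
$ReceiveConnector = "Default EXCH01"          # assumption: default receive connector name
$OwaVdir          = "owa (Default Web Site)"  # Exchange 2007 default OWA virtual directory
$ServiceAccountDN = "LDAP://CN=svc-bes,OU=Service Accounts,DC=example,DC=com"  # hypothetical
$ServiceAccountHost = "BES01"                 # hypothetical: the only host it may log on from

# 1. Host firewall: inbound 25 only from the pre-filter range, 443 from anywhere,
#    and nothing for 80 (OWA is served over HTTPS only, so 80 stays closed).
netsh advfirewall firewall add rule name="SMTP from pre-filter only" dir=in action=allow `
    protocol=TCP localport=25 remoteip=$PreFilterRange
netsh advfirewall firewall add rule name="OWA HTTPS" dir=in action=allow `
    protocol=TCP localport=443

# 2. Exchange-side defence in depth: the receive connector itself only talks to the
#    pre-filter range, so a firewall misconfiguration alone does not expose port 25.
Set-ReceiveConnector -Identity $ReceiveConnector -RemoteIPRanges $PreFilterRange

# 3. OWA authentication on the CAS: forms-based auth (the FBA the reply mentions),
#    with Basic and Integrated Windows auth turned off on the OWA directory.
Set-OwaVirtualDirectory -Identity $OwaVdir -FormsAuthentication $true `
    -BasicAuthentication $false -WindowsAuthentication $false

# 4. Password attacks: OWA authenticates against Active Directory, so the domain
#    lockout policy is what limits online guessing. Show the effective policy and
#    flag a lockout threshold of 0, which means "never lock out".
$accounts = net accounts /domain
$accounts
if ($accounts -match "Lockout threshold:\s+Never") {
    Write-Warning "Domain lockout threshold is 'Never': OWA passwords can be guessed without limit."
}

# 5. A service account that has been granted mailbox access (the BES example) should
#    only be usable from its own server. userWorkstations is the AD attribute behind
#    the 'Log On To' button in Active Directory Users and Computers.
$svc = [ADSI]$ServiceAccountDN
$svc.Put("userWorkstations", $ServiceAccountHost)
$svc.SetInfo()

# 6. Find any explicit (non-inherited) full-access grant on a mailbox to someone other
#    than the mailbox owner. By default this list should be empty or contain only the
#    service accounts you deliberately granted, which is the model the reply describes.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\SELF" -and
        $_.AccessRights -contains "FullAccess"
    } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize
```

Step 6 is the one to repeat periodically: a compromised non-administrative password gives the attacker exactly the rights that user holds, so the goal is that an ordinary user's rights end at their own mailbox, and this query shows where that is not the case. Step 4 answers the lockout question in the thread's own terms: nothing in Exchange adds a separate password policy for OWA, so the domain's threshold, observation window and duration are what apply.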