RE: [FW1] Outlook Web Access - Best practice with FW-1



What rules are necessary to ensure that the OWA server can securely access
the Exchange server? Just the open ports pre-defined in the ExchSv registry?

Thanks for all the input.

- CQ

-----Original Message-----
From: Perbix Michael [mailto:[email protected]]
Sent: Thursday, January 18, 2001 12:41 PM
To: '[email protected]'
Subject: RE: [FW1] Outlook Web Access - Best practice with FW-1


We have OWA running on our internet relay box which is in the DMZ.  I would
have to check which ports I have open to that box, definitely port 80.  It
works great for us.  All the exchange servers are behind the firewall and
users access them directly via Outlook from inside the net.  They also can
use POP or IMAP via static nats as well.  But that is very underutilized and
only was an option because of our previous mail situation and the need for
some "cross over" training and time.  We only have 2 servers in the DMZ, a
public web server and the internet (OWA) mail relay box.

    -Mike

> ----------
> From: 	[email protected]
> Sent: 	Thursday, January 18, 2001 10:30 AM
> To: 	[email protected]
> Subject: 	RE: [FW1] Outlook Web Access - Best practice with FW-1
> 
> 
> I'm currently debating the same setup.
> 
> What I've noted so far is that:
> 
> - The OWA server is in the DMZ, while the Exchange server should stay on
> the LAN.
> - There's a registry edit in Exchsv 5.5 that lets you specify the range of
> random ports that it will connect to the OWA server with (or moreover,
> allow incoming SMTP).
> - Open those ports up between the OWA DMZ and the LAN, and only allow
> traffic from a static-NATted address given to the OWA server to the
> address of the Exchange server on the LAN. I use 172.16.x.x here, so the
> address would be the "real" address of my OWA server -> the NAT address of
> the OWA server -> the 172.16.x.x address of the exchange server.
> 
> If OWA is on a networked subnet, wouldn't it have to sit on the LAN? In
> which case you'd be allowing port 80 directly in, right?
> 
> My .2c...
> 
> - C
> 
> 
> -----Original Message-----
> From: Adams, Gavin [mailto:[email protected]]
> Sent: Thursday, January 18, 2001 9:54 AM
> To: Adrian Wilson; [email protected]
> Subject: RE: [FW1] Outlook Web Access - Best practice with FW-1
> 
> 
> 
> Some thoughts:
> 
> 1) Stick the OWA server onto a screened subnet
> 2) If running Exchange 2000, be prepared to open up Active Directory
> domain authentication between the OWA box (front-end) and the Exchange
> Server (back-end). As I understand it, Exchange 5.5 allows for a little
> better segregation between the front/back-end.
> 3) SSL the OWA box
> 4) If possible, drop a host-based IDS on the OWA box to check the IIS
> logs, system files etc. Network IDS for the screened subnet is even
> better.
> 
> These are just a few best practices specific to OWA.
> 
> HTH,
> 
> --- Gavin
> 
>  -----Original Message-----
> From: 	Adrian Wilson [mailto:[email protected]] 
> Sent:	Thursday, January 18, 2001 07:23
> To:	[email protected]
> Subject:	[FW1] Outlook Web Access - Best practice with FW-1
> 
> 
> I am intending to implement Outlook Web Access through to the Internet.
> I am concerned that the implementation should be as secure as possible and
> would like to gather information regarding best practice. Any help would be
> much appreciated.
> 
> Adrian J G Wilson
> VEGA Group PLC
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
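
Added example, not part of any message in this thread: a small Python audit of the DMZ-to-LAN rule described above (only the OWA server's static-NAT address may reach the Exchange server, and only on the ports pinned on the Exchange side). All addresses, the port range, the rule names and the Rule/audit helpers are constructed placeholders; TCP 135 for the RPC endpoint mapper is an assumption about the deployment.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: none of these addresses or ports come from the thread.
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("172.16.0.0/12")
OWA_NAT = ipaddress.ip_network("192.0.2.10/32")    # static-NAT address of the OWA host
EXCHANGE = ipaddress.ip_network("172.16.0.20/32")  # Exchange server on the LAN
# Assumed: TCP 135 (RPC endpoint mapper) plus the range pinned in the Exchange registry.
PINNED_PORTS = {135} | set(range(5000, 5003))

@dataclass
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    ports: str   # "443", "135,5000-5002" or "any"

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def _ports(spec):
    if spec == "any":
        return set(range(1, 65536))
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out |= set(range(int(lo), int(hi or lo) + 1))
    return out

def audit(rules):
    """Return (rule name, problem) pairs; every rule is treated as an accept rule."""
    findings = []
    for r in rules:
        src, dst = _net(r.src), _net(r.dst)
        if not (src.overlaps(DMZ) and dst.overlaps(LAN)):
            continue  # not a DMZ -> LAN path
        if not src.subnet_of(OWA_NAT):
            findings.append((r.name, "source is wider than the OWA NAT address"))
        if not dst.subnet_of(EXCHANGE):
            findings.append((r.name, "destination is wider than the Exchange server"))
        extra = _ports(r.ports) - PINNED_PORTS
        if extra:
            findings.append((r.name, f"{len(extra)} port(s) outside the pinned set"))
    return findings

SAMPLE_RULES = [  # constructed rule base
    Rule("internet-to-owa", "any", "192.0.2.10/32", "443"),
    Rule("owa-to-exchange", "192.0.2.10/32", "172.16.0.20/32", "135,5000-5002"),
    Rule("dmz-to-lan-legacy", "192.0.2.0/24", "172.16.0.0/12", "any"),
]
```

Running audit(SAMPLE_RULES) reports only the leftover broad rule; the tight OWA-to-Exchange rule and the Internet-facing rule produce no findings.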



 