RE: [fw-wiz] NTLM authentication from DMZ
From: Steffen Kluge (kluge@fujitsu.com.au)
Date: 09/25/02
- Next message: Paul D. Robertson: "RE: [fw-wiz] NTLM authentication from DMZ"
- Previous message: manatworkyes moderator: "RE: [fw-wiz] Query regarding Cisco Router"
- In reply to: Reckhard, Tobias: "RE: [fw-wiz] NTLM authentication from DMZ"
- Next in thread: Paul D. Robertson: "RE: [fw-wiz] NTLM authentication from DMZ"
- Reply: Paul D. Robertson: "RE: [fw-wiz] NTLM authentication from DMZ"
From: Steffen Kluge <kluge@fujitsu.com.au> To: firewall-wizards@honor.icsalabs.com Date: Wed Sep 25 08:22:01 2002
On Mon, 2002-09-23 at 18:20, Reckhard, Tobias wrote:
> Mikael Olsson wrote:
> > My first recommendation would probably be: stick something in front
> > of the OWA box that does SSL and authentication. If someone gets to
> > the OWA box, it's more or less game over; if nothing else because
> > of all the sensitive stuff that is usually available in people's
> > inboxes, public folders, etc etc.
>
> Heh, that's exactly what I'm about to have to implement here. I'm planning
> to use Apache+mod_proxy+mod_ssl and RSA SecurID in front of an OWA server.
> Does anyone by chance have any pointers to hints on how to set up such a
> baby?
That's what I had planned at first, too, but it seemed too big and complex
for a simple task. I ended up putting the Exchange and OWA boxes on the
internal network, and a simple reverse proxy that can also act as SSL
wrapper onto the DMZ. Authentication is done by OWA. The firewall allows
only 443/tcp from Internet to reverse proxy, and 80/tcp from reverse
proxy to OWA. The proxy software I'm using is pound. Still beta and with
some stability issues but very promising.
Cheers
Steffen.
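
The firewall policy described in the message above (only 443/tcp from the Internet to the reverse proxy, and only 80/tcp from the reverse proxy to OWA) can be checked against an exported rule list. The following is an added example, not part of the original post: the addresses, the `allow SRC DST PROTO PORT` rule format and all function names are assumptions made for illustration, and a default-deny firewall is assumed.

```python
from ipaddress import ip_network

# Placeholder addressing, assumed for illustration (the post gives none).
ANY = ip_network("0.0.0.0/0")
PROXY = ip_network("192.0.2.10/32")   # reverse proxy / SSL wrapper on the DMZ
OWA = ip_network("10.0.0.20/32")      # OWA box on the internal network

# The only two flows the post's firewall permits: (src, dst, proto, port).
INTENDED = [(ANY, PROXY, "tcp", "443"), (PROXY, OWA, "tcp", "80")]

def parse(line):
    """Parse 'allow SRC DST PROTO PORT' (constructed format; PORT may be 'any')."""
    action, src, dst, proto, port = line.split()
    return action, ip_network(src), ip_network(dst), proto, port

def within(rule, flow):
    """True if the rule permits nothing outside the intended flow."""
    _, src, dst, proto, port = rule
    return (src.subnet_of(flow[0]) and dst.subnet_of(flow[1])
            and proto == flow[2] and port == flow[3])

def covers(rule, flow):
    """True if the rule permits all of the intended flow."""
    _, src, dst, proto, port = rule
    return (flow[0].subnet_of(src) and flow[1].subnet_of(dst)
            and proto == flow[2] and port in (flow[3], "any"))

def audit(lines):
    """Return (excess allow rules, intended flows no rule covers)."""
    allows = [(l, parse(l)) for l in lines if l.split()[:1] == ["allow"]]
    excess = [l for l, r in allows if not any(within(r, f) for f in INTENDED)]
    missing = [f for f in INTENDED if not any(covers(r, f) for _, r in allows)]
    return excess, missing

# Constructed rule sets: the policy as described, and a drifted copy.
AS_DESCRIBED = ["allow 0.0.0.0/0 192.0.2.10/32 tcp 443",
                "allow 192.0.2.10/32 10.0.0.20/32 tcp 80"]
DRIFTED = AS_DESCRIBED + ["allow 192.0.2.10/32 10.0.0.0/24 tcp any",
                          "allow 0.0.0.0/0 10.0.0.20/32 tcp 443"]

if __name__ == "__main__":
    for name, rules in (("as described", AS_DESCRIBED), ("drifted", DRIFTED)):
        excess, missing = audit(rules)
        print(name, "-> excess:", excess, "missing:", len(missing))
```

The drifted set shows the two changes that would undo the layout: a rule letting the DMZ proxy reach more of the internal network than OWA on port 80, and a rule exposing OWA directly to the Internet.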