[fw-wiz] Outlook Web Access - Paranoid?

From: Mark L. Evans (MEvans@CO.SLC.UT.US)
Date: 11/26/02

From: "Mark L. Evans" <MEvans@CO.SLC.UT.US>
To: "'Firewall-Wizards (E-mail)" <firewall-wizards@honor.icsalabs.com>
Date: Tue Nov 26 16:14:00 2002

I have really enjoyed the excellent information I've gleaned from this list
over the past few months. I'm in need of some help from the list members on
the issue of securing Outlook Web Access.

We're trying to come up with the least dangerous method of allowing our
users to check their email on MS Exchange. We currently allow them to use
POP3 only. Our management would like to use Outlook Web Access. I have
followed the issue on several mailing lists. I know it's a bad idea to use
Exchange at all but management thinks I am too paranoid on this issue.

It seems the best method is a reverse proxy using squid on a DMZ machine and
then into the IIS server on the inside over SSL. What are your
opinions/suggestions on this issue? Do you have any other methods that are
more secure?

Mark L. Evans - CISSP