RE: [fw-wiz] Outlook Web Access - Paranoid?

From: Symon Thurlow
Date: 11/26/02

From: "Symon Thurlow" <>
To: "'Firewall-Wizards (E-mail)" <>
Date: Tue Nov 26 16:40:03 2002

Well, you could have a multi-tiered approach, i.e. have 2 DMZ segments
(separate from each other) and have your reverse proxy exposed to the
Internet in one DMZ segment, then get your reverse proxy to talk to an
IIS (or front end EX2K server) in the other DMZ segment, which then
talks to your Exchange server internally (all through your Firewall(s)).

This means that the proxy has only 80 and 443 exposed to the web, your
IIS server only has 80 and 443 exposed to the proxy, and your Exchange
server(s)/Domain controller(s) only have their souls exposed to the IIS

It would be reasonably difficult for an intruder to get access to the
IIS server (IMHO).

OWA has excellent functionality, especially in EX2K; unfortunately, using
EX2K front end servers requires almost unlimited access to all your key
servers, and that just sucks.


-----Original Message-----
From: Mark L. Evans [mailto:MEvans@CO.SLC.UT.US]
Sent: 26 November 2002 18:01
To: 'Firewall-Wizards (E-mail)
Subject: [fw-wiz] Outlook Web Access - Paranoid?

I have really enjoyed the excellent information I've gleaned from this
list over the past few months. I'm in need of some help from the list
members on the issue of securing Outlook Web Access.

We're trying to come up with the least dangerous method of allowing our
users to check their email on MS Exchange. We currently allow them to
use POP3 only. Our management would like to use Outlook Web Access. I
have followed the issue on several mailing lists. I know it's a bad idea
to use Exchange at all but management thinks I am too paranoid on this

It seems the best method is a reverse proxy using squid on a DMZ machine
and then into the IIS server on the inside over SSL. What are your
opinions/suggestions on this issue? Do you have any other methods that
are more secure?

Mark L. Evans - CISSP
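
The tiered layout described in the reply above, modelled as a default-deny zone policy with an audit that flags any rule letting the Internet skip the proxy tier. This is an added example, not part of either message; the zone names are assumptions, and the constructed SHORTCUT ruleset exists only to show the audit firing.

```python
from collections import deque

# Zone names are assumptions for this sketch; the flows are the ones the message describes.
# Each rule: (source zone, destination zone, allowed TCP ports, or None for "any port").
TIERED = [
    ("internet", "dmz_proxy", {80, 443}),   # reverse proxy is the only Internet-facing host
    ("dmz_proxy", "dmz_iis", {80, 443}),    # IIS / front end accepts web traffic from the proxy only
    ("dmz_iis", "internal", None),          # front end to Exchange/DCs: broad access, per the message
]

def allowed(rules, src, dst, port):
    """Default deny: a flow passes only if some rule names it explicitly."""
    return any(s == src and d == dst and (ports is None or port in ports)
               for s, d, ports in rules)

def shortest_path(rules, start, target):
    """Breadth-first search over permitted zone-to-zone flows; returns the zone list or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for s, d, _ in rules:
            if s == path[-1] and d not in seen:
                seen.add(d)
                queue.append(path + [d])
    return None

def audit(rules):
    """Return findings where a ruleset departs from the tiered design."""
    findings = []
    for s, d, ports in rules:
        if s == "internet" and d != "dmz_proxy":
            findings.append(f"internet reaches {d} directly")
        if d in ("dmz_proxy", "dmz_iis") and (ports is None or ports - {80, 443}):
            findings.append(f"{s} -> {d} allows ports beyond 80/443")
    path = shortest_path(rules, "internet", "internal")
    if path and len(path) < 4:
        findings.append("internal reachable in fewer than three hops: " + " -> ".join(path))
    return findings

# Constructed counter-example: someone adds a shortcut from the Internet to the IIS tier.
SHORTCUT = TIERED + [("internet", "dmz_iis", {443})]

if __name__ == "__main__":
    print(shortest_path(TIERED, "internet", "internal"))
    print(audit(TIERED) or "tiered ruleset matches the design")
    for finding in audit(SHORTCUT):
        print("FINDING:", finding)
```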



