RE: [fw-wiz] Outlook Web Access - Paranoid?

From: Symon Thurlow (sthurlow@webvein.com)
Date: 11/26/02


From: "Symon Thurlow" <sthurlow@webvein.com>
To: "'Firewall-Wizards (E-mail)" <firewall-wizards@honor.icsalabs.com>
Date: Tue Nov 26 16:40:03 2002

Well, you could have a multi-tiered approach, i.e. have 2 DMZ segments
(separate from each other) and have your reverse proxy exposed to the
Internet in one DMZ segment, then get your reverse proxy to talk to an
IIS (or front end EX2K server) in the other DMZ segment, which then
talks to your Exchange server internally (all through your Firewall(s)).

This means that the proxy has only 80 and 443 exposed to the web, your
IIS server only has 80 and 443 exposed to the proxy, and your Exchange
server(s)/Domain controller(s) only have their souls exposed to the IIS
server.

It would be reasonably difficult for an intruder to get access to the
IIS server (IMHO).

OWA has excellent functionality, especially in EX2K. Unfortunately, using
EX2K front end servers requires almost unlimited access to all your key
servers, and that just sucks.

Symon

-----Original Message-----
From: Mark L. Evans [mailto:MEvans@CO.SLC.UT.US]
Sent: 26 November 2002 18:01
To: 'Firewall-Wizards (E-mail)
Subject: [fw-wiz] Outlook Web Access - Paranoid?

I have really enjoyed the excellent information I've gleaned from this
list over the past few months. I'm in need of some help from the list
members on the issue of securing Outlook Web Access.

We're trying to come up with the least dangerous method of allowing our
users to check their email on MS Exchange. We currently allow them to
use POP3 only. Our management would like to use Outlook Web Access. I
have followed the issue on several mailing lists. I know it's a bad idea
to use Exchange at all but management thinks I am too paranoid on this
issue.

It seems the best method is a reverse proxy using squid on a DMZ machine
and then into the IIS server on the inside over SSL. What are your
opinions/suggestions on this issue? Do you have any other methods that
are more secure?

TIA,
Mark L. Evans - CISSP

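Added example, not part of the original thread: a small audit of a firewall rule list against the two-DMZ layout described in the reply above (Internet to proxy on 80/443, proxy to IIS/front end on 80/443, front end to the internal Exchange/DC tier). The zone names, the `Rule` type and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Zone names are assumptions; the reply only describes two DMZs plus the inside.
INTERNET, DMZ_PROXY, DMZ_WEB, INTERNAL = "internet", "dmz-proxy", "dmz-web", "internal"

# Permitted connection-opening flows (stateful firewall assumed for replies).
# None = the thread gives no port list for that hop (front end -> Exchange/DCs).
ALLOWED = {
    (INTERNET, DMZ_PROXY): {80, 443},
    (DMZ_PROXY, DMZ_WEB): {80, 443},
    (DMZ_WEB, INTERNAL): None,
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str = "allow"

def audit(rules):
    """Return (rule, reason) pairs for allow rules that break the tiering."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        key = (r.src, r.dst)
        if key not in ALLOWED:
            findings.append((r, "zone skip: %s may not reach %s" % key))
        elif ALLOWED[key] is not None and r.port not in ALLOWED[key]:
            findings.append((r, "port %d not in design for %s -> %s" % (r.port, *key)))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE = [
    Rule(INTERNET, DMZ_PROXY, 443),
    Rule(DMZ_PROXY, DMZ_WEB, 443),
    Rule(DMZ_WEB, INTERNAL, 135),      # constructed port; this hop is unrestricted here
    Rule(INTERNET, DMZ_WEB, 443),      # bypasses the reverse proxy
    Rule(DMZ_PROXY, INTERNAL, 443),    # proxy talking straight to Exchange
    Rule(DMZ_PROXY, DMZ_WEB, 3389),    # extra port between the two DMZs
    Rule(INTERNAL, DMZ_WEB, 445, "deny"),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE):
        print(rule, "->", reason)
```

The front end to internal hop is left unrestricted in the model because the thread gives no port list for it; tightening that entry is where a real policy would spend most of its effort.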