RE: [fw-wiz] Outlook Web Access - Paranoid?

From: Steve Evans (sevans@foundation.sdsu.edu)
Date: 11/28/02


From: "Steve Evans" <sevans@foundation.sdsu.edu>
To: "Paul D. Robertson" <proberts@patriot.net>, <firewall-wizards@honor.icsalabs.com>
Date: Thu Nov 28 08:14:01 2002

Since I'm an Exchange 2000 systems administrator I thought I'd clear up
some of the technical requirements of OWA. I've heard quite a few
things that are impossible/wrong. I'm not going to argue about whether
or not Exchange is a worthy product. Just going to present the facts of
what is required.

An OWA server needs access to the GC's and the backend servers.

GC's (domain controllers)
389 TCP/UDP (LDAP to Directory Server)
3268 TCP (LDAP to Global Catalog)
88 TCP/UDP (Kerberos)
135 TCP (RPC)
1024 and greater/TCP (more RPC)

And only 80 to the Back-End Server

SQL server is not required (they are talking about using the SQL server
engine for the database in future versions) and the OWA server has
to be an Exchange server. Not just a box running IIS. And it has to be
part of the domain.

One opinion I will express is that if you're going to use OWA (which I
have no opinion on) putting it in the DMZ is useless. The reason you
put things in the DMZ is so if they are compromised they still have a
firewall to go through to get to the good stuff. Let me tell you, the
ports you have to open are the good stuff.

And one more opinion. Exchange security isn't as bad as everyone is
making it out to be. Is it good, no, it's a Microsoft product. But
Exchange 2000 is really one of Microsoft's more secure products. Proper
planning can mitigate most of the risk. Really it's a decision for the
suits to make, not us. If the security is good enough though, is a
question that only you can answer.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Paul D. Robertson [mailto:proberts@patriot.net]
Sent: Tuesday, November 26, 2002 4:43 PM
To: Mark L. Evans
Cc: 'Firewall-Wizards (E-mail)
Subject: Re: [fw-wiz] Outlook Web Access - Paranoid?

On Tue, 26 Nov 2002, Paul Robertson wrote:

> Let's not forget that you're now putting this server in the critical
> update path for every IIS, SQL and Exchange patch- can your mail users

Both Wes Noonan and Frank Knobbe have pointed out to me that I'm
hallucinating about SQL server being buried in Exchange. I still stand
by the rest of the rant...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net   which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
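
An added illustration, not part of the original posts: the port list from Steve Evans's message expressed as a default-deny rule set, with a count of how much of a domain controller's port space those openings leave reachable from the OWA server. The host labels `gc` and `backend` and the probe ports are assumptions made for the example.

```python
# Added example: models the firewall openings listed in the post.
# "gc" (domain controller / Global Catalog) and "backend" are assumed labels.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    dest: str
    proto: str
    lo: int      # first port in the allowed range
    hi: int      # last port in the allowed range
    note: str

# Port list as given in the post; anything not listed is denied.
RULES = [
    Rule("gc", "tcp", 389, 389, "LDAP to Directory Server"),
    Rule("gc", "udp", 389, 389, "LDAP to Directory Server"),
    Rule("gc", "tcp", 3268, 3268, "LDAP to Global Catalog"),
    Rule("gc", "tcp", 88, 88, "Kerberos"),
    Rule("gc", "udp", 88, 88, "Kerberos"),
    Rule("gc", "tcp", 135, 135, "RPC"),
    Rule("gc", "tcp", 1024, 65535, "more RPC"),
    Rule("backend", "tcp", 80, 80, "HTTP to back-end server"),
]

def allowed(dest: str, proto: str, port: int) -> Optional[Rule]:
    """Return the first rule permitting this flow, or None (default deny)."""
    for r in RULES:
        if r.dest == dest and r.proto == proto and r.lo <= port <= r.hi:
            return r
    return None

def open_ports(dest: str, proto: str) -> int:
    """Count distinct reachable ports, without double-counting overlaps."""
    spans = sorted((r.lo, r.hi) for r in RULES
                   if r.dest == dest and r.proto == proto)
    total, end = 0, 0
    for lo, hi in spans:
        lo = max(lo, end + 1)   # skip the part already counted
        if hi >= lo:
            total += hi - lo + 1
            end = hi
    return total

def exposure(dest: str, proto: str) -> float:
    """Fraction of ports 1-65535 that the rule set leaves open."""
    return open_ports(dest, proto) / 65535

if __name__ == "__main__":
    for dest, proto in [("gc", "tcp"), ("gc", "udp"), ("backend", "tcp")]:
        print(f"{dest}/{proto}: {open_ports(dest, proto)} ports, "
              f"{exposure(dest, proto):.1%} of the port space")
    # Constructed probes: any listener on a high port falls in the RPC range.
    for probe in [("gc", "tcp", 3389), ("gc", "tcp", 445), ("backend", "tcp", 443)]:
        print(probe, "->", allowed(*probe))
```

The dynamic RPC range accounts for nearly all of the openings toward the domain controllers, which is the basis of the post's remark that the ports you have to open are the good stuff.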


