RE: [fw-wiz] Exchange 2003 OWA security questions
From: Smith, Aaron (SmithA_at_byui.edu)
Date: 01/19/05
- Previous message: Dave Breiland: "Re: [fw-wiz] PIX stateful failover and crossover cables"
- Maybe in reply to: MHawkins_at_TULLIB.COM: "[fw-wiz] Exchange 2003 OWA security questions"
- Next in thread: Darryl Luff: "Re: [fw-wiz] Exchange 2003 OWA security questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <MHawkins@TULLIB.COM>, <firewall-wizards@honor.icsalabs.com>
Date: Wed, 19 Jan 2005 10:32:18 -0700
>Our Microsoft admin wants to multihome an ISA server on our web dmz with the
>other NIC connected to our internal network to allow the ISA to talk to the
>internal MS OWA front end server which then talks to the exchange server
>(sheesh!). All this to allow users on the internet to access exchange via a
>web browser.
>I've read a lot of the documentation on the whole Windows2003 Exchange web
>pages solution and I think Microsoft is trying to bad mouth other firewalls
>while touting their own proxy/packet firewall as good as or better than "the
>rest of the world". Problem is, checkpoint/Nokia is a far better technical
>solution compared to MS ISA (MS bigots take a deep breath and count to ten).
A MS consultant wanted to do the same thing here when our mail admins
upgraded the Exchange servers. In his words, "a PIX is _only_ a layer 4
packet filter. Sure it's fast, but it only filters up to layer 4."
Well, that's all it's marketed as, too!! IMO, it's better to have a
fast, secure L4 filter than a slow, unsecured, buggy, bloated L7 filter.
>I asked the MS admin to single home his ISA or forget about ISA altogether
>and just run a front end server in the web dmz. The idea of breaking our
>Checkpoint architecture with an ISA that multihomes between the internal
>network and our web dmz is just too much to ask a decent security admin,
>don't you think. Now I need ammunition to press the point home.
After a few heated discussions and my insistence that we wouldn't be
replacing the PIX with ISA, the consultant decided not to install ISA.
My argument was that we only allow 1 point of entry into the
network--our firewall. His rant was that ISA _is_ a firewall.
Whatever.
>i) If any of you run an ISA for tunneling for the front end server I'd like
>to hear if you were able to do it using single homing (the doco says it's
>possible but not recommended and our MS admin says he can't get it to work.
Our guy said that ISA _requires_ 2 interfaces on different networks; it
won't do hairpinning.
>ii) Scrap the ISA server, I think the front end server should be on the web
>dmz. Does everyone agree with this? Yes, I know I have to open up all those
>nasty MS ports but at least I can restrict it to talking to the DC's and a
>few other boxes - those would be hardened machines anyways.
We opened up smtp, http, pop3, imap, and ms-exchange routing (tcp 691)
from the front-end DMZ box to the internal Exchange boxes, plus some
domain stuff. Not pretty, but much prettier than trusting a MS box with
2 NICs.
>iii) I think the MS admin should just run a front end server internally and
>also another front end server on the web dmz. That way, you can harden the
>web dmz machine properly but don't have to worry about the one that's only
>for internal use (ok not too much worry). Make sense?
Isn't that proper design, anyway? Separate the Internet services from
the intranet services.
I had to fight long and hard to win this battle. Ultimately, I think MS
is pushing their consultants to install ISA wherever they can. In this
case, it only made the design more complex and less secure, yet he still
pushed to install it. He was either trying to rack up the hours or he
drank an extra dose of ISAKoolaid that morning. What we installed works
just fine without ISA cluttering up the picture.
@@ron Smith
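The DMZ-to-internal allow-list Aaron describes, written out in PIX 6.x style so the "one point of entry" argument is concrete. This is an added illustration, not configuration from the list post or from the poster's network; the interface names, the host addresses (RFC 5737 / RFC 1918 documentation ranges) and the outside-to-front-end HTTPS rule are assumptions.

```text
! Added illustration in PIX 6.x syntax; all addresses and interface names are assumed.
! Interfaces: outside = Internet, dmz = OWA front end, inside = Exchange back end and DCs.
! Front end 192.0.2.10 in the DMZ, published to the Internet as 203.0.113.10;
! internal Exchange server 10.0.0.5.
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
!
! Internet users reach the front end only on HTTPS (assumed; the post only says "web browser").
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! Front end to the internal Exchange box: only the ports the post lists, host to host.
! smtp
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 25
! http
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 80
! pop3
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 110
! imap
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 143
! ms-exchange routing
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 691
! The "domain stuff" to the DCs goes here, scoped the same way (host, host, port);
! anything not listed is dropped by the implicit deny at the end of the list.
access-group dmz_in in interface dmz
!
! A dual-NIC ISA bridging dmz and inside would carry traffic that never crosses
! this interface, so none of the rules above would apply to it.
```

Because every line is written per host and per port, the second, intranet-only front end from question iii never needs to appear in this list at all.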
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards