Re: [fw-wiz] Exchange 2003 OWA security questions

From: Darryl Luff (
Date: 01/19/05

    To: MHawkins@TULLIB.COM
    Date: Wed, 19 Jan 2005 22:50:34 +1100

    MHawkins@TULLIB.COM wrote:

    >Hi guys and gals,
    >We use CheckPoint/Nokia with multiple DMZs including a web server farm DMZ.
    >Our Microsoft admin wants to multihome an ISA server on our web dmz with the
    >other NIC connected to our internal network to allow the ISA to talk to the
    >internal MS OWA front end server which then talks to the exchange server
    >(sheesh!). All this to allow users on the internet to access exchange via a
    >web browser.
    This sort of stuff is easier to fight if you have a strong, documented
    architecture and security policy etc etc. You can point to your own
    company's rules then. But it's obvious that more parallel paths into an
    organisation = more possible ways of entry. By adding another path
    you've doubled the chance that someone could get in one way or the other.

    >I asked the MS admin to single home his ISA or forget about ISA altogether
    >and just run a front end server in the web dmz. The idea of breaking our
    >Checkpoint architecture with an ISA that multihomes between the internal
    >network and our web dmz is just too much to ask a decent security admin,
    >don't you think? Now I need ammunition to press the point home.
    Sorry, I haven't used ISA since it was Proxy Server 2, so I may have it
    wrong. But if ISA is just proxying or port forwarding the connection to
    the internal server, it's really not providing any security value. It's
    still effectively plugging the incoming connection straight through to
    the internal server. The only way I could see it being of value is if
    it's doing a first level authentication of connections before allowing
    the connection through, and it has its own user database. At least then
    it's protecting your corporate user accounts from brute force attacks.
    But then people would need to authenticate twice to use it - once to ISA
    and again to the internal server.

    >A few questions:
    >i) If any of you run an ISA for tunneling for the front end server I'd like
    >to hear if you were able to do it using single homing (the doco says it's
    >possible but not recommended and our MS admin says he can't get it to work).
    I used the old MS Proxy 2 single homed, but was only using it as an
    outgoing web proxy then.

    >ii) Scrap the ISA server, I think the front end server should be on the web
    >dmz. Does everyone agree with this? Yes, I know I have to open up all those
    >nasty MS ports but at least I can restrict it to talking to the DCs and a
    >few other boxes - those would be hardened machines anyways.
    But this exposes your corporate user accounts on the DMZ.
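    Whichever way the OWA front end is exposed (through ISA or directly in the DMZ), the
    risk Darryl keeps coming back to is password guessing against corporate accounts.
    The script below is an added example, not code from the thread or from any of the
    products discussed: it parses a few constructed IIS W3C-style log lines from an
    assumed OWA front end (the /exchange/ path, the #Fields layout and the thresholds
    are all assumptions for illustration) and flags source IPs that either pile up
    failed logons quickly or walk through many different accounts.

```python
"""
Failed-logon detection over OWA front-end web logs (added example).

Parses constructed IIS W3C extended-format lines and flags client IPs that
show brute-force (many 401s in a short window) or password-spray (many
distinct accounts) behaviour. Paths, thresholds and log lines are assumed
values for illustration, not taken from the original thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 hammers one account, 198.51.100.9 tries
# five accounts once each, 192.0.2.5 is a user who mistyped once then got in.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-01-19 11:50:01 203.0.113.7 CORP\\jsmith GET /exchange/ 401
2005-01-19 11:50:03 203.0.113.7 CORP\\jsmith GET /exchange/ 401
2005-01-19 11:50:04 203.0.113.7 CORP\\jsmith GET /exchange/ 401
2005-01-19 11:50:06 203.0.113.7 CORP\\jsmith GET /exchange/ 401
2005-01-19 11:50:07 203.0.113.7 CORP\\jsmith GET /exchange/ 401
2005-01-19 11:50:09 203.0.113.7 CORP\\jsmith GET /exchange/ 401
2005-01-19 11:51:00 198.51.100.9 CORP\\alice GET /exchange/ 401
2005-01-19 11:51:01 198.51.100.9 CORP\\bob GET /exchange/ 401
2005-01-19 11:51:02 198.51.100.9 CORP\\carol GET /exchange/ 401
2005-01-19 11:51:03 198.51.100.9 CORP\\dave GET /exchange/ 401
2005-01-19 11:51:04 198.51.100.9 CORP\\erin GET /exchange/ 401
2005-01-19 11:52:10 192.0.2.5 CORP\\frank GET /exchange/ 401
2005-01-19 11:52:15 192.0.2.5 CORP\\frank GET /exchange/ 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at the columns
        yield dict(zip(fields, parts))


def failed_logons(records):
    """Return {client IP: [(timestamp, username), ...]} for every 401 response."""
    out = defaultdict(list)
    for r in records:
        if r["sc-status"] != "401":
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        out[r["c-ip"]].append((ts, r["cs-username"]))
    return out


def find_guessing(fails, window=timedelta(seconds=60), max_fails=5, max_users=4):
    """
    Flag a source as 'brute-force' when more than max_fails failures fall inside
    any sliding window of length `window`, and as 'password-spray' when it has
    touched more than max_users distinct accounts. Thresholds are assumed; tune
    them against the site's own lockout policy.
    """
    findings = {}
    for ip, events in fails.items():
        events.sort()
        reasons = []
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > max_fails:
                reasons.append("brute-force")
                break
        users = {user for _, user in events}
        if len(users) > max_users:
            reasons.append("password-spray")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


def analyse(text=SAMPLE_LOG):
    """Run the whole pipeline and return {ip: [reasons]} for flagged sources."""
    return find_guessing(failed_logons(parse_w3c(text)))


if __name__ == "__main__":
    for ip, reasons in analyse().items():
        print(f"{ip}: {', '.join(reasons)}")
```

    The spray check matters because a per-account lockout policy (the usual answer to
    brute force) does nothing against one source trying each account once; the
    per-source view of the front end's own logs is what catches that, regardless of
    whether a proxy sits in front.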

    firewall-wizards mailing list

