RE: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Paul Melson (psmelson_at_comcast.net)
Date: 05/03/05

  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Hopefully not too OT"
    To: "'Jason Gomes'" <greyline@phreaker.net>
    Date: Tue, 3 May 2005 09:06:34 -0400
    
    

    Definitely. In #1, if the ISA server is configured via the OWA publishing
    wizard, it will create ACLs that prevent requests that don't match
    /exchange/* from being passed to IIS. You can also run urlscan at the ISA
    server (though it requires some tweaking to keep from breaking some of OWA's
    functionality).

    In #2, the same thing applies, but should the ISA server be compromised, say
    via buffer overflow, then there is no protection for the internal AD domain,
    since those holes must be punched straight through the firewall (and they
    are BIG holes).

    PaulM

    -----Original Message-----
    Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

    Definitely? Under #1 it seems like something as simple as a directory
    traversal attack against IIS/OWA that manages to get through ISA leaves your
    entire internal network exposed. Under #2 it appears to me that an attacker
    would need at the very least a second exploit to gain further access to the
    trusted network.

    > -----Original Message-----
    > What is the preferred placement for an OWA front-end server given these
    > two possible network configurations and why?
    >
    > 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
    > <==> [OWA] <==> [Internal Net w/Exchange Svr]
    >
    > 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
    > [PIX Firewall] <==> [Internal Net w/Exchange Svr]

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
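
The thread turns on whether a publishing rule that only passes /exchange/* still holds when a request path carries traversal sequences. The sketch below is an example added here, not ISA Server's or urlscan's implementation and not code from any poster: it canonicalizes a path before matching the prefix. The function names and sample paths are constructed, and the case-insensitive match is an assumption.

```python
import posixpath
from urllib.parse import unquote

ALLOWED_PREFIX = "/exchange/"  # the /exchange/* rule mentioned in the message


def canonical_path(raw_path):
    """Return the canonical request path, or None if it is ambiguous."""
    path = raw_path.split("?", 1)[0]          # match on the path only
    once = unquote(path)
    if unquote(once) != once:                 # still encoded after one pass:
        return None                           # double encoding, refuse it
    path = once.replace("\\", "/")            # treat backslash as a separator
    if "\x00" in path or not path.startswith("/"):
        return None
    trailing = path.endswith("/")
    # Collapse leading slashes first: normpath keeps a leading "//" as-is.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if trailing and norm != "/":
        norm += "/"
    return norm


def filter_request(raw_path):
    """Return the path to forward to the web server, or None to deny.

    The prefix test runs on the canonical form, and that same form is what
    gets forwarded, so the filter and the back end see an identical path.
    """
    canon = canonical_path(raw_path)
    if canon is None or not canon.lower().startswith(ALLOWED_PREFIX):
        return None
    return canon


if __name__ == "__main__":
    samples = [                               # constructed request paths
        "/exchange/user/Inbox/",
        "/exchange/a/../b?x=1",
        "/exchange/../other/app",
        "/exchange/%2e%2e/other/app",
        "/exchange/%252e%252e/other/app",
        "/exchange\\..\\other",
        "/exchangeadmin/x",
    ]
    for p in samples:
        print(f"{p!r:40} -> {filter_request(p)!r}")
```

A filter that matched the raw string would pass every sample beginning with /exchange/; matching after canonicalization denies the ones that resolve outside it.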

