RE: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Mark Tinberg (
Date: 05/04/05

  • Next message: James Richards: "Re: [fw-wiz] Hopefully not too OT"
    To: Ben Nagy <>
    Date: Tue, 3 May 2005 18:25:52 -0500 (CDT)

    Hash: SHA1

    On Tue, 3 May 2005, Ben Nagy wrote:

    > > -----Original Message-----
    > [Jason Gomes]
    > [...]
    > >
    > > What is the preferred placement for a OWA front-end server
    > > given these two possible network configurations and why?
    > >
    > > 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX
    > > Firewall] <==> [OWA] <==> [Internal Net w/Exchange Svr]
    > >
    > > 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA]
    > > <==> [PIX Firewall] <==> [Internal Net w/Exchange Svr]

    > I always internally parse these diagrams as:
    > [spaghetti] --> [hackable box] --> [pot of gold]
    > In 1) there are no controls at all between the hackable box and the pot of
    > gold. In 2) there is.

    I ask the question, are the security controls between OWA -> Internal
    DC/Exchange really helpful? Depending on the filtering you have available
    there may be very little benefit to having the OWA box on one of the other
    side of the PIX, as the OWA box needs to be a domain member and have legit
    access to the "pot of gold". Without an MS-RPC proxy you're basically
    giving OWA full access to Exchange and the DC anyway, but you are making a
    lot of pomp and circumstance with a bunch of firewall rules to support it.

    It'd be better (although the original poster probably can't sell this to
    his management) to drop the "requirement" for OWA in the first place.
    Find out what the users really _need_ to do, if they don't need remote
    access then it's easy, if all they really really need is mail then find
    another (better) webmail client that runs over IMAP which may be easier to
    proxy and monitor.

    - --
    Mark Tinberg <>
    Network Administrator, SecurePipe Inc.
    Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
    Version: GnuPG v1.2.5 (GNU/Linux)
    Comment: For info see

    -----END PGP SIGNATURE-----
    firewall-wizards mailing list

  • Next message: James Richards: "Re: [fw-wiz] Hopefully not too OT"

    Relevant Pages

    • Red X in body of OWA new message
      ... On one machine a user is recieving ... an X in the body of their new mail message when using OWA. ... active x controls and it is in the trusted sites just ...
    • Re: Replying a e-mail using Outlook Web Access
      ... but I can't find any option in OWA that controls the reply ... format. ... Brian Tillman ...