Re: [fw-wiz] PIX -> ISA -> OWA Configuration

From: Jason Gomes (greyline_at_phreaker.net)
Date: 05/04/05

    To: Paul Melson <psmelson@comcast.net>
    Date: Tue, 03 May 2005 21:53:13 -1000

    It sounds like you would completely and solely trust ISA to protect OWA
    and your entire internal network.

    In #2 if either the ISA or OWA server is compromised, wouldn't the
    back-end firewall limit the potential damage that could be done to the
    Internal Network? ACLs would dictate which of those AD ports would be
    allowed open and to specific, hardened, back-end servers.

    In #1, a single exploit against OWA (ignoring any protection ISA may
    provide which would be available in both scenarios) would allow an
    attacker free rein to target anything internally without restriction.

    Paul Melson wrote:
    > Definitely. In #1, if the ISA server is configured via the OWA publishing
    > wizard, it will create ACLs that prevent requests that don't match
    > /exchange/* from being passed to IIS. You can also run urlscan at the ISA
    > server (though it requires some tweaking to keep from breaking some of OWA's
    > functionality).
    >
    > In #2, the same thing applies, but should the ISA server be compromised say
    > via buffer overflow, then there is no protection for the internal AD domain,
    > since those holes must be punched straight through the firewall (and they
    > are BIG holes).
    >
    > PaulM
    >
    > -----Original Message-----
    > Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration
    >
    > Definitely? Under #1 it seems like something as simple as a directory
    > traversal attack against IIS/OWA that manages to get through ISA leaves your
    > entire internal network exposed. Under #2 it appears to me that an attacker
    > would need at the very least a second exploit to gain further access to the
    > trusted network.
    >
    >
    >>-----Original Message-----
    >>What is the preferred placement for a OWA front-end server given these
    >>two possible network configurations and why?
    >>
    >>1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
    >><==> [OWA] <==> [Internal Net w/Exchange Svr]
    >>
    >>2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
    >>[PIX Firewall] <==> [Internal Net w/Exchange Svr]
    >
    >
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
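As an added illustration that is not part of the thread, the two placements can be modelled as a chain of segments separated by firewall ACLs and checked for what an attacker reaches after compromising ISA or OWA. Host names, services and ACL entries are constructed stand-ins for the "AD ports to specific hardened servers" the posters discuss.

```python
"""Reachability model of the two OWA placements debated in the thread.
A topology is a chain: segment, firewall ACL, segment. Hosts on one segment
reach each other freely; every firewall between the attacker's foothold and
a target must permit the (src, dst, service) triple. All names constructed."""

# Constructed: services each host listens on (stand-ins for the AD ports).
SERVICES = {
    "owa": {"https"},
    "dc1": {"ldap", "kerberos"},
    "exchange-be": {"rpc"},
    "fileserver": {"smb"},
}
INTERNAL = frozenset({"dc1", "exchange-be", "fileserver"})

# Option 1: back-end PIX between ISA and OWA; OWA shares the internal segment.
TOPOLOGY_1 = [frozenset({"isa"}), {("isa", "owa", "https")}, INTERNAL | {"owa"}]

# Option 2: OWA beside ISA; the back-end PIX passes only the AD-style ports
# from OWA to specific hardened servers (the "holes" in the thread).
TOPOLOGY_2 = [
    frozenset({"isa", "owa"}),
    {("owa", "dc1", "ldap"), ("owa", "dc1", "kerberos"), ("owa", "exchange-be", "rpc")},
    INTERNAL,
]


def reachable(topology, foothold):
    """Return the set of (host, service) an attacker on `foothold` can reach."""
    segments, firewalls = topology[0::2], topology[1::2]
    start = next(i for i, seg in enumerate(segments) if foothold in seg)
    reached = set()
    for i, seg in enumerate(segments):
        lo, hi = sorted((start, i))
        crossed = firewalls[lo:hi]  # every ACL on the chain between the two segments
        for host in seg - {foothold}:
            for svc in SERVICES.get(host, ()):
                if all((foothold, host, svc) in acl for acl in crossed):
                    reached.add((host, svc))
    return reached


def exposed_internal(topology, foothold):
    """Internal (host, service) pairs reachable once `foothold` is compromised."""
    return {(h, s) for h, s in reachable(topology, foothold) if h in INTERNAL}


if __name__ == "__main__":
    for name, topo in (("option 1", TOPOLOGY_1), ("option 2", TOPOLOGY_2)):
        for foothold in ("isa", "owa"):
            print(f"{name}, {foothold} compromised:", sorted(exposed_internal(topo, foothold)))
```

In option 1 a compromised OWA reaches every internal service, while in option 2 the back-end ACL confines it to the listed AD-style ports, which is exactly the trade-off the two posters argue over.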

