RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good
From: Thomas W Shinder (tshinder_at_tacteam.net)
Date: 11/17/05
- Previous message: Paul D. Robertson: "Re: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
- Maybe in reply to: Ravdal, Stig: "[fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
- Next in thread: Paul Melson: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
- Reply: Paul Melson: "RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good"
To: "Ravdal, Stig" <SRavdal@Quiznos.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 17 Nov 2005 11:30:09 -0600
Hi Stig,
The front-end/back-end Exchange Server topology was *never* about
security, it was about load balancing and routing.
You can put the FE Exchange Server in an authenticated access DMZ, as
I've done many times, but there's no point to putting the FE Exchange
Server in an anonymous access DMZ.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Ravdal, Stig
> Sent: Thursday, November 17, 2005 9:50 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet
> Access - a good
>
> Hi everyone,
>
> I hope that someone has been through this before and has some
> substantial arguments for/against:
>
> Our MS admins are proposing to implement single OWA/Exchange servers
> on the LAN and allow access directly to the server through
> the firewall.
> The primary reason for doing it this way is to reduce the cost of the
> front-end server that would otherwise reside in a DMZ. Their argument
> is that with OWA 2003 you have to have a bunch of ports open anyway
> and so what is the reason to put a front end server in the DMZ - if
> that server were compromised they would practically have access to the
> network anyway. With the OWA/Exchange server inside the firewall
> access from the Internet can be limited to 80 and/or 443 only.
>
> My concern is that with the next OWA vulnerability someone will own
> the server in the DMZ through a single exploit. However, I cannot
> find anything that suggests that the front end server solution is
> really any more secure. Yeah it's another hop but it would be an easy
> one as soon as the front end server is compromised.
>
> Thoughts?
>
> Thanks,
>
> Stig
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>