RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Behm, Jeffrey L. (
Date: 11/17/05

    To: <>
    Date: Thu, 17 Nov 2005 11:31:42 -0600

    The DMZ server (i.e. reverse proxy-type server) should be able to do
    more than just port filtering and *shouldn't* require all those ports to
    be open. It should be able to do various application level checks as
    well, before the request makes it into your network.

    Look at CipherTrust's IronWebMail front end (that sits in a DMZ) for
    example. It does more than just port filtering and doesn't require a ton
    of open ports through the firewall, just normal web traffic. Other
    "reverse-proxy" front ends should behave similarly, although perhaps not
    as robustly.

    *DON'T* let your MS admins dictate the security of the network. If you
    do, you'd be better off just putting the Exchange servers directly on the
    Internet ;-)... <sarcasm>It'd be just as secure, faster (due to no
    firewall latency), and have fewer configuration issues.</sarcasm>


    -----Original Message-----
    [] On Behalf Of Ravdal,
    Sent: Thursday, November 17, 2005 9:50 AM
    Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a

    Hi everyone,

    I hope that someone has been through this before and has some
    substantial arguments for/against:

    Our MS admins are proposing to implement single OWA/Exchange servers
    on the LAN and allow access directly to the server through the firewall.
    The primary reason for doing it this way is to reduce the cost of the
    front-end server that would otherwise reside in a DMZ. Their argument
    is that with OWA 2003 you have to have a bunch of ports open anyway
    and so what is the reason to put a front end server in the DMZ - if
    that server were compromised they would practically have access to the
    network anyway. With the OWA/Exchange server inside the firewall,
    access from the Internet can be limited to 80 and/or 443 only.

    My concern is that with the next OWA vulnerability someone will own
    the server in the DMZ through a single exploit. However, I cannot
    find anything that suggests that the front end server solution is
    really any more secure. Yeah, it's another hop, but it would be an easy
    one as soon as the front end server is compromised.

    firewall-wizards mailing list
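The kind of application-level screening the reply expects from a DMZ reverse proxy, as an added example that is not part of the thread: before anything is forwarded to the internal Exchange server, the request line, method, Host header and path are checked against a narrow OWA profile, so the internal box only ever sees well-formed requests for the published directories. The published host name, the OWA 2003 virtual directories, the method list and the sample requests are assumptions constructed for this example (an OWA deployment that publishes the WebDAV-based premium client would need its methods added to the allowlist).

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed profile of what the proxy publishes; tighten or extend per deployment.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")  # assumed OWA 2003 virtual directories
MAX_TARGET_LEN = 2048
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def screen_request(raw_head, published_host):
    """Screen one HTTP request head (request line + headers, CRLF separated).

    Returns (allowed, reason); only allowed requests are forwarded inward."""
    lines = raw_head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.groups()
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    if len(target) > MAX_TARGET_LEN:
        return False, "request target too long"
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return False, "malformed header"
        headers[name.strip().lower()] = value.strip()
    # Only requests addressed to the published OWA name are proxied.
    if headers.get("host", "").lower() != published_host.lower():
        return False, "Host header is not the published OWA name"
    # Decode once, then refuse anything still encoded or carrying odd characters.
    path = unquote(urlsplit(target).path)
    if "%" in path or "\\" in path or "\x00" in path:
        return False, "double-encoded or forbidden characters in path"
    if ".." in path.split("/"):
        return False, "path traversal"
    if not path.lower().startswith(ALLOWED_PREFIXES):
        return False, "path outside published OWA directories"
    return True, "forward to internal Exchange"


# Constructed sample requests for a hypothetical published name mail.example.com.
SAMPLE_OK = "GET /exchange/jdoe/Inbox/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
SAMPLE_TRAVERSAL = "GET /exchange/%2e%2e/private/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"

if __name__ == "__main__":
    for head in (SAMPLE_OK, SAMPLE_TRAVERSAL):
        print(head.split("\r\n")[0], "->", screen_request(head, "mail.example.com"))
```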
