RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good
From: Paul Melson (pmelson_at_gmail.com)
To: "'Thomas W Shinder'" <firstname.lastname@example.org>, "'Ravdal, Stig'" <SRavdal@Quiznos.com>, <email@example.com> Date: Thu, 17 Nov 2005 14:35:01 -0500
> Subject: RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
> Hi Stig,
> The front-end/back-end Exchange Server topology was *never* about
security, it was about
> load balancing and routing.
> You can put the FE Exchange Server in a authenticated access DMZ, as I've
done many times,
> but there's no point to putting the FE Exchange Server in an anonymous
> > -----Original Message-----
> > Subject: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a
> > My concern is that with the next OWA vulnerability someone will own
> > the server in the DMZ through a single exploit. However, I cannot
> > find anything that suggests that the front end server solution is
> > really any more secure. Yeah it's another hop but it would be an easy
> > one as soon as the front end server is compromised.
I agree w/ Dr. Tom on this. The kind of stuff you have to open between
internal Exchange servers and AD domain controllers and the front-end OWA
server makes the DMZ almost pointless. You expose your internal network so
much to the OWA front-end that if it's broken into, the other servers will
fall quickly thereafter.
A better solution, in my opinion (and I must say, I am surprised that Tom
doesn't mention this) is to put ISA Server in the DMZ as a reverse proxy.
At least this way you can offload SSL and authentication to the ISA Server
in the DMZ and only open up 1 or 2 ports from it to the internal network.
The other advantage is that you can use ISA Server's web publishing rules to
restrict access to the OWA server's IIS instance to only the OWA
application, greatly reducing the attack surface of the OWA server. (If you
do this, it is worth noting that the default URLScan rules will break OWA
firewall-wizards mailing list