RE: Ye Olde OWA Topic (Was RE: Website inside or outside domain)

From: shannong (
Date: 02/15/03

  • Next message: Erik Birkholz: "RE: website inside or outside the domain?"
    From: "shannong" <>
    To: "'Henry Sieff'" <>, <>
    Date: Sat, 15 Feb 2003 12:08:40 -0600

    Of course, if you're using a VPN device then there's no need to deal
    with any DMZs or any other separation of OWA from your inside network.
    You just VPN to the network and then connect to OWA/Exchange which
    resides "next" to Exchange. This of course requires client side
    software and configuration.

    I'm working for a customer right now where we are deploying a
    reverse-proxy that does authentication of the users on the Internet
    before allowing them access to any inside web servers. All requests are
    re-written to look as though they came from the proxy. This is probably
    the best method to deploy web servers to the Internet securely.

    Of use your firewall to authenticate. Although users still access the
    servers directly, the firewall can authenticate the user before allowing
    them to access the services. Checkpoint and Pix firewalls can do this.
    In Pix 6.3 due out in March, the Pix will be able to do secure
    authentication for HTTP and HTTPS before allowing access.

    -----Original Message-----
    From: Henry Sieff []
    Sent: Thursday, February 13, 2003 10:24 AM
    Subject: Ye Olde OWA Topic (Was RE: Website inside or outside domain)

    > -----Original Message-----
    > From: KEITH KOOYMAN []
    > Sent: Wednesday, February 12, 2003 3:00 PM
    > To:
    > Subject: RE: Website inside or outside domain
    > As I have followed this thread I have noticed that no one has
    > addressed the
    > similarities between this situation and OWA. Essentially,
    > this is much the
    > same scenario, where a public web server is in the DMZ and
    > the question is:
    > How do I allow access to the back-end Exchange Server?

    The same logic applies: IF you must do ANY of these, then you have to
    establish some sort of control over access to the OWA server itself; it
    can't just be a public web server. You can do this through a VPN, with
    OWA server being at one end and your pre-approved clients being at the
    end. Put the OWA server on its own segement with whatever VPN device you
    choose, and then you can open up holes between OWA and the backend,
    you have established a reasonable level of assurance that the only
    coming into that segment is legit.

    > You can:
    > 1. Put a firewall between the DMX and the LAN (many firewalls have a
    > preconfigured DMZ so a second firewall is not needed) and
    > open up so many
    > ports from the DMZ to the LAN that the firewall is useless =
    > the official
    > Microsoft solution

    Bad (but mitigated by the suggestion above).

    > 2. You can leave the front-end in the DMZ and use pass-through
    > authentication which takes web traffic straight to your
    > back-end = not
    > desireable

    Might as well not even use OWA at that point; I mean, its not like the
    interface is that great.

    > 3. Multi-home the front-end public web server, use TCP/IP
    > filters, IPSEC
    > and firewall rules to filter, authenticate and encrypt
    > traffic going to the
    > back-end; a good idea but time consuming and difficult to set up

    Horrible horrible horrible. At that point, you are essentially putting
    of your faith in the integrity of the software and in your ability to
    the rule sets. All it takes is one mistaken mouse-click and presto, your
    server is now routing from your DMZ to your LAN. And, you are also
    that your public web server can be hardenend enough to make it a
    (that is, a device enforcing a boundary between different trust levels);
    can't be done.

    > 4. Move the front-end public web server to the LAN = not desirable

    Again, why not just move the Exchange server to the DMZ and ditch OWA;
    level of security, better interface, less moving parts.

    > 5. Use a third party hybrid solution = expensive

    Depends what you mean. Add an additional leg to your network, throw in a
    device (and I think you can probably even use PPTP running on a hardened
    Win2K server and get away with it; at least you get some benefit) and
    basically done. You can do it all on *BSD too. Doesn't have to be
    although the judging factor is how much the security is worth to you.