RE: Exchange Server and External Access

From: Rick Kingslan (rkingsla_at_cox.net)
Date: 08/23/03

    To: "'Cherian M. Palayoor'" <cpalayoor@cwalkergroup.com>, <security-basics@securityfocus.com>
    Date: Fri, 22 Aug 2003 19:35:56 -0500
    
    

    Cherian,

    Make use of the Front End/Back End capability of Exchange when hooked up
    with Outlook Web Access. You would put the OWA box in your DMZ (IIS is
    here, treat as untrusted and be sure to implement full lockdown - URLScan
    must be modified, but this is well documented) and enable SSL. Your
    external interface would expose 80 and 443, the port requirement from the
    OWA server to the Back End Exchange servers would be HTTP - Port 80 only.

    All of the authentication/authorization takes place behind the OWA box -
    much less exposed to untrusted sources. Because the only option for
    authentication between the FE and the BE is Basic, it is sometimes suggested
    (and urged) to SSL the traffic between the FE and the BE. The BE server
    will handle the communication to the DCs and the GC (or GAL, whichever way
    you want to look at it).

    So, to summarize - External, Port 80 and 443. OWA(FE) to Exchange Server
    (BE) Port 80 or 443 (if security of user name and password is desired
    between FE and BE).

    All of this assumes that the most critical element, the Exchange server with
    the message stores, is on the Internal, or most trusted network. Hence, no
    port concerns would be in play for RPC, GC, LDAP, or any other squishy
    Microsoft-type traffic.

    -rtk

    -----Original Message-----
    From: Cherian M. Palayoor [mailto:cpalayoor@cwalkergroup.com]
    Sent: Friday, August 22, 2003 12:26 PM
    To: security-basics@securityfocus.com
    Subject: Exchange Server and External Access

    Hi,

    We presently use the Std edition of Exchange 2000 as a mail server for our
    internal users, behind the Firewall.

    However we would like to grant mailbox access to external users outside the
    Firewall.

    What would be the most secure and efficient method of accomplishing this?

    One stream of thought that I have been entertaining is having a separate
    Exchange/Mail Server on the DMZ.

    Now this solution would result in having to maintain 2 separate mailboxes
    for internal and external users. This creates problems for users who would
    access their emails from both inside and outside the office.

    How can I work around this problem?

    Thanks in advance for any suggestions.

    Regards

    CP

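A small checker for the port matrix Rick's reply lays out (Internet to the OWA front end on 80/443, front end to back end on 80 or 443, nothing else crossing the boundaries), added here as an example and not part of the original thread; the host names, zone labels and sample flows are constructed, and the cleartext warning reflects the reply's point that the FE-to-BE hop can only use Basic authentication.

```python
# Added example: a checker for the port matrix in the reply above.
# Host names, zone labels and the sample flows are constructed.
from dataclasses import dataclass

INTERNET, DMZ = "internet", "dmz"

# (source zone, destination host, TCP port) tuples the reply permits:
# Internet -> OWA front end on 80/443, front end -> back end on 80/443.
# Everything else (RPC, LDAP, GC, direct client-to-back-end) is denied.
ALLOWED = {
    (INTERNET, "owa-fe", 80),
    (INTERNET, "owa-fe", 443),
    (DMZ, "exch-be", 80),
    (DMZ, "exch-be", 443),
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_host: str
    port: int

def evaluate(flow):
    """Return (verdict, note) for one flow.
    An allowed flow may still carry a warning: the FE-to-BE hop can only
    use Basic authentication, so port 80 there carries the user's name
    and password in cleartext, which is why the reply suggests 443.
    """
    if (flow.src_zone, flow.dst_host, flow.port) not in ALLOWED:
        return "deny", "not part of the FE/BE design"
    if flow.src_zone == DMZ and flow.dst_host == "exch-be" and flow.port == 80:
        return "allow", "warning: Basic auth FE->BE in cleartext; use 443"
    return "allow", ""

def audit(flows):
    """Evaluate a batch of flows; returns a list of (flow, verdict, note)."""
    return [(f,) + evaluate(f) for f in flows]

SAMPLE_FLOWS = [  # constructed
    Flow(INTERNET, "owa-fe", 443),
    Flow(INTERNET, "exch-be", 443),  # client trying to reach the BE directly
    Flow(DMZ, "exch-be", 80),
    Flow(DMZ, "dc1", 389),           # LDAP from the DMZ to a DC
    Flow(INTERNET, "owa-fe", 25),
]

if __name__ == "__main__":
    for flow, verdict, note in audit(SAMPLE_FLOWS):
        print(f"{flow.src_zone:>8} -> {flow.dst_host}:{flow.port:<4} {verdict:5} {note}")
```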

