Question

Possible placement of OWA on DMZ of Pix 515E

Asked by: ebwood74

I am deliberating, debating, and looking for a solution to allow public access to OWA for our company.  I would like to accomplish a high level of security, by use of existing resources, minimize expenditures, and have a seamless implementation.

We currently have a Cisco Pix 515 firewall with 3 interface cards, one each for Internal, External, and DMZ.  We have an SMTP server (running Symantec Mail Security for Gateways) in the DMZ that scans email for viruses and spam, and if clean it is sent internally to our Exchange 2000 Std. server.  I do not want to touch the EX 2000 server, as it houses about 800 mail clients, and it also currently hosts OWA.  We are not currently using SSL to the OWA site, but I would like to implement it.  Currently we are port forwarding from the external interface of the Pix on port 80 to the internal OWA site on the Exchange server.  No hardening of IIS, etc. has been done.

I am thinking of a modular approach, and installing another server to host OWA externally (DMZ).  I have looked at various MS documents on "front end" Exchange servers, and it looks like if I went that route, I would have to install Exchange 2003 Std. and make it a front end server that would sit on the DMZ.  We currently have a license for EX 2003 Std.  I have also read a lot of recommendations for using ISA to reverse proxy to the OWA front end server.  I am not a fan of this, and again, want to use what I have.  I am concerned, however, about opening too many ports to my internal servers.

I have also read of folks using Linux/Apache and ISA to reverse proxy.  As far as using Linux, I am not sure I could recommend this to my boss, because we are a large MS shop, and no one there really knows Unix that well.  I might be able to get this going; I have experience with several different flavors of Unix from past years.

I would appreciate any suggestions, comments, recommendations, or sample configurations that might point me in the right direction if I do choose to go forward with the exchange 2003 std as a front end server, on the DMZ of my pix.  Please let me know if I need to provide any further detail...

Thanks,
Bryan


Asked on: 2004-12-29 at 10:41:14 (ID 21256625)
Tags: owa, dmz, pix
Topic: Exchange Email Server
Participating Experts: 2
Points: 500
Comments: 4


Answers

 

by: Sembee, posted on 2004-12-29 at 13:01:57 (ID: 12921998)

What is your reason for putting a domain member and Exchange server in to a DMZ?
No one has given me a valid reason for doing so to date.

The most common reason is because people think it will increase security.
It doesn't.

For an Exchange server to communicate through a firewall a number of ports need to be opened, and dynamic ports in Exchange must be made static.
This basically turns your firewall into Swiss cheese. If your DMZ machine gets compromised, the attacker has a clear run into your domain.

Instead leave everything inside. Open port 25 (SMTP) and 443 (SSL) only from the Internet to your Exchange server. This means you only have two ports open. I operate a policy of as few ports open as possible.

If there is still unease about having an Exchange server directly exposed to the Internet then put something in between. OWA still needs to be exposed, but Windows 2003 makes an excellent relay server. MS even have an article on how to set it up:  http://support.microsoft.com/default.aspx?kbid=324272

Simon.
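The "443 and 25 only" policy in the answer above, written out as PIX 6.3 configuration. This is an added example, not configuration posted by either participant. The addresses are assumptions: 203.0.113.10 is the public address mapped to the internal Exchange server 192.168.125.10, and 203.0.113.11 is the public address of the DMZ SMTP gateway 192.168.1.10 (the two private ranges come from the question; the host and public addresses are invented here). The first block is the asker's current state as described in the question (port 80 forwarded straight to the internal OWA site); the second is the replacement. Lines beginning with ":" are comments, the form PIX itself uses in saved configs.

```cisco
: --- Current state (from the question): port 80 forwarded to the internal OWA site ---
static (inside,outside) 203.0.113.10 192.168.125.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

: --- Replacement: 443 to Exchange, 25 to the DMZ scanning gateway, nothing else ---
: Remove the clear-text OWA forward first; it must not coexist with the SSL rule
no access-list outside_in permit tcp any host 203.0.113.10 eq www
static (inside,outside) 203.0.113.10 192.168.125.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.1.10 netmask 255.255.255.255
access-list outside_in remark OWA over SSL only; port 80 stays closed
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in remark Inbound mail terminates on the DMZ gateway, never directly on Exchange
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Two checks a practitioner would want before committing this: on PIX 6.x the ACL applied to the outside interface matches the translated (public) address, not the inside address, so the `static` and the `permit` lines must agree on the 203.0.113.x side; and the explicit `deny ip any any` at the end only documents the implicit deny, but it makes `show access-list` hit counters useful for spotting what else is knocking on the outside interface. Enabling SSL on the OWA virtual directory in IIS is a separate step on the Exchange server and is not covered here.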

 

by: ebwood74, posted on 2004-12-29 at 15:08:13 (ID: 12922771)

I am only interested in OWA, or port 80/443 proxying, etc.  Port 25 with SMTP is well taken care of.  

I would like to separate OWA off the production server that all 800 clients connect to on the internal network for their Outlook client.  Yes, I would like to increase security, and I know that this could be argued against.   I see it like this: the internal network is a private range of IPs (192.168.125.0), the DMZ is a private range of IPs (192.168.1.0), and the external interface has a public IP.  They are both non-routable, NAT'd networks, and to expose a port to a specific server IP on either the DMZ or the internal net, it is translated to the external interface.  Specific ports, say port 80 from the external interface, to the DMZ server IP on port 80.  This would be the same process/result as if you forwarded it through to the internal Exchange server's IP.

The thing that I think it gets me is that it is a separate server, which, if compromised, doesn't down my production server on the internal network.  I guess this depends on the attack, and the payload...  It would have to be hacked at the IIS level on port 80 or 443 if that is all that is exposed externally.  If somehow someone could take over the computer from either of those ports 80/443, and ride it through on the specific ports to specific IPs on the internal network (which they would have no idea what servers and ports were in the ACL), then I suppose they could possibly get into the internal network.  I would think it to be  M U C H  more difficult to accomplish to gain "full" access to the internal network in this manner, than if we port forwarded 80/443 to the internal server IP.

This scenario opens more ports than I would like, but I feel it is an improvement over forwarding to the internal network.  Also, as a FE server, it would have no data stores on it, and all services but IIS would be running on it for it to process OWA; the authentication and data would be served up from the internal network servers.  Unlike what you recommend, the internal Exchange server has data stores on it that could be compromised.  I do not want to compromise the security and reliability of my internal Exchange server.

What would you suggest putting in between Exchange and OWA?  Any examples or configurations?

What type of firewall are you using?

Thanks,
Bryan

 

by: Sembee, posted on 2004-12-29 at 16:31:57 (ID: 12923166)

Most of the installs I am using are Cisco PIX - either 501 (small sites) or 515 (larger).
In all cases all Exchange servers are inside. A front-end/back-end is still a valid choice for you, especially with 800 users. The load it will take off the back-end will improve things.
A DMZ by definition is less well protected than the inside network.
The attack doesn't have to go in directly on the two ports that are exposed to the Internet. If another machine in the DMZ - perhaps a workgroup machine is compromised then the attacker has a clear run at your OWA machine to use as a hop, and then in to production.

The whole argument I use is that you should have the least ports open to the production inside network as possible, whether this is from the DMZ or the Internet.
443 and 25 have got to come in somehow. I personally feel that there is less risk having 443 open directly to the Internet than any other configuration.
One of the Exchange MVPs actually said on another forum "There are no valid reasons for an Exchange server to be in the DMZ". The number of compromises that you must make to get the server to operate correctly reduce the internal security of Exchange as well.

As for sitting something between Exchange/OWA and the Internet, your choices from Microsoft's point of view are limited to just one - ISA. Microsoft refer to ISA as a firewall, but I prefer a dedicated firewall to do the job.
You could also look at some kind of SSL appliance which has been built for the job. That should be able to sit in the DMZ and deal with SSL traffic. I haven't had a client with deep enough pockets to let me do one of those so I haven't really researched much except for a high level proof of concept.

Simon.

 

by: BlevinsM3, posted on 2005-07-27 at 05:50:08 (ID: 14535966)

So far as Exchange 200x goes, the very best and most secure method is as follows.
For your RPC/HTTP(S) and OWA traffic:
Internet ----> External Firewall (PIX, whatever you already have) ----> ISA 2004 (Advanced Firewall) ----> Internal Network Ex200x FE server ----> Back-End servers.

ISA 2004 is as good as it gets for stateful inspection of OWA and RPC/HTTP packets, AND is a richly featured advanced firewall. Putting a FE server on your DMZ is just a bad idea, period.
A. It's a domain member, so if it gets compromised, forget it. It has to have LDAP ports opened to ALL your FSMO role holders in most cases, and at a minimum, to a Global Catalog server.
B. The admin overhead of keeping ALL those ports open is totally unnecessary. Here are SOME of the ports that you will have to open:
  • 80 for HTTP
  • 143 for IMAP
  • 110 for POP
  • 25 for SMTP
  • 691 for Link State Algorithm routing protocol
  • Open ports for Active Directory communication:
    TCP port 389 for LDAP to Directory Service
    UDP port 389 for LDAP to Directory Service
    TCP port 3268 for LDAP to Global Catalog Server
    TCP port 88 for Kerberos authentication
    UDP port 88 for Kerberos authentication
  • Open the ports required for access to the DNS server:
    TCP port 53
    UDP port 53
  • Open the appropriate ports for RPC communication:
    TCP port 135 - RPC endpoint mapper
    TCP ports 1024+ - RPC service ports
  • (Optional) If you want to limit RPCs across the intranet firewall, edit the registry on servers in the intranet to limit RPC traffic to a specific port. Then open the appropriate ports on the internal firewall:
    TCP port 135 - RPC endpoint mapper
    TCP port 1600 (example) - RPC service port

No thanks! :-)

Instead, run ISA for all this traffic, and you'll not only have yourself a very solid internal firewall, but you'll be following "Best Practices", which is a rare thing, and will save you a lot of headaches!!

Good luck, please feel free to ask any other questions regarding this line of questioning.

BTW, ISA will statefully inspect and scrub port 25 traffic as well, much better than Cisco PIX or Checkpoint, because it doesn't just forward a port to a host like those firewalls do. It understands SMTP verbiage and protocol structure and gives you all the tools you need to clean up your incoming SMTP traffic before it even gets to your IMF (Intelligent Message Filter) if you're using it.
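The port list in the answer above, expressed as what the PIX's dmz-interface ACL would have to contain if the front-end server went into the DMZ. This is an added example, not configuration from the post. Addresses are assumptions inside the asker's stated ranges: 192.168.1.10 is the existing DMZ SMTP gateway, 192.168.1.20 the hypothetical DMZ front-end, 192.168.125.10 the back-end Exchange server, and 192.168.125.5 a domain controller assumed to also be the Global Catalog and DNS server. The post lists ports without destinations, so the split below (AD, DNS and RPC to the DC; HTTP, SMTP and link state to the back-end) is also an assumption. The first permit is the only DMZ-to-inside hole the current design needs; everything after it is what the front-end would add. IMAP and POP are left out because the question is OWA only.

```cisco
: Identity translation so inside hosts are reachable from the DMZ without an address change
static (inside,dmz) 192.168.125.0 192.168.125.0 netmask 255.255.255.0

: --- Current design: the DMZ scanning gateway hands clean mail to Exchange. One hole. ---
access-list dmz_in permit tcp host 192.168.1.10 host 192.168.125.10 eq smtp

: --- Additional holes a DMZ front-end (192.168.1.20) would require, per the list above ---
access-list dmz_in remark AD: LDAP, Global Catalog and Kerberos to the DC/GC
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.5 eq 389
access-list dmz_in permit udp host 192.168.1.20 host 192.168.125.5 eq 389
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.5 eq 3268
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.5 eq 88
access-list dmz_in permit udp host 192.168.1.20 host 192.168.125.5 eq 88
access-list dmz_in remark DNS to the DC
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.5 eq domain
access-list dmz_in permit udp host 192.168.1.20 host 192.168.125.5 eq domain
access-list dmz_in remark RPC to the DC: endpoint mapper plus the entire dynamic range
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.5 eq 135
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.5 range 1024 65535
access-list dmz_in remark Front-end to back-end: OWA proxying over HTTP, SMTP, link state
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.10 eq www
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.10 eq smtp
access-list dmz_in permit tcp host 192.168.1.20 host 192.168.125.10 eq 691
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The `range 1024 65535` line is the one that turns the DMZ boundary into the "Swiss cheese" Sembee describes: a compromised DMZ front-end gets every high port on the domain controller. Pinning RPC to a fixed port in the registry, as the post's optional step describes with 1600 as its example, lets that line be replaced by a single `eq 1600` permit, but the LDAP, Kerberos, DNS and endpoint-mapper holes remain, and the post itself calls its list only SOME of the ports, so expect to add more (for example whatever domain membership itself needs) before the server actually works.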
