Solved

Setup of OWA outside of the DMZ firewall

Posted on 2004-08-12
Last Modified: 2012-05-05
                     Internet
                         |
                         |
                   ------------
                  |  Firewall  |-------------- DMZ
                   ------------                 -Webserver-
                         |
                         |
                   --------------
                  Internal Network
                     -Exchange-

1.) Internal OWA works fine at: servername\exchange\flastname
2.) We are attempting to get OWA outside of the firewall on the internet to work
      a.) Question 1. What ports do I need to open from the DMZ to the internal network?
      b.) Question 2. How do I set up the IIS virtual directory to point to the exchange directory on the internal network where the Exchange machine resides?

Notes: We do not currently have a license to install a front end Exchange box. We were attempting to have a client from the internet be able to type http://webmail.sitename/exchange and be redirected through an IIS 5.0 virtual directory to see the OWA screen for mail. We have looked into port 445 SMB and SMTP as well, but are just not sure. Any ideas?
Question by: tsi_admin
14 Comments
 
LVL 12

Expert Comment

by:BNettles73
ID: 11786728
Deployment Guide - http://www.microsoft.com/exchange/owa/
Tutorial - http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html 


On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:

For Exchange Communication:
Port 80 for HTTP
Port 691 for Link State Algorithm routing protocol
For Active Directory communication:
Port 389 for LDAP (TCP and UDP)
Port 3268 for Global Catalog Server LDAP (TCP)
Port 88 for Kerberos Authentication (TCP and UDP)
Note: You should now configure the DSAccess service for perimeter networks on your Frontend Server. At first you should disable the check for available disk space at netlogon by using RPC. This can be done by changing the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1

In addition to this you should prevent DSAccess from pinging domain controllers. This can be done by creating the following key on your Frontend Server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0

Then you should configure your Exchange Frontend Server to connect to the DC and GC you want by editing the server properties in Exchange System Manager.

For DNS communication:
Port 53 for DNS (TCP and UDP)
For RPC communication:
Port 135 – RPC endpoint mapper (TCP)
Ports 1024 and higher for RPC services
Note: You can limit RPCs across the firewall by editing the registry of all your DCs. You should now change the registry setting of the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)

If you are using IPSec between Frontend- and Backend Servers you have to open:

Port 500 for IKE (UDP)
Port 51 for Authentication Header (AH)
Port 50 for Encapsulation Protocol (ESP)

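The list above is the intended policy for the DMZ-to-internal firewall; the next thing a practitioner wants is to confirm that the firewall allows that and nothing more. The following is an added example, not part of the original thread or of either linked guide: it parses port lines written the way the comment writes them ("Port 389 for LDAP (TCP and UDP)") and probes each TCP port on the internal target from the DMZ host. Host names and the list are constructed for the example. UDP entries and the open-ended "1024 and higher" RPC range are listed but not probed, because a dropping firewall and a closed UDP port look identical to a probe; IPsec AH and ESP are IP protocol numbers (51 and 50), not TCP/UDP ports, so a connect probe cannot check them either.

```python
"""Audit which of the intended DMZ-to-internal firewall openings are reachable.

Added example, not from the original thread. Parses port lines in the
format used in the comment above, then attempts a TCP connect to each TCP
port on the internal target so the result can be compared with the intended
list. UDP entries and open-ended ranges are reported as "not probed".
Host names and the port list below are constructed for the example.
"""
import re
import socket
import threading
from dataclasses import dataclass

# "Port 389 for LDAP (TCP and UDP)", "Port 135 - RPC endpoint mapper (TCP)",
# "Ports 1024 and higher for RPC services"; the dash may be an en dash.
PORT_LINE = re.compile(
    r"^Ports?\s+(?P<port>\d+)(?P<range>\s+and higher)?\s+(?:for|[-\u2013])\s+"
    r"(?P<name>.+?)\s*(?:\((?P<protos>TCP and UDP|TCP|UDP)\))?$"
)


@dataclass
class PortSpec:
    port: int
    name: str
    protos: tuple          # ("TCP",), ("UDP",) or ("TCP", "UDP"); default TCP
    open_ended: bool = False  # "and higher": a range starting at port


def parse_port_lines(text):
    """Turn the human-readable port list into PortSpec records; skips other lines."""
    specs = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue
        protos = m.group("protos") or "TCP"
        specs.append(PortSpec(int(m.group("port")), m.group("name"),
                              tuple(protos.split(" and ")), bool(m.group("range"))))
    return specs


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes (open and not filtered)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out (dropped) or unresolvable host
        return False


def audit(host, specs, timeout=2.0):
    """Map (port, proto) -> True/False for probed TCP ports, None for unprobed."""
    results = {}
    for s in specs:
        for proto in s.protos:
            if proto != "TCP" or s.open_ended:
                results[(s.port, proto)] = None
            else:
                results[(s.port, proto)] = check_tcp(host, s.port, timeout)
    return results


def start_local_listener():
    """Open an ephemeral loopback port that accepts and drops connections; returns it.
    Used only to exercise check_tcp without a real firewall in the path."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Reserve and release an ephemeral loopback port so it is (almost surely) closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


# Constructed copy of the intended openings from the comment (TCP/UDP entries only).
INTENDED_OPENINGS = """\
Port 80 for HTTP
Port 691 for Link State Algorithm routing protocol
Port 389 for LDAP (TCP and UDP)
Port 3268 for Global Catalog Server LDAP (TCP)
Port 88 for Kerberos Authentication (TCP and UDP)
Port 53 for DNS (TCP and UDP)
Port 135 – RPC endpoint mapper (TCP)
Ports 1024 and higher for RPC services
"""

if __name__ == "__main__":
    target = "dc1.internal.example"   # assumed name of the internal DC/GC; run from the DMZ host
    for (port, proto), ok in sorted(audit(target, parse_port_lines(INTENDED_OPENINGS)).items()):
        state = {True: "open", False: "closed/filtered", None: "not probed"}[ok]
        print(f"{proto}/{port:<5} {state}")
```

Run it twice: once from the DMZ host against the internal DC or Exchange server to confirm the intended TCP ports answer, and once with a list of ports you expect to be blocked (445, 3389, and so on) to confirm they do not.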
 

Author Comment

by:tsi_admin
ID: 11787003
Currently we do not have the license to install an Exchange front end server in the DMZ. Any other ideas?
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787046
I was more or less answering your question about what ports need to be opened ... I don't think you are going to be able to accomplish what you are trying to do in your second question ...

Why don't you NAT your OWA back inside and just remove the DMZ server or leave it for WWW use .... this isn't secure but many small-medium businesses use this type of OWA connectivity ..
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787061
I meant "this isn't as secure" ... of course that is a matter of perception ...
 
LVL 104

Expert Comment

by:Sembee
ID: 11787612
Why complicate matters?
Just get a certificate for OWA, and punch 443 through the firewall ONLY to your Exchange server.
Saves making the firewall into Swiss cheese and retains control over the network and OWA.

I'll repeat what I said elsewhere on this forum yesterday - there are NO valid reasons to put an OWA server in the DMZ.

Simon.
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787767
I guess we'll have to agree to disagree, Simon =)
 

Author Comment

by:tsi_admin
ID: 12115981
How do I go about setting up NAT so that users on the outside go to the webserver in the DMZ and are NAT'ed back to the internal network? Can I set up the NAT on the 2000 box webserver in the DMZ and point it through my already open ports 80/443?

                     Internet
                         |
                         |
                   ------------
                  |  Firewall  |-------------- DMZ
                   ------------                 -Webserver-
                         |
                         |   Open ports from DMZ to protected network: 80/443
                         |
                   --------------
                  Internal Network
                     -Exchange-
 
LVL 12

Accepted Solution

by: BNettles73 (earned 250 total points)
ID: 12117794

do you have more than 1 public IP or no?

More than 1 IP:

Set up your external DNS records for your OWA website - Example: owa1.domain.com
NAT your public IP to the internal OWA server
Open 80 and 443 to the server

I've never been in a situation where I only had 1 public IP so I can't give you any solid advice if you are looking to maintain the same DNS space for two servers ... I would imagine you would need to modify the ports or maybe use host headers ... Simon could probably advise you a little better on the 1 IP scenario ..
 

Author Comment

by:tsi_admin
ID: 12123736
Currently I have only 1 public IP. Ports 80 & 443 are already open and the DNS A record is already created:

xmail.domain.com pointing to my 1 public IP address.

How would I set up the NAT from my public IP to the internal server? Just through configuring Routing & Remote Access?
 
LVL 104

Assisted Solution

by: Sembee (earned 250 total points)
ID: 12123891
Your firewall usually does the NAT. As you only have one IP address simple port forwarding will do the NAT by default.

Where things get tricky is having multiple web sites.
Exchange OWA needs direct communication with the client - you cannot go through another server. It looks like you have a web site in the DMZ.

Therefore I would setup the following...

OWA on port 443 - port forwarding to the internal IP address of Exchange
Website on port 80 - port forwarding to the DMZ address of the web server.

I cannot see any other way of doing it with 1 ip address.

Simon.
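With one public IP the firewall's forwarding table is the whole security boundary, so it is worth checking from the Internet side that each port forwards to what you intended: 443 should reach Exchange with a certificate valid for the public name and an authentication challenge on /exchange/, while 80 should reach the DMZ web site and never serve an OWA logon in the clear. The following is an added checker (example code, not from the thread or from Microsoft); the host name xmail.example.com is an assumption standing in for the xmail.domain.com record above, and the fetch is a plain HTTP/1.1 GET, so run it from a machine outside the firewall.

```python
"""Verify how OWA is published through a single-IP port-forwarding firewall.

Added example, not from the original thread. Models the accepted layout
(443 forwarded to the internal Exchange server, 80 forwarded to the DMZ
web server) and classifies what each public port actually returns.
"""
import http.client
import ssl

PUBLIC_NAME = "xmail.example.com"   # assumed; stands in for the thread's xmail.domain.com


def fetch(host, port, path="/exchange/", timeout=5.0):
    """GET path on host:port and return (status, headers) with lower-cased header names.
    Port 443 uses TLS with chain and host-name verification, so a certificate that
    does not match the public name raises ssl.SSLCertVerificationError."""
    if port == 443:
        ctx = ssl.create_default_context()
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def classify(port, status, headers):
    """Return (verdict, detail); verdict is 'ok', 'bad' or 'check'."""
    auth = headers.get("www-authenticate", "")
    loc = headers.get("location", "")
    if port == 443:
        if status == 401 and auth:
            # OWA answered behind TLS; note the scheme offered (NTLM/Negotiate/Basic)
            return "ok", "OWA behind 443, auth challenge " + auth.split()[0]
        if status in (301, 302) and loc.startswith("http://"):
            return "bad", "443 redirects to cleartext http"
        return "check", f"unexpected {status} on 443"
    # port 80: the DMZ web site, or a redirect to https, never an OWA logon
    if status == 401 and auth:
        return "bad", "OWA authentication exposed over cleartext port 80 (" + auth.split()[0] + ")"
    if status in (301, 302) and loc.startswith("https://"):
        return "ok", "80 redirects to https"
    if status == 200:
        return "ok", "80 serves the DMZ web site"
    return "check", f"unexpected {status} on 80"


def audit_publishing(host):
    """Probe 443 and 80 on the public name and return {port: (verdict, detail)}."""
    findings = {}
    for port in (443, 80):
        try:
            status, headers = fetch(host, port)
            findings[port] = classify(port, status, headers)
        except ssl.SSLCertVerificationError as e:      # wrong name, self-signed, expired
            findings[port] = ("bad", f"certificate not valid for {host}: {e.reason}")
        except OSError as e:                           # refused, dropped, no such host
            findings[port] = ("check", f"port {port} unreachable: {e}")
    return findings


if __name__ == "__main__":
    for port, (verdict, detail) in sorted(audit_publishing(PUBLIC_NAME).items()):
        print(f"{port}: {verdict} - {detail}")
```

A "bad" on port 80 means the firewall forwarded 80 to Exchange rather than to the DMZ web server, so passwords would cross the Internet protected only by Basic or NTLM; a certificate failure on 443 means users will be trained to click through warnings, which defeats the point of the certificate.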
 
LVL 12

Expert Comment

by:BNettles73
ID: 14271214
I answered his question and I think Sembee gave him another option. Both valid responses.
