Solved

Setup of OWA outside of the DMZ firewall

Posted on 2004-08-12
Last Modified: 2012-05-05
                                   Internet
                                       |
                                       |
                                 ------------
                                 | Firewall |---------------- DMZ
                                 ------------                 -Webserver-
                                       |
                                       |
                                 ----------------
                                 Internal Network
                                    -Exchange-

1.) Internal OWA works fine at: servername\exchange\flastname
2.) We are attempting to get OWA outside of the firewall on the internet to work
      a.) Question 1. What ports do I need to open from the DMZ to the internal network?
      b.) Question 2. How do I set up the IIS virtual directory to point to the Exchange directory on the internal network where the Exchange machine resides?

Notes: We do not currently have a license to install a front-end Exchange box. We were attempting to have a client from the internet be able to type http://webmail.sitename/exchange and be redirected through an IIS 5.0 virtual directory to see the OWA screen for mail. We have looked into port 445 SMB and SMTP as well, but are just not sure. Any ideas?
Question by:tsi_admin
14 Comments
 
Expert Comment

by:BNettles73
Deployment Guide - http://www.microsoft.com/exchange/owa/
Tutorial - http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html


On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:

For Exchange Communication:
Port 80 for HTTP
Port 691 for Link State Algorithm routing protocol
For Active Directory communication:
Port 389 for LDAP (TCP and UDP)
Port 3268 for Global Catalog Server LDAP (TCP)
Port 88 for Kerberos Authentication (TCP and UDP)
Note: You should now configure the DSAccess service for perimeter networks on your Frontend Server. First, you should disable the check for available disk space at netlogon by using RPC. This can be done by changing the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1

In addition to this you should prevent DSAccess from pinging domain controllers. This can be done by creating the following key on your Frontend Server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0

Then you should configure your Exchange Frontend Server to connect to the DC and GC you want by editing the server properties in Exchange System Manager.

For DNS communication:
Port 53 for DNS (TCP and UDP)
For RPC communication:
Port 135 – RPC endpoint mapper (TCP)
Ports 1024 and higher for RPC services
Note: You can limit RPCs across the firewall by editing the registry of all your DCs. You should now change the registry setting of the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)

If you are using IPSec between Frontend and Backend Servers you have to open:

Port 500 for IKE (UDP)
Port 51 for Authentication Header (AH)
Port 50 for Encapsulation Protocol (ESP)


Author Comment

by:tsi_admin
Currently we do not have the license to install an Exchange front-end server in the DMZ. Any other ideas?
Expert Comment

by:BNettles73
I was more or less answering your question about what ports need to be opened. I don't think you are going to be able to accomplish what you are trying to do in your second question.

Why don't you NAT your OWA back inside and just remove the DMZ server, or leave it for WWW use? This isn't secure, but many small-to-medium businesses use this type of OWA connectivity.
Expert Comment

by:BNettles73
I meant "this isn't as secure". Of course, that is a matter of perception.
Expert Comment

by:Sembee
Why complicate matters?
Just get a certificate for OWA and punch 443 through the firewall ONLY to your Exchange server.
That saves making the firewall into Swiss cheese and retains control over the network and OWA.

I'll repeat what I said elsewhere on this forum yesterday - there are NO valid reasons to put an OWA server in the DMZ.

Simon.
Expert Comment

by:BNettles73
I guess we'll have to agree to disagree, Simon =)
Author Comment

by:tsi_admin
How do I go about setting up NAT so that users on the outside go to the web server in the DMZ and are NAT'ed back to the internal network? Can I set up the NAT on the Windows 2000 web server in the DMZ and point it through my already open ports 80/443?

                                   Internet
                                       |
                                       |
                                 ------------
                                 | Firewall |---------------- DMZ
                                 ------------                 -Webserver-
                                       |
                                       |  Open ports from DMZ to protected network: 80/443
                                       |
                                 ----------------
                                 Internal Network
                                    -Exchange-
Accepted Solution

by:BNettles73 (earned 250 total points)

Do you have more than 1 public IP or not?

More than 1 IP:

Set up your external DNS records for your OWA website. Example: owa1.domain.com
NAT your public IP to the internal OWA server
Open 80 and 443 to the server

I've never been in a situation where I only had 1 public IP, so I can't give you any solid advice if you are looking to maintain the same DNS space for two servers. I would imagine you would need to modify the ports or maybe use host headers. Simon could probably advise you a little better on the 1 IP scenario.
Author Comment

by:tsi_admin
Currently I have only 1 public IP. Ports 80 & 443 are already open and the DNS A record is already created:

xmail.domain.com pointing to my 1 public IP address.

How would I set up the NAT from my public IP to the internal server? Just through configuring Routing & Remote Access?
Assisted Solution

by:Sembee (earned 250 total points)
Your firewall usually does the NAT. As you only have one IP address, simple port forwarding will do the NAT by default.

Where things get tricky is having multiple web sites.
Exchange OWA needs direct communication with the client; you cannot go through another server. It looks like you have a web site in the DMZ.

Therefore I would set up the following...

OWA on port 443: port forwarding to the internal IP address of Exchange
Website on port 80: port forwarding to the DMZ address of the web server.

I cannot see any other way of doing it with 1 IP address.

Simon.
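The two designs argued over in this thread, modelled as firewall rules and audited, as an added example that is not code from the thread, from Microsoft or from the msexchange.org tutorial: the DMZ-frontend port list in BNettles73's first comment versus the single 443 port forward Sembee describes above. Zone names, the RISKY and CLEARTEXT tables, the 16-port width threshold and the sample fixed NTDS RPC port 50000 are assumptions for illustration. One caveat on the IPsec lines in that port list: AH and ESP are IP protocols 51 and 50, not TCP/UDP ports, so the model carries them as port-less protocol entries.

```python
from dataclasses import dataclass
from typing import List, Optional

# Zone trust ordering (zone names are assumptions for this example).
TRUST = {"internet": 0, "dmz": 1, "internal": 2}

# Services a practitioner does not want reachable from a less-trusted zone (assumed table).
RISKY = {("tcp", 135): "RPC endpoint mapper", ("tcp", 139): "NetBIOS session",
         ("tcp", 445): "SMB"}
# Protocols that carry credentials or directory data in the clear unless wrapped in IPsec.
CLEARTEXT = {("tcp", 80): "HTTP", ("tcp", 389): "LDAP", ("udp", 389): "LDAP"}
PORTLESS = ("ah", "esp")  # IP protocols 51 and 50: no TCP/UDP port applies


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp", or a port-less IP protocol ("ah", "esp")
    lo: int = 0           # first destination port (unused for port-less protocols)
    hi: int = 0           # last destination port
    note: str = ""

    def width(self) -> int:
        """Number of destination ports the rule opens (1 for a port-less protocol)."""
        return 1 if self.proto in PORTLESS else self.hi - self.lo + 1

    def label(self) -> str:
        if self.proto in PORTLESS:
            return f"{self.src}->{self.dst} {self.proto}"
        span = f"{self.lo}" if self.lo == self.hi else f"{self.lo}-{self.hi}"
        return f"{self.src}->{self.dst} {self.proto}/{span}"


def frontend_in_dmz(fixed_rpc_port: Optional[int] = None, ipsec: bool = False) -> List[Rule]:
    """Intranet-firewall rules transcribed from the tutorial port list for a DMZ frontend.

    fixed_rpc_port models the NTDS 'TCP/IP Port' registry change, which replaces
    the 1024-and-higher range with a single port (50000 is an assumed value).
    """
    def r(proto: str, port: int, note: str) -> Rule:
        return Rule("dmz", "internal", proto, port, port, note)

    rules = [
        r("tcp", 80, "HTTP to backend"), r("tcp", 691, "link state routing"),
        r("tcp", 389, "LDAP"), r("udp", 389, "LDAP"), r("tcp", 3268, "global catalog LDAP"),
        r("tcp", 88, "Kerberos"), r("udp", 88, "Kerberos"),
        r("tcp", 53, "DNS"), r("udp", 53, "DNS"), r("tcp", 135, "RPC endpoint mapper"),
    ]
    if fixed_rpc_port is None:
        rules.append(Rule("dmz", "internal", "tcp", 1024, 65535, "dynamic RPC"))
    else:
        rules.append(r("tcp", fixed_rpc_port, "NTDS fixed RPC port"))
    if ipsec:
        rules += [r("udp", 500, "IKE"),
                  Rule("dmz", "internal", "ah", note="AH, IP protocol 51"),
                  Rule("dmz", "internal", "esp", note="ESP, IP protocol 50")]
    return rules


def owa_direct() -> List[Rule]:
    """Sembee's design: one port forward of 443 straight to the Exchange server."""
    return [Rule("internet", "internal", "tcp", 443, 443, "HTTPS to Exchange OWA")]


def exposed_ports(rules: List[Rule]) -> int:
    """Total destination ports opened toward a more-trusted zone."""
    return sum(r.width() for r in rules if TRUST[r.src] < TRUST[r.dst])


def audit(rules: List[Rule], max_width: int = 16) -> List[str]:
    """Findings: wide port ranges, risky services, and cleartext protocols with no IPsec."""
    findings = []
    ipsec_present = any(r.proto == "esp" for r in rules)
    for r in rules:
        if TRUST[r.src] >= TRUST[r.dst]:
            continue  # traffic toward a less-trusted zone is not an exposure
        if r.width() > max_width:
            findings.append(f"{r.label()}: {r.width()} ports open ({r.note})")
        if r.proto in PORTLESS:
            continue
        for port in range(r.lo, r.hi + 1):
            key = (r.proto, port)
            if key in RISKY:
                findings.append(f"{r.label()}: {RISKY[key]} reachable from {r.src}")
            if key in CLEARTEXT and not ipsec_present:
                findings.append(f"{r.label()}: {CLEARTEXT[key]} in the clear (no IPsec rules)")
    return findings


if __name__ == "__main__":
    for name, rules in [("frontend in DMZ", frontend_in_dmz()),
                        ("frontend in DMZ, fixed RPC port + IPsec", frontend_in_dmz(50000, ipsec=True)),
                        ("443 straight to Exchange", owa_direct())]:
        print(f"{name}: {exposed_ports(rules)} ports exposed")
        for finding in audit(rules):
            print("  -", finding)
```

Run stand-alone, it shows the point both experts are circling: the frontend design opens the RPC endpoint mapper plus the whole dynamic RPC range from the DMZ into the internal network (fixing the NTDS port shrinks that to one port, and IPsec covers the cleartext HTTP and LDAP legs), whereas Sembee's design opens a single TCP port and produces no findings. The thresholds and tables are assumptions; adjust them to your own policy before treating the output as an audit.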
Expert Comment

by:BNettles73
I answered his question and I think Sembee gave him another option. Both valid responses.