Solved

Setup of OWA outside of the DMZ firewall

Posted on 2004-08-12
Last Modified: 2012-05-05
                                   Internet
                                        |
                                        |
                                 -----------
                                | Firewall |
                                |             | ---------------DMZ
                                ------------                        -Webserver-
                                        |
                                        |
                               --------------
                             Internal Network
                                      -Exchange-

1.) Internal OWA works fine at: servername\exchange\flastname
2.) We are attempting to get OWA outside of the firewall on the internet to work
      a.) Question 1.  What ports do I need to open from the DMZ to the internal network?
      b.) Question 2.  How do I set up the IIS virtual directory to point to the exchange directory on the internal network where the Exchange machine resides?

Notes:  We do not currently have a license to install a front-end Exchange box.  We were attempting to have a client from the internet be able to type http://webmail.sitename/exchange and be redirected through an IIS 5.0 virtual directory to see the OWA screen for mail.  We have looked into port 445 SMB and SMTP as well, but we are just not sure.  Any ideas?
Question by:tsi_admin
14 Comments
 
LVL 12

Expert Comment

by:BNettles73
ID: 11786728
Deployment Guide - http://www.microsoft.com/exchange/owa/
Tutorial - http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html 


On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:

For Exchange Communication:
Port 80 for HTTP
Port 691 for Link State Algorithm routing protocol
For Active Directory communication:
Port 389 for LDAP (TCP and UDP)
Port 3268 for Global Catalog Server LDAP (TCP)
Port 88 for Kerberos Authentication (TCP and UDP)
Note: You should now configure the DSAccess service for perimeter networks on your Frontend Server. At first you should disable the check for available disk space at netlogon by using RPC. This can be done by changing the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1

In addition to this you should prevent DSAccess from pinging domain controllers. This can be done by creating the following key on your Frontend Server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0

Then you should configure your Exchange Frontend Server to connect to the DC and GC you want by editing the server properties in Exchange System Manager.

For DNS communication:
Port 53 for DNS (TCP and UDP)
For RPC communication:
Port 135 – RPC endpoint mapper (TCP)
Ports 1024 and higher for RPC services
Note: You can limit RPCs across the firewall by editing the registry of all your DCs. You should now change the registry setting of the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)

If you are using IPSec between Frontend and Backend Servers you have to open:

Port 500 for IKE (UDP)
Port 51 for Authentication Header (AH)
Port 50 for Encapsulation Protocol (ESP)

 

Author Comment

by:tsi_admin
ID: 11787003
Currently we do not have the license to install an exchange front end server in the dmz.  Any other ideas.
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787046
I was more or less answering your question about what ports need to be opened ... I don't think you are going to be able to accomplish what you are trying to do in your second question ...

Why don't you NAT your OWA back inside and just remove the DMZ server or leave it for WWW use .... this isn't secure but many small-medium businesses use this type of OWA connectivity ..
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787061
I meant "this isn't as secure" ... of course that is a matter of perception ...
 
LVL 104

Expert Comment

by:Sembee
ID: 11787612
Why complicate matters?
Just get a certificate for OWA, and punch 443 through the firewall ONLY to your Exchange server.
Saves making the firewall into Swiss cheese and retains control over the network and OWA.

I'll repeat what I said elsewhere on this forum yesterday - there are NO valid reasons to put an OWA server in the DMZ.

Simon.
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787767
I guess we'll have to agree to disagree, Simon =)
 

Author Comment

by:tsi_admin
ID: 12115981
How do I go about setting up NAT so that users on the outside go to the webserver in the DMZ and are NAT'ed back to the internal network?  Can I set up the NAT on the 2000 box webserver in the DMZ and point it through my already open ports 80/443?

                                    Internet
                                        |
                                        |
                                 -----------
                                | Firewall |
                                |             | ---------------DMZ
                                ------------                        -Webserver-
                                        |
                                            Open Ports from DMZ to Protected Network: 80/443
                                        |
                               --------------
                             Internal Network
                                      -Exchange-
 
LVL 12

Accepted Solution

by: BNettles73 (earned 1000 total points)
ID: 12117794

do you have more than 1 public IP or no?

More than 1 IP:

setup your external DNS records for your OWA website - Example:  owa1.domain.com
NAT your public IP to the internal OWA server
Open 80 and 443 to the server

I've never been in a situation where I only had 1 public IP so I can't give you any solid advice if you are looking to maintain the same DNS space for two servers ... I would imagine you would need to modify the ports or maybe use host headers ... Simon could probably advise you a little better on the 1 IP scenario ..
 

Author Comment

by:tsi_admin
ID: 12123736
Currently I have only 1 public IP.  Ports 80 & 443 are already open and the DNS A record is already created:

xmail.domain.com pointing to my 1 public IP address.

How would I set up the NAT from my public IP to the internal server?  Just through configuring Routing & Remote Access?
 
LVL 104

Assisted Solution

by: Sembee (earned 1000 total points)
ID: 12123891
Your firewall usually does the NAT. As you only have one IP address simple port forwarding will do the NAT by default.

Where things get tricky is having multiple web sites.
Exchange OWA needs direct communication with the client - you cannot go through another server. This looks like you have a web site in the DMZ.

Therefore I would setup the following...

OWA on port 443 - port forwarding to the internal IP address of Exchange
Website on port 80 - port forwarding to the DMZ address of the web server.

I cannot see any other way of doing it with 1 ip address.

Simon.
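The single-public-IP split that Sembee describes (TCP/443 forwarded straight to the internal Exchange server, TCP/80 forwarded to the DMZ web server, nothing else let in) can be expressed as a firewall ruleset. The script below is an added example, not code from anyone in this thread; it assumes a Linux/iptables firewall and uses constructed placeholder addresses and interface names, and it only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: generate iptables rules for the one-public-IP OWA split.
# Placeholder values (constructed for this example, not from the thread):
PUBLIC_IP="203.0.113.10"      # the single public address
EXCHANGE_IP="192.168.1.20"    # internal Exchange server (OWA backend)
WEB_IP="172.16.0.5"           # public web site living in the DMZ
EXT_IF="eth0"                 # Internet-facing interface of the firewall

# Emit the two rules needed to forward one public TCP port to one backend:
# a DNAT rule that rewrites the destination, and a FORWARD rule that admits
# only new connections to that backend on that port.
# $1 = public TCP port, $2 = backend IP, $3 = backend TCP port
forward_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$PUBLIC_IP" "$1" "$2" "$3"
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$EXT_IF" "$2" "$3"
}

# Whole ruleset: default-deny forwarding, allow replies, then exactly two holes.
owa_ruleset() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    forward_rule 443 "$EXCHANGE_IP" 443   # OWA over HTTPS goes directly to Exchange
    forward_rule 80  "$WEB_IP" 80         # plain HTTP stays in the DMZ
}

# Audit helper: list the public ports the ruleset forwards to a given backend,
# so you can confirm the internal network is reachable on 443 only.
forwards_to() {
    owa_ruleset | sed -n "s/.*--dport \([0-9]*\) -j DNAT --to-destination $1:.*/\1/p"
}

# How many backends accept new inbound connections (expected: 2).
exposed_backends() {
    owa_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

owa_ruleset
```

Run it on the firewall host and review the printed lines before piping them into a shell; `forwards_to "$EXCHANGE_IP"` should print only 443.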
 
LVL 12

Expert Comment

by:BNettles73
ID: 14271214
I answered his question and I think Sembee gave him another option. Both valid responses.