Solved

Setup of OWA outside of the DMZ firewall

Posted on 2004-08-12
634 Views
Last Modified: 2012-05-05
                                   Internet
                                        |
                                        |
                                 -----------
                                | Firewall |
                                |             | ---------------DMZ
                                ------------                        -Webserver-
                                        |
                                        |
                               --------------
                             Internal Network
                                      -Exchange-

1.) Internal OWA works fine at: servername\exchange\flastname
2.) We are attempting to get OWA outside of the firewall on the internet to work
      a.) Question 1.  What ports do I need to open from the DMZ to the internal network?
      b.) Question 2.  How do I set up the IIS virtual directory to point to the exchange directory on the internal network where the exchange machine resides?

Notes:  We do not currently have a license to install a front end exchange box.  We were attempting to have a client from the internet be able to type:  http://webmail.sitename/exchange and be redirected through an IIS 5.0 virtual directory to be able to see the OWA screen for mail.  We have looked into port 445 SMB and SMTP as well.  But just not sure.  Any ideas?
Question by:tsi_admin
14 Comments
 
LVL 12

Expert Comment

by:BNettles73
ID: 11786728
Deployment Guide - http://www.microsoft.com/exchange/owa/
Tutorial - http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html 


On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:

For Exchange Communication:
Port 80 for HTTP
Port 691 for Link State Algorithm routing protocol
For Active Directory communication:
Port 389 for LDAP (TCP and UDP)
Port 3268 for Global Catalog Server LDAP (TCP)
Port 88 for Kerberos Authentication (TCP and UDP)
Note: You should now configure the DSAccess service for perimeter networks on your Frontend Server. At first you should disable the check for available disk space at netlogon by using RPC. This can be done by changing the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1

In addition to this you should prevent DSAccess from pinging domain controllers. This can be done by creating the following key on your Frontend Server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0

Then you should configure your Exchange Frontend Server to connect to the DC and GC you want by editing the server properties in Exchange System Manager.

For DNS communication:
Port 53 for DNS (TCP and UDP)
For RPC communication:
Port 135 – RPC endpoint mapper (TCP)
Ports 1024 and higher for RPC services
Note: You can limit RPCs across the firewall by editing the registry of all your DCs. You should now change the registry setting of the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)

If you are using IPSec between Frontend- and Backend Servers you have to open:

Port 500 for IKE (UDP)
Port 51 for Authentication Header (AH)
Port 50 for Encapsulation Protocol (ESP)

 

Author Comment

by:tsi_admin
ID: 11787003
Currently we do not have the license to install an exchange front end server in the DMZ.  Any other ideas?
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787046
I was more or less answering your question about what ports need to be opened ... I don't think you are going to be able to accomplish what you are trying to do in your second question ...

Why don't you NAT your OWA back inside and just remove the DMZ server or leave it for WWW use .... this isn't secure but many small-medium businesses use this type of OWA connectivity ..
 
LVL 12

Expert Comment

by:BNettles73
ID: 11787061
I meant "this isn't as secure" ... of course that is a matter of perception ...
 
LVL 104

Expert Comment

by:Sembee
ID: 11787612
Why complicate matters?
Just get a certificate for OWA, and punch 443 through the firewall ONLY to your Exchange server.
Saves making the firewall into Swiss cheese and retains control over the network and OWA.

I'll repeat what I said elsewhere on this forum yesterday - there are NO valid reasons to put an OWA server in the DMZ.

Simon.

 
LVL 12

Expert Comment

by:BNettles73
ID: 11787767
I guess we'll have to agree to disagree, Simon =)
 

Author Comment

by:tsi_admin
ID: 12115981
How do I go about Setting up NAT so that users on the outside go to the webserver in the dmz and are NAT'ed back to the internal network?  Can I setup the Nat on the 2000 box webserver in the dmz and point it through my already open port 80/443?

                                    Internet
                                        |
                                        |
                                 -----------
                                | Firewall |
                                |             | ---------------DMZ
                                ------------                        -Webserver-
                                        |
                                        Open Ports from DMZ to Protected Network: 80/443
                                        |
                               --------------
                             Internal Network
                                      -Exchange-
 
LVL 12

Accepted Solution

by: BNettles73 (earned 250 total points)
ID: 12117794

Do you have more than 1 public IP or no?

More than 1 IP:

setup your external DNS records for your OWA website - Example:  owa1.domain.com
NAT your public IP to the internal OWA server
Open 80 and 443 to the server

I've never been in a situation where I only had 1 public IP so I can't give you any solid advice if you are looking to maintain the same DNS space for two servers ... I would imagine you would need to modify the ports or maybe use host headers ... Simon could probably advise you a little better on the 1 IP scenario ..
 

Author Comment

by:tsi_admin
ID: 12123736
Currently I have only 1 public IP.  Port 80 & 443 are already open and the DNS A record is already created:

xmail.domain.com pointing to my 1 public IP address.

How would I setup the NAT from my public IP to the internal server?  Just through configuring Routing & remote Access?
 
LVL 104

Assisted Solution

by: Sembee (earned 250 total points)
ID: 12123891
Your firewall usually does the NAT. As you only have one IP address simple port forwarding will do the NAT by default.

Where things get tricky is having multiple web sites.
Exchange OWA needs direct communication with the client - you cannot go through another server. This looks like you have a web site in the DMZ.

Therefore I would setup the following...

OWA on port 443 - port forwarding to the internal IP address of Exchange
Website on port 80 - port forwarding to the DMZ address of the web server.

I cannot see any other way of doing it with 1 ip address.

Simon.
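To check from the DMZ host which of the DMZ-to-internal ports listed in BNettles73's first comment the inner firewall actually passes, and to compare that against Sembee's 443-only forward, here is an added example (not from the thread, Microsoft or msexchange.org); the target host name is a constructed placeholder and the probe is injectable so the logic runs without a network:

```python
"""Reachability check for the intranet-firewall ports discussed above.
Added example; host names are constructed placeholders."""
import socket

# Ports the first comment says must pass DMZ -> internal for an Exchange
# front-end.  The dynamic RPC range (>1024) is not listed since it is a
# range, not a single port, and is best constrained via the NTDS setting.
FRONTEND_PORTS = {
    "http": (80, "tcp"),
    "link-state": (691, "tcp"),
    "ldap": (389, "tcp"),
    "ldap-udp": (389, "udp"),
    "global-catalog": (3268, "tcp"),
    "kerberos": (88, "tcp"),
    "kerberos-udp": (88, "udp"),
    "dns": (53, "tcp"),
    "dns-udp": (53, "udp"),
    "rpc-epm": (135, "tcp"),
}
# Sembee's alternative: only 443 forwarded straight to the Exchange box.
DIRECT_HTTPS_PORTS = {"https": (443, "tcp")}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports, probe=tcp_open):
    """Return (reachable, unreachable, skipped) lists of service names.
    UDP entries are reported as skipped: a plain connect() cannot verify
    them, so they need a real query (e.g. a DNS lookup) instead."""
    reachable, unreachable, skipped = [], [], []
    for name, (port, proto) in ports.items():
        if proto != "tcp":
            skipped.append(name)
        elif probe(host, port):
            reachable.append(name)
        else:
            unreachable.append(name)
    return reachable, unreachable, skipped


if __name__ == "__main__":
    target = "exchange.internal.example"  # constructed placeholder
    ok, blocked, udp = check_ports(target, FRONTEND_PORTS)
    print("reachable:", ok, "\nblocked:", blocked, "\nudp not probed:", udp)
```

Every name in the "blocked" list is a firewall rule the front-end design would require and the 443-only design does not.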
 
LVL 12

Expert Comment

by:BNettles73
ID: 14271214
I answered his question and I think Sembee gave him another option. Both valid responses.
