OWA in DMZ Windows Server 2003, Web Edition

Posted on 2004-10-25
Last Modified: 2010-04-19
Looking for somewhere to start. I am planning on implementing an Exchange 2003 solution. I have requirements to secure OWA for internet users to access their e-mail. I am trying to get away from purchasing two licenses for Exchange 2003 (front-end/back-end config.). My thoughts are to offload OWA to a server in a DMZ. I am not sure if this is possible without installing Exchange on that box too, that is. If it is possible, I could run any web server in the DMZ, I suppose.
My question would be: Is it possible to offload OWA to a web server in the DMZ without installing Exchange on the same server? Also, will Windows Server 2003, Web Edition work for OWA?
Question by:3v0luti0n
    LVL 3

    Accepted Solution

    Bad news, but there is no way to move OWA off of Exchange any more!  You must buy 2 copies.  The good news is that in 2003 you can mix the products, i.e. one Enterprise and one Standard for the front end.

    No, Exchange cannot be loaded on to Web Edition.

    Check out Thawte for an SSL certificate at a great price.  Or just set up your own CA and let everyone get a warning if you are not doing e-business.

    LVL 104

    Expert Comment

    There are also no valid reasons for putting OWA in the DMZ. The number of holes required in the firewall make the firewall into Swiss cheese and a DMZ practically useless. You may as well just open 443 (https) and 25 (smtp) into the Exchange straight from the Internet - it is a fairly safe solution as you have limited the ports that are open.

    While I would agree that purchasing an SSL certificate is a good idea, I wouldn't agree that Thawte is a "good price". Check out FreeSSL instead. I also use them exclusively for the implementations that I do, without any problems.

    You want to avoid a popup error message as much as possible. The IT and security industry is constantly telling the regular users that they should be wary of popup error messages and verify that the site is what it claims to be. I don't want to tell anyone any kind of exception, as they will get used to it and may treat other sites the same. Inconsistent messages just make securing the Internet more difficult for the rest of us.

    LVL 3

    Expert Comment

    First off, thanks to you Simon for the FreeSSL tip.  $19 !!!!   I will try them out for service and most likely start recommending them to clients moving forward.

    I agree with Simon on the overall user/network impact of site security pop-ups.

    However, I do not agree with his statement on putting OWA in the DMZ.  There are many valid security reasons for the front-end/back-end solution.   Yes, you need to open ports in your firewall, about 10 in total, but when configured correctly security is increased.

    Here is a link if you would like to read about it.

    I am not saying many people do not use a single Exchange server exposed to the world, but FE/BE is a more secure solution, in addition to being more flexible and capable of greater performance.

    LVL 104

    Expert Comment

    We shall have to agree to disagree on the DMZ status.

    I personally like to have as few ports as possible open into the production network, whether this is internet to production or DMZ to production. 10 ports is 8 too many, and requires too many changes to the domain configuration that I am unhappy with - locking ports down from their dynamic settings. Most people who will do this will use the recommended ports in the MS KB article, further reducing the security.

    I do not think that a domain member belongs in the DMZ under ANY circumstances. While you can secure the open ports by locking them down to IP addresses etc. in the firewall, that doesn't help if an attacker compromises the machine in the DMZ. They can walk straight into your production network. Not good. Limiting the open ports to just 443 and 25 means that it is much more difficult for the network to be compromised.
    When MS Exchange edge services arrive I may adjust my opinion, if edge services don't require the server to be a member of a domain.

    If you want to put something in between the Internet and production for email (not OWA), then a Windows 2003 server locked down in a workgroup with SMTP installed makes an excellent relay machine. I have deployed a couple of those with great success. HTTPS still needs to come in direct due to the AD integration.

    The Exchange 2003 version of that article can be found here:
    Although naturally MS also recommend using ISA Server, I think the less we say about that the better.

    LVL 3

    Expert Comment

    I had the 2000 version on my laptop already...  

    So in all, I hope we answered your question there, evolution.

    If you are tight on cash, go with a single Exchange box and a stronger firewall.  Or just a correctly configured firewall.

    The reality is that even Microsoft and Cisco get hacked now and again.  If you are working at the NSA or FBI, good luck; if you are at "ABC we make stuff", chances are you are not on anyone's target list.

    In addition, you can always phase in 1 or many front-end servers down the road depending on your needs.

    There are also great examples provided in the documents above to help you finish up a design.



    Author Comment

    It was a hard decision on whose answer to accept. If I could, I would have given both of you 500 points. Simon, thanks for the tip for SSL. Yes, I have considered both situations and both of you do have valid arguments (however I could not figure out the Web Server/OWA question. THANKS!!!). I wanted to confirm that there was not something I was missing that would make one or the other the most secure. I too fret about having a domain member in the DMZ, but on the other hand, I am a bit concerned about opening up a direct path to the LAN, even though it is just 443 & 25. I am a strong believer in that "where there is a will there is a way", regardless of which ports are closed or open. I had not considered the Enterprise and the Standard mixture. Good thinking. I am still unsure of which way I will go. It sounds like (FE/BE) is going to be more expensive, but it would eliminate the straight path to the network.  However, just opening up 2 ports to the LAN sounds a lot more attractive. Maybe I will just flip a coin.
    Thanks again gentlemen,

