OWA in DMZ Windows Server 2003, Web Edition

Looking for somewhere to start. I am planning on implementing an Exchange 2003 solution. I have requirements to secure OWA for internet users to access their e-mail. I am trying to get away from purchasing two licenses for Exchange 2003 (front-end/back-end config). My thoughts are to offload OWA to a server in a DMZ. I am not sure if this is possible without installing Exchange on that box too. If it is possible, I could run any web server in the DMZ, I suppose.
My question would be: Is it possible to offload OWA to a web server in the DMZ without installing Exchange on the same server? Also, will Windows Server 2003, Web Edition work for OWA?

Bad news, but there is no way to move OWA off of Exchange any more! You must buy 2 copies. The good news is that in 2003 you can mix the products, i.e. one Enterprise and one Standard for the front end.

No, Exchange cannot be loaded onto Web Edition.

Check out Thawte for an SSL certificate at a great price. Or just set up your own CA and let everyone get a warning if you are not doing e-business. http://www.thawte.com/


There are also no valid reasons for putting OWA in the DMZ. The number of holes required in the firewall makes the firewall into Swiss cheese and a DMZ practically useless. You may as well just open 443 (HTTPS) and 25 (SMTP) into the Exchange server straight from the Internet. It is a fairly safe solution, as you have limited the ports that are open.

While I would agree that purchasing an SSL certificate is a good idea, I wouldn't agree that Thawte is a "good price". Check out FreeSSL instead. I also use them exclusively for the implementations that I do, without any problems.

You want to avoid a popup error message as much as possible. The IT and security industry is constantly telling regular users that they should be wary of popup error messages and verify that the site is what it claims to be. I don't want to tell anyone about any kind of exception, as they will get used to it and may treat other sites the same. Inconsistent messages just make securing the Internet more difficult for the rest of us.

First off, thanks to you Simon for the FreeSSL tip. $19!!!! I will try them out for service and most likely start recommending them to clients moving forward.

I agree with Simon on the overall user/network impact of site security popups.

However, I do not agree with his statement on putting OWA in the DMZ. There are many valid security reasons for the front-end/back-end solution. Yes, you need to open ports in your firewall, about 10 in total, but when configured correctly security is increased.

Here is a link if you would like to read about it.

I am not saying many people do not use a single Exchange server exposed to the world, but FE/BE is a more secure solution, in addition to being more flexible and capable of greater performance.



We shall have to agree to disagree on the DMZ status.

I personally like to have as few ports as possible open into the production network, whether this is Internet to production or DMZ to production. 10 ports is 8 too many, and requires too many changes to the domain configuration that I am unhappy with, namely locking ports down from their dynamic settings. Most people who do this will use the recommended ports in the MS KB article, further reducing the security.

I do not think that a domain member belongs in the DMZ under ANY circumstances. While you can secure the open ports by locking them down to IP addresses etc. in the firewall, that doesn't help if an attacker compromises the machine in the DMZ. They can walk straight into your production network. Not good. Limiting the open ports to just 443 and 25 means that it is much more difficult for the network to be compromised.
When MS Exchange edge services arrive I may adjust my opinion, if edge services don't require the server to be a member of a domain.

If you want to put something in between the Internet and production for email (not OWA), then a Windows 2003 server locked down in a workgroup with SMTP installed makes an excellent relay machine. I have deployed a couple of those with great success. HTTPS still needs to come in direct due to the AD integration.

The Exchange 2003 version of that article can be found here: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx
Although naturally MS also recommends using ISA Server, I think the less said about that the better.
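The "only 443 and 25 into production" stance above is easy to check mechanically. The following is an added example, not code from the thread: it audits a constructed firewall rule list (the rule tuple format and zone names "internet", "dmz", "production" are assumptions for this example) and flags every inbound rule that is not on the allow-list, treating any port range as a finding, since an unpinned dynamic RPC range is exactly the kind of hole the posts argue about.

```python
# Added example: audit constructed firewall rules against a minimal allow-list.
# Rule format, zone names and sample rules are constructed for this example.

# Only HTTPS (OWA) and SMTP (mail) are allowed into the production network.
ALLOWED_INTO_PRODUCTION = {("tcp", 443), ("tcp", 25)}

# Constructed sample ruleset: (src_zone, dst_zone, proto, ports),
# where ports is either "N" or an inclusive range "N-M".
SAMPLE_RULES = [
    ("internet", "production", "tcp", "443"),          # OWA over HTTPS
    ("internet", "production", "tcp", "25"),           # inbound SMTP
    ("dmz", "production", "tcp", "389"),               # LDAP from a DMZ front-end
    ("dmz", "production", "tcp", "88"),                # Kerberos from a DMZ front-end
    ("dmz", "production", "tcp", "1024-65535"),        # RPC dynamic range left open
    ("production", "internet", "tcp", "80"),           # outbound, out of scope here
]


def parse_ports(ports):
    """Return (low, high) for "N" or "N-M"."""
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)


def audit(rules, allowed=ALLOWED_INTO_PRODUCTION, target="production"):
    """Return a list of findings for rules admitting traffic into `target`.

    A finding is (src_zone, proto, ports, reason). Ranges are always flagged:
    a dynamic RPC range should be pinned to fixed ports, not opened wholesale.
    """
    findings = []
    for src, dst, proto, ports in rules:
        if dst != target or src == target:
            continue  # ignore outbound and intra-zone rules
        lo, hi = parse_ports(ports)
        if hi != lo:
            findings.append((src, proto, ports, "port range open; pin RPC to fixed ports"))
        elif (proto, lo) not in allowed:
            findings.append((src, proto, ports, "not in allow-list"))
    return findings


def inbound_port_count(rules, target="production"):
    """Count distinct ports (expanding ranges) any zone may reach on `target`."""
    opened = set()
    for src, dst, proto, ports in rules:
        if dst == target and src != target:
            lo, hi = parse_ports(ports)
            opened.update((proto, p) for p in range(lo, hi + 1))
    return len(opened)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
    print("distinct inbound ports:", inbound_port_count(SAMPLE_RULES))
```

With the sample rules, the two Internet-facing rules pass and the three DMZ-to-production rules are reported, which is the trade-off the two posters disagree on.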

I had the 2000 version on my laptop already...  

So all in all, I hope we answered your question there, evolution.

If you are tight on cash, go with a single Exchange box and a stronger firewall. Or just a correctly configured firewall.

The reality is that even Microsoft and Cisco get hacked now and again. If you are working at the NSA or FBI, good luck; if you are at "ABC we make stuff", chances are you are not on anyone's target list.

In addition, you can always phase in one or many front-end servers down the road, depending on your needs.

There are also great examples provided in the documents above to help you finish up a design.


3v0luti0n (Author) commented:
It was a hard decision on whose answer to accept. If I could, I would have given both of you 500 points. Simon, thanks for the tip for SSL. Yes, I have considered both situations and both of you do have valid arguments (however, I could not figure out the Web Server/OWA question. THANKS!!!). I wanted to confirm that there was not something I was missing that would make one or the other the most secure. I too fret about having a domain member in the DMZ, but on the other hand, I am a bit concerned about opening up a direct path to the LAN, even though it is just 443 & 25. I am a strong believer in "where there is a will there is a way", regardless of which ports are closed or open. I had not considered the Enterprise and Standard mixture. Good thinking. I am still unsure of which way I will go. It sounds like FE/BE is going to be more expensive, but it would eliminate the straight path to the network. However, just opening up 2 ports to the LAN sounds a lot more attractive. Maybe I will just flip a coin.
Thanks again, gentlemen.
