

OWA in DMZ Windows Server 2003, Web Edition

Posted on 2004-10-25
Medium Priority
Last Modified: 2010-04-19
Looking for somewhere to start. I am planning on implementing an Exchange 2003 solution. I have requirements to secure OWA for internet users to access their e-mail. I am trying to get away from purchasing two licenses for Exchange 2003 (front-end/back-end config.). My thoughts are to offload OWA to a server in a DMZ. I am not sure if this is possible without installing Exchange on that box too, that is. If it is possible, I could run any web server in the DMZ, I suppose.
My question would be: Is it possible to offload OWA to a web server in the DMZ without installing Exchange on the same server? Also, will Windows Server 2003, Web Edition work for OWA?
Question by:3v0luti0n

Accepted Solution

kelo501 earned 2000 total points
ID: 12403786
Bad news, but there is no way to move OWA off of Exchange any more! You must buy 2 copies. The good news is that in 2003 you can mix the products, i.e. one Enterprise and one Standard for the front end.

No, Exchange cannot be loaded onto Web Edition.

Check out Thawte for an SSL certificate at a great price. Or just set up your own CA and let everyone get a warning if you are not doing e-business. http://www.thawte.com/


Expert Comment

ID: 12406098
There are also no valid reasons for putting OWA in the DMZ. The number of holes required in the firewall makes the firewall into Swiss cheese and a DMZ practically useless. You may as well just open 443 (https) and 25 (smtp) into the Exchange server straight from the Internet - it is a fairly safe solution as you have limited the ports that are open.

While I would agree that purchasing an SSL certificate is a good idea, I wouldn't agree that Thawte is a "good price". Check out FreeSSL instead. I use them also exclusively for the implementations that I do without any problems.

You want to avoid a popup error message as much as possible. The IT and security industry is constantly telling the regular users that they should be wary of popup error messages and verify that the site is what it claims to be. I don't want to tell anyone any kind of exception, as they will get used to it and may treat other sites the same. Inconsistent messages just make securing the Internet more difficult for the rest of us.


Expert Comment

ID: 12406203
First off, thanks to you Simon for the FreeSSL tip. $19!!!! I will try them out for service and most likely start recommending them to clients moving forward.

I agree with Simon on the overall user/network impact of site security pop ups.

However I do not agree with his statement on putting OWA in the DMZ. There are many valid security issues for the front-end/back-end solution. Yes, you need to open ports in your firewall, about 10 in total, but when configured correctly security is increased.

Here is a link if you would like to read about it.

I am not saying many people do not use a single Exchange server exposed to the world, but FE/BE is a more secure solution in addition to being more flexible and capable of greater performance.



Expert Comment

ID: 12406296
We shall have to agree to disagree on the DMZ status.

I personally like to have as few ports as possible open into the production network, whether this is internet to production or DMZ to production. 10 ports is 8 too many, and requires too many changes to the domain configuration that I am unhappy with - locking ports down from their dynamic settings. Most people who will do this will use the recommended ports in the MS KB article, further reducing the security.

I do not think that a domain member belongs in the DMZ under ANY circumstances. While you can secure the open ports by locking them down to IP addresses etc. in the firewall, that doesn't help if an attacker compromises the machine in the DMZ. They can walk straight into your production network. Not good. Limiting the open ports to just 443 and 25 means that it is much more difficult for the network to be compromised.
When MS Exchange edge services arrive I may adjust my opinion, if edge services don't require the server to be a member of a domain.

If you want to put something in between the Internet and production for email (not OWA), then a Windows 2003 server locked down in a workgroup with SMTP installed makes an excellent relay machine. I have deployed a couple of those with great success. HTTPS still needs to come in direct due to the AD integration.

The Exchange 2003 version of that article can be found here: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx
Although naturally MS also recommend using ISA Server, but I think the least we say about that the better.
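The two designs argued over in this thread, as an added example that is not from any of the posts: a small audit of a constructed firewall ruleset that flags anything reaching the LAN beyond the 443/25 allowlist Simon argues for, including the wide dynamic RPC range a domain-member front end would need. Zone names, the rule format and the FE/BE port list are assumptions made for this example.

```python
# Added example, not from the thread. Rule format, zone names and the FE/BE
# port list are assumptions; the allowlist is the "only 443 and 25" stance above.
from dataclasses import dataclass

ALLOWED_TO_LAN = {443, 25}  # HTTPS and SMTP are the only ports allowed into production
WIDE_RANGE = 64             # broader than this into the LAN is treated as a dynamic range

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port_lo: int
    port_hi: int

def audit(rules):
    """Return one finding per rule that admits traffic into the LAN outside the
    443/25 allowlist, or that opens a wide (dynamic RPC style) port range."""
    findings = []
    for r in rules:
        if r.dst_zone != "lan":
            continue  # traffic that never reaches the production network is fine
        width = r.port_hi - r.port_lo + 1
        if width > WIDE_RANGE:
            findings.append(f"{r.src_zone}->lan {r.port_lo}-{r.port_hi}: wide range ({width} ports)")
            continue
        extra = sorted(set(range(r.port_lo, r.port_hi + 1)) - ALLOWED_TO_LAN)
        if extra:
            findings.append(f"{r.src_zone}->lan ports {extra} not in allowlist")
    return findings

# Constructed design 1: single Exchange server, two holes straight from the Internet.
SINGLE_BOX = [Rule("internet", "lan", 443, 443), Rule("internet", "lan", 25, 25)]

# Constructed design 2: FE/BE with the front end as a domain member in the DMZ.
# The port list is an assumption illustrating the "about 10 ports" mentioned above
# (DNS, Kerberos, RPC endpoint mapper, LDAP/GC, SMB, back-end HTTP, dynamic RPC).
FE_BE = [
    Rule("internet", "dmz", 443, 443),
    Rule("dmz", "lan", 53, 53), Rule("dmz", "lan", 88, 88),
    Rule("dmz", "lan", 135, 135), Rule("dmz", "lan", 389, 389),
    Rule("dmz", "lan", 445, 445), Rule("dmz", "lan", 3268, 3268),
    Rule("dmz", "lan", 80, 80),          # front end proxying OWA to the back end
    Rule("dmz", "lan", 1024, 65535),     # dynamic RPC range unless locked down
]

if __name__ == "__main__":
    for name, design in (("single box", SINGLE_BOX), ("FE/BE", FE_BE)):
        print(name, audit(design) or "only 443/25 reach the LAN")
```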


Expert Comment

ID: 12406363
I had the 2000 version on my laptop already...  

So in all I hope we answered your question there evolution.

If you are tight on cash go with a single Exchange box and a stronger firewall. Or just a correctly configured firewall.

The reality is that even Microsoft and Cisco get hacked now and again. If you are working at the NSA or FBI good luck, if you are at "ABC we make stuff" chances are you are not on anyone's target list.

In addition you can always phase in 1 or many front end servers down the road depending on your needs.

There are also great examples provided in the documents above to help you finish up a design.



Author Comment

ID: 12412464
It was a hard decision on whose answer to accept. If I could, I would have given both of you 500 points. Simon, thanks for the tip for SSL. Yes, I have considered both situations and both of you do have valid arguments (however I could not figure out the Web Server/OWA question. THANKS!!!). I wanted to confirm that there was not something I was missing that would make one or the other the most secure. I too fret about having a domain member in the DMZ, but on the other hand, I am a bit concerned about opening up a direct path to the LAN, even though it is just 443 & 25. I am a strong believer in that "where there is a will there is a way", regardless of which ports are closed or open. I had not considered the Enterprise and the Standard mixture. Good thinking. I am still unsure of which way I will go. It sounds like (FE/BE) is going to be more expensive, but it would eliminate the straight path to the network. However, just opening up 2 ports to the LAN sounds a lot more attractive. Maybe I will just flip a coin.
Thanks again gentlemen,

