Solved

Exchange 2003 OWA over PIX 515

Posted on 2006-06-21
Last Modified: 2009-12-16
Hi

I need to provide OWA access to my roaming clients; they will be accessing published Exchange, probably a front-end server, via a public network (via Internet). My Exchange and ISA 2000 server are on the "inside" interface of the PIX 515, and I am using a TREND ISVW as my SMTP gateway, which is in the DMZ, to forward all SMTP traffic to the "inside" Exchange server. But now all my roaming clients cannot access WEBMAIL or OWA since there is no published server in our network. I was thinking of having a Front-End in the "inside" network which will be published over ISA, but our IT audit team is against having connections to the "inside" network. They are suggesting using the DMZ for web mail, but I am not convinced by their recommendation since there can be loopholes as well. I hope experts could help me in finding a solution to my requirement. As an option I can think of another web mail product, but I was impressed with the 2003 OWA interface. Please help me to find a proper solution without compromising the security side of the network.

Question by:virajw2310
LVL 4

Expert Comment

by:ganongj
ID: 16950755
virajw,

I had the same issue, I went with purchasing a certificate from Verisign and making OWA accessible through https.  This is port 443 with very secure communications.  Your audit team should see this as being ok.

Regards,

Jim
0
 
LVL 7

Expert Comment

by:cvanhoudt
ID: 16951258
What do they mean by the "DMZ for WEBMAIL"? If they suggest putting a front-end Exchange server in your DMZ, ask them to explain why they think this setup is more secure than putting an ISA server on the DMZ, on which you publish your OWA?

Keep in mind that a front-end Exchange server (as any other Exchange server) is a domain member server in your AD and that it therefore requires access to that same AD. This means opening up ports between DMZ and internal network.
Should you place an ISA (or other reverse proxy server) in the DMZ, you can use a stand-alone machine (no access to AD required), which publishes your OWA website. The reverse proxy server will point you to the Exchange server (if there is only one) or to the front-end Exchange server on your internal network. I believe this is a better practice than placing an Exchange FE on your DMZ.
And like Jim suggests above, use SSL instead of basic HTTP (either using a commercial certificate or by issuing your own - depending on the needs and policies of your company).


Cheers,
Kris
0
 

Author Comment

by:virajw2310
ID: 16956313
Ganongj,

Thanks, but in your case where did you place your Exchange and ISA? Even I would like to keep all servers inside the network 'cos it will create a more secure connection (I guess we could even filter our incoming traffic via ISA). And I would like to get some reference documents which I can refer to before I do my installation.

Thanks
Viraj  
0
 

Author Comment

by:virajw2310
ID: 16956336
Kris

I do agree with your point, but what is your advice on running ISA on the "inside" and publishing OWA allowing HTTPS or SSL? But I am not sure how you could do this setup. Please advise accordingly.

Thanks
Viraj
0
 
LVL 7

Accepted Solution

by:
cvanhoudt earned 2000 total points
ID: 16957789
Viraj,

I would keep the Exchange servers on the internal network (back-end or front-end).
The reverse proxy server (ISA or whatever other kind) can be placed on the DMZ; you can publish our OWA website on that ISA. The OWA clients communicate with the server on the DMZ, which proxies requests to the internal network. There is no direct traffic between the outside world and your internal network this way.

You can find more info here:
http://www.petri.co.il/publishing_owa_with_isa2004.htm
http://www.msexchange.org/tutorials/pubowa2003part1.html
http://www.msexchange.org/tutorials/pubowa2003part2.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;837354
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx

Cheers,
Kris
0
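The design in the accepted answer can be checked against a firewall rule set. The sketch below is an added example, not part of any post in this thread: it parses simplified PIX-style `access-list` lines and flags every permit that is not "Internet to proxy on 443" or "proxy to internal Exchange on 443". The ACL names, all addresses and the choice of 443 for the proxy-to-Exchange leg are constructed assumptions.

```python
PORT_NAMES = {"https": 443, "www": 80, "ldap": 389, "domain": 53}  # PIX port keywords

def parse_acl(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' (host/any forms only)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"unsupported line: {line!r}")
    name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
    addrs = []
    for _ in range(2):  # source first, then destination
        word = rest.pop(0) if rest else ""
        if word == "any":
            addrs.append("any")
        elif word == "host" and rest:
            addrs.append(rest.pop(0))
        else:
            raise ValueError(f"unsupported address in: {line!r}")
    port = None  # stays None for anything other than 'eq PORT', which is then flagged
    if len(rest) == 2 and rest[0] == "eq":
        port = int(PORT_NAMES.get(rest[1], rest[1]))
    return name, action, proto, addrs[0], addrs[1], port

def audit(lines, proxy_public, proxy_dmz, exchange_inside):
    """Return one finding per permit that breaks 'proxy in DMZ, Exchange inside'."""
    allowed = {  # assumed ACL names, one per PIX interface
        "outside_in": ("tcp", "any", proxy_public, 443),
        "dmz_in": ("tcp", proxy_dmz, exchange_inside, 443),
    }
    findings = []
    for line in lines:
        name, action, proto, src, dst, port = parse_acl(line)
        if action == "permit" and name in allowed and (proto, src, dst, port) != allowed[name]:
            findings.append(f"{name}: unexpected permit {proto} {src} -> {dst} port {port}")
    return findings

# Constructed sample: reverse proxy in the DMZ, Exchange on the inside network.
PROXY_IN_DMZ = [
    "access-list outside_in permit tcp any host 203.0.113.10 eq https",
    "access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.20 eq 443",
]
# Constructed sample: a domain-member front-end in the DMZ needs AD ports to a DC.
FRONT_END_IN_DMZ = [
    "access-list outside_in permit tcp any host 203.0.113.10 eq https",
    "access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 88",
    "access-list dmz_in permit udp host 192.168.10.5 host 10.0.0.10 eq domain",
    "access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq ldap",
    "access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 3268",
    "access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 135",
    "access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.20 eq www",
]
ARGS = ("203.0.113.10", "192.168.10.5", "10.0.0.20")

if __name__ == "__main__":
    print(audit(PROXY_IN_DMZ, *ARGS))
    print("\n".join(audit(FRONT_END_IN_DMZ, *ARGS)))
```

The second rule set produces a finding for every DMZ-to-inside opening a domain-member front-end would need, which is the trade-off raised earlier in the thread.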
