
How can I deploy an OWA access server in DMZ?

vijitc asked
We have Windows 2003 servers in both the private zone and the DMZ. The two zones are on different network subnets and are linked by a Unix firewall/VPN. The DCs, file servers, MS Exchange (on one of the DCs) and DB servers are in the private zone, and the web servers are in the DMZ.
I'd like to set up an OWA access server in the DMZ because we only place servers that are accessed from outside in the DMZ. I need to install MS Exchange 2003 on a Windows 2003 box in the DMZ to get OWA working there. I have a couple of questions:

1) Is this Exchange 2003 server, which only provides the OWA service, considered a Front-End Exchange server?
2) An Exchange 2003 server has to be installed on a domain member. Is it safe to have a domain member server in the DMZ?
3) I read some tech articles that strongly suggest never putting an Exchange server in the DMZ. If so, how and where can I deploy OWA?
4) Any special rules I have to set on firewall?

Thanks a lot!!!

I would discourage you from putting a domain server in the DMZ, and there's not really a need to run your OWA in the DMZ. I would suggest running your OWA server on the inside of your network and using an SSL vpn to access it. This can be configured via Cisco ASA or VPN Concentrator. I'm sure there are other devices that will do this as well, but I'm most familiar with Cisco products. Here's an article on SSL VPN using the Cisco ASA.
I would agree with stuknhawaii, refrain from putting this in the DMZ. It is easy to set up OWA. Set up a second Exchange server the same way you set up any Exchange server. Choose the option to have the new server as the front end and the old server as the back end.

In the Exchange System Manager of the new (OWA) server, go to System Manager, Servers, and pick the new server (OWA). Right-click on the server and you should see the option to make this the front end.

Make sure that on the new (OWA) server you have IIS installed. I would also suggest using an SSL connection for the OWA server and then just open the firewall to that IP address on port 443 only, and make sure you have a public IP address to NAT this box to.

I always stayed away from OWA since I thought it would be difficult, but it was easy.

I was up against the same dilemma. What I did was ...

1. Get an external IP address and DNS "A" record assigned (i.e. webmail.domain.com).
2. Add the external IP address to the firewall and allow ports 80 & 443 to forward to the Exchange server.
3. Create a CSR for a 3rd-party SSL cert for webmail.domain.com. I recommend Entrust.
4. Configure Exchange for ActiveSync.
5. Install the SSL cert on the website, once available from Entrust (takes around 24-48 hours after the CSR).
6. Test OWA and ActiveSync.

If you already have an IP configured on your current firewall, then you can add what I call a virtual IP on the OUTSIDE interface and only allow 443/80 traffic to route to the Exchange server IP. The SSL cert will secure the rest. Make sure you get your cert from a cert vendor who is compliant with Microsoft.

If you use a PIX try this...

access-list INBOUND permit tcp any host "Primary Outside Interface IP" eq smtp
access-list INBOUND permit tcp any host "Primary Outside Interface IP" eq https
access-list INBOUND permit tcp any host "Primary Outside Interface IP" eq 4444
access-list INBOUND permit tcp any host "Virtual IP" eq 80
access-list INBOUND permit tcp any host "Virtual IP" eq 443
access-list INBOUND permit icmp any any
! The list only takes effect once it is bound to the outside interface
access-group INBOUND in interface outside

! Single-host static NAT; the netmask for one host is always 255.255.255.255
static (inside,outside) "Virtual IP" "Exchange Server IP" netmask 255.255.255.255

This should do the trick. You will then need to update your DNS so that webmail.domain.com points to the virtual IP.

Hope this helps!
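The rules above expose both 80 and 443 on the virtual IP, while the earlier answer recommends opening port 443 only. The following audit script is an added example (not from any poster on this page) that parses PIX-style `access-list` lines and reports anything reachable on the OWA virtual IP beyond HTTPS, plus any-to-any permits; the host tokens `OUTSIDE_IP` and `VIRTUAL_IP` are constructed placeholders standing in for the quoted addresses.

```python
import re
from collections import defaultdict

# Constructed input: the rules from the answer above, with the quoted
# placeholder addresses replaced by single tokens so they parse cleanly.
PIX_RULES = """
access-list INBOUND permit tcp any host OUTSIDE_IP eq smtp
access-list INBOUND permit tcp any host OUTSIDE_IP eq https
access-list INBOUND permit tcp any host OUTSIDE_IP eq 4444
access-list INBOUND permit tcp any host VIRTUAL_IP eq 80
access-list INBOUND permit tcp any host VIRTUAL_IP eq 443
access-list INBOUND permit icmp any any
"""

# Service names as PIX prints them, mapped to port numbers.
SERVICE_PORTS = {"smtp": 25, "http": 80, "www": 80, "https": 443}

# One access-control entry: permit <proto> any {host <dst> | any} [eq <port>]
ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+any\s+"
    r"(?:host\s+(?P<host>\S+)|any)(?:\s+eq\s+(?P<port>\S+))?$"
)

def parse_acl(text):
    """Return {destination: {(proto, port), ...}} for every permit ACE."""
    exposed = defaultdict(set)
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue  # deny lines, remarks and anything unparsed are skipped
        port = m.group("port")
        if port is not None:
            port = SERVICE_PORTS.get(port, port)
            if isinstance(port, str) and port.isdigit():
                port = int(port)
        exposed[m.group("host") or "any"].add((m.group("proto"), port))
    return exposed

def audit_owa_host(text, owa_host, allowed=frozenset({("tcp", 443)})):
    """List findings: services on the OWA virtual IP beyond HTTPS, and
    permits that apply to every destination host."""
    exposed = parse_acl(text)
    findings = []
    for proto, port in sorted(exposed.get(owa_host, ()), key=str):
        if (proto, port) not in allowed:
            findings.append(f"{owa_host}: {proto}/{port} exposed beyond HTTPS")
    for proto, port in sorted(exposed.get("any", ()), key=str):
        findings.append(f"any host: {proto}/{port or 'all'} permitted from any source")
    return findings
```

Run `audit_owa_host(PIX_RULES, "VIRTUAL_IP")` to see the two findings for the rules as posted; an empty list means the virtual IP exposes HTTPS only.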
