Gavin Tech
asked on
How do I implement OWA on my company network?
My firm has 150 employees whom I need to give access to email via OWA.
I am currently running 1 x Exchange 2003 Standard Server (backend server).
I have purchased a PC with a quad core processor and 4 GB of RAM to serve as my frontend server.
I want to also put in an ISA server for security as we are an investment firm dealing with highly confidential information.
What do I need to install on the frontend server so it can relay messages?
If an ISA server is in place do I still need to set up SSL encryption?
Will the ISA server have to be installed on the DMZ zone or internal network?
What else will be affected with an ISA server in place, e.g. internet? As I understand, the ISA server acts as a firewall which will open and close ports as and when needed.
ASKER
Am I correct in saying that it is ok to put the ISA server in the DMZ as long as it is not joined to the domain?
If this is done, should I put the front and backend servers on the internal domain network?
Do I have to have a frontend server or will an ISA and backend be secure enough?
ASKER
I am using Exchange 2003.
Are you saying that using an ISA server and a backend server is all that is needed?
Will the network be secure if the ISA server is not in the DMZ?
All I am saying is that I personally do not see any REAL additional security in placing the front end in DMZ. Why? Because the front end will need a LOT of communication channels to your LAN, so you would need to open many, many ports between the DMZ and the LAN, and that leaves you a lot less secure than you would think.
The attack surface a hacker has is the same as when it's not in a DMZ (hack IIS > get user account info > execute code on the OWA server > into the network).
Configuring a DMZ would cost you an additional 4 to 8 hours of work at least. For something that only looks good on paper in a network diagram.
Time that is better invested in locking down the OWA server with all OS and application updates, security policy, anti-virus and local firewall.
I'd like to add that NO system is ever 100% secure.
If you DO want to go for a DMZ setup, here is a good article, which lists all the ports you need to open between the LAN and DMZ:
http://www.isaserver.org/articles/2004dmzfebe.html
2. SSL: yes, you should at least configure the Listener in ISA to only accept SSL (and therefore import a valid certificate in the ISA server itself). Preferably, also configure the connection between ISA and OWA to be encrypted (this is called "SSL Bridge").
3. DMZ/internal: depends... if your ISA is not multihomed and not a member of the domain, it might be more secure to place it in DMZ. If it is a member of the domain, you would need to open so many ports from the DMZ to the LAN that most security advantages are broken down anyway. Personally, I think the DMZ concept is obsolete for this type of configuration.
4. Yes, ISA is a very advanced firewall. You can use it as a secure door between your LAN and the Internet, and you create rules to allow or block specific traffic. I'm not sure what info you are specifically looking for with your question...
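
One way to verify point 2 from outside once the listener is published, as an added example that is not part of the original thread: it checks that the published name does not serve OWA over plain HTTP and that the HTTPS listener presents a certificate that validates. The host name `owa.example.com`, the `/exchange/` path and all function names are assumptions made for this example.

```python
import socket
import ssl

OWA_PATH = "/exchange/"  # assumption: default Exchange 2003 OWA virtual directory

def probe_plain_http(host, port=80, timeout=5.0):
    """Classify what the published name does with an unencrypted request."""
    request = f"HEAD {OWA_PATH} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = sock.recv(4096).decode("latin-1")
    except OSError:
        return "closed"            # nothing listening, or filtered
    if not reply:
        return "closed"            # accepted, then dropped without answering
    lines = reply.split("\r\n")
    parts = lines[0].split()
    status = parts[1] if len(parts) > 1 else ""
    location = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("location:")), "")
    if status in ("301", "302", "307", "308") and location.lower().startswith("https://"):
        return "redirects-to-https"
    return "serves-plaintext"

def probe_tls(host, port=443, timeout=5.0, context=None):
    """Handshake with full chain and host-name validation, as a browser would."""
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLError as exc:    # must precede OSError: SSLError subclasses it
        return ("fail", f"tls: {type(exc).__name__}")
    except OSError as exc:
        return ("fail", f"connect: {type(exc).__name__}")

def audit_listener(host, http_port=80, https_port=443):
    """Return findings; empty means no plain-HTTP content and a valid certificate."""
    findings = []
    if probe_plain_http(host, http_port) == "serves-plaintext":
        findings.append("plain HTTP is served on the published name")
    tls_state, detail = probe_tls(host, https_port)
    if tls_state != "ok":
        findings.append(f"HTTPS listener failed validation ({detail})")
    return findings

if __name__ == "__main__":
    # owa.example.com is a placeholder, not a name from the thread
    print(audit_listener("owa.example.com"))
```

Run it from a machine outside the firewall so the result reflects what the Internet-facing listener actually exposes.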