How do I implement OWA on my company network?

My firm has 150 employees to whom I need to give access to email via OWA.
I am currently running 1 x Exchange 2003 Standard Server (backend server).
I have purchased a PC with a quad-core processor and 4 GB of RAM to serve as my frontend server.
I want to also put in an ISA server for security as we are an investment firm dealing with highly confidential information.

What do I need to install on the frontend server so it can relay messages?
If an ISA server is in place, do I still need to set up SSL encryption?
Will the ISA server have to be installed in the DMZ or on the internal network?
What else will be affected with an ISA server in place, e.g. Internet access? As I understand it, the ISA server acts as a firewall which will open and close ports as and when needed.
1. Relay: As long as your Frontend server will only function as an OWA server (IIS), it is not actually relaying messages, so no additional configuration is required.
2. SSL: yes, you should at least configure the Listener in ISA to only accept SSL (and therefore import a valid certificate into the ISA server itself). Preferably, also configure the connection between ISA and OWA to be encrypted (this is called "SSL bridging").
3. DMZ/internal: depends... if your ISA is not multihomed and not a member of the domain, it might be more secure to place it in the DMZ. If it is a member of the domain, you would need to open so many ports from the DMZ to the LAN that most security advantages are broken down anyway. Personally, I think the DMZ concept is obsolete for this type of configuration.
4. Yes, ISA is a very advanced firewall. You can use it as a secure door between your LAN and the Internet, and you create rules to allow or block specific traffic. I'm not sure what info you are specifically looking for with your question...
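A way to verify points 2 and 4 once the listener is published, written as an added example for this thread (it is not ISA or Exchange code, and the public name owa.example.com and the /exchange/ path are placeholders): the plaintext port 80 listener must only ever redirect to https://, the certificate presented on 443 must be valid for the public name and not close to expiry, and an anonymous request to the OWA path must be challenged (401) or sent to a logon form rather than answered with mailbox content. The classification helpers are pure functions so they can be checked against constructed responses; only the two probe_* functions touch the network.

```python
"""Post-deployment checks for an OWA site published through an SSL-only ISA
listener.  Added example for this thread, not ISA or Exchange code; standard
library only.  Host name and path below are placeholders."""
import http.client
import socket
import ssl
import sys
import time

OWA_PATH = "/exchange/"          # classic Exchange 2003 OWA virtual directory


def hostname_matches(hostname, cert):
    """True if hostname is covered by the certificate's DNS SANs (CN as a
    fallback for old certs).  A wildcard matches exactly one leftmost label."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def cert_days_left(cert, now=None):
    """Days until notAfter; negative means the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def classify_plaintext(status, headers):
    """What the :80 listener did with a plaintext request.  Only a redirect
    to https:// is acceptable; anything else means OWA is reachable in clear."""
    if status is None:
        return "closed"
    location = headers.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "redirect-to-https"
    return "plaintext-served"


def classify_anonymous(status, headers, body):
    """What an unauthenticated GET of the OWA path produced.  The body check
    for a logon form is a heuristic for ISA/OWA forms-based authentication."""
    if status == 401 and "www-authenticate" in headers:
        return "challenged"                      # Basic/Integrated auth prompt
    if status in (302, 303) and "logon" in headers.get("location", "").lower():
        return "forms-logon"
    if status == 200 and "logon" in body.lower():
        return "forms-logon"
    if status == 200:
        return "open"                            # content served without auth
    return "other-%s" % status


def lower_headers(resp):
    return {k.lower(): v for k, v in resp.getheaders()}


def probe_plaintext(host, timeout=5):
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", OWA_PATH)
        resp = conn.getresponse()
        return classify_plaintext(resp.status, lower_headers(resp))
    except (OSError, http.client.HTTPException):
        return classify_plaintext(None, {})


def probe_tls(host, timeout=5):
    ctx = ssl.create_default_context()   # chain still verified against roots
    ctx.check_hostname = False           # report a name mismatch as a finding
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    conn.connect()
    cert = conn.sock.getpeercert()
    findings = {
        "protocol": conn.sock.version(),
        "hostname_ok": hostname_matches(host, cert),
        "days_left": cert_days_left(cert),
    }
    conn.request("GET", OWA_PATH)
    resp = conn.getresponse()
    body = resp.read(4096).decode("utf-8", "replace")
    findings["anonymous"] = classify_anonymous(resp.status, lower_headers(resp), body)
    conn.close()
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "owa.example.com"  # placeholder
    print("plaintext :80 ->", probe_plaintext(target))
    for key, value in probe_tls(target).items():
        print("%-12s %s" % (key, value))
```

Run it from outside the firewall against the published name. "plaintext-served" or "open" is a finding to fix before go-live; "hostname_ok False" means the certificate imported into ISA was issued for a different name than the one users will type.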
gpersand (Author) Commented:
Am I correct in saying that it is OK to put the ISA server in the DMZ as long as it is not joined to the domain?

If this is done, should I put the front-end and back-end servers on the internal domain network?

Do I have to have a frontend server or will an ISA and backend be secure enough?
I may be shot down for this, but in my opinion a DMZ is not quite necessary, especially with Exchange 2003: it becomes overly complex without much added security if the publishing is done with ISA. In that case, using a Front End server is only to offload the required performance from the Mailbox server.
In Exchange 2007, it is possible to implement a secure Front End (called Edge Transport server) that can easily be placed in a DMZ. Even if that machine is compromised, it won't open up the LAN for the hacker as it has no authentication crossover to the Exchange production environment (separated Directory services). In Exchange 2003, if the front end server is a domain member, hacking that machine will open a path into the LAN because authentication is open to the Back End.
Hope this makes sense.

gpersand (Author) Commented:
I am using Exchange 2003.
Are you saying that using an ISA server and a backend server is all that is needed?
Will the network be secure if the ISA server is not in the DMZ?
All I am saying is that I personally do not see any REAL additional security in placing the front end in the DMZ. Why? Because the front end will need a LOT of communication channels to your LAN, so you would need to open many, many ports between the DMZ and the LAN, and that leaves you a lot less secure than you would think.

The attack surface a hacker has is the same as when it's not in a DMZ (hack IIS > get user account info > execute code on the OWA server > into the network)

Configuring a DMZ would cost you an additional 4 to 8 hours of work at least. For something that only looks good on paper in a network diagram.

Time that is better invested in locking down the OWA server with all OS and application updates, security policy, anti-virus and local firewall.

I'd like to add that NO system is ever 100% secure.

If you DO want to go for a DMZ setup, here is a good article, which lists all the ports you need to open between the LAN and DMZ:
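To make the "many, many ports" point concrete, here is an added example for this thread (not the article referred to above, whose link has not survived, and not Microsoft code) that models the flows a DMZ firewall has to allow from a domain-joined Exchange 2003 front end to the LAN, compares them with what a non-domain ISA reverse proxy needs, and checks a proposed DMZ policy for gaps. The port list is the usual set from Microsoft's Exchange 2003 front-end/back-end topology guidance as I know it (check it against the current guide for your build); note in particular that the front-end to back-end OWA leg runs over HTTP port 80, since Exchange 2003 does not support SSL on that hop, so "SSL bridging" at ISA does not encrypt that segment.

```python
"""Models DMZ-to-LAN flows for a domain-joined Exchange 2003 front end versus
a non-domain ISA reverse proxy, and checks a proposed policy against them.
Added example for this thread; the port list is the usual set from Microsoft's
Exchange 2003 front-end/back-end topology guidance, not a quoted source."""
from collections import namedtuple

Flow = namedtuple("Flow", "proto lo hi purpose")

# What a domain member running the Exchange 2003 front-end role must reach.
DOMAIN_JOINED_FRONT_END = [
    Flow("tcp", 80, 80, "HTTP proxy to the back end (FE/BE leg cannot use SSL)"),
    Flow("tcp", 53, 53, "DNS"),
    Flow("udp", 53, 53, "DNS"),
    Flow("tcp", 88, 88, "Kerberos"),
    Flow("udp", 88, 88, "Kerberos"),
    Flow("tcp", 389, 389, "LDAP to domain controllers"),
    Flow("udp", 389, 389, "LDAP ping / DC locator"),
    Flow("tcp", 3268, 3268, "LDAP to the global catalog"),
    Flow("tcp", 135, 135, "RPC endpoint mapper"),
    Flow("tcp", 1024, 65535, "RPC dynamic ports (DSAccess, Netlogon)"),
    Flow("tcp", 445, 445, "SMB (Netlogon, Group Policy)"),
    Flow("udp", 123, 123, "NTP to the domain time source"),
]

# A workgroup ISA box publishing OWA with SSL bridging.  If ISA must validate
# credentials itself (forms-based auth) add one RADIUS or LDAP flow to that.
NON_DOMAIN_ISA_PROXY = [
    Flow("tcp", 443, 443, "HTTPS to the internal OWA server (SSL bridging)"),
]


def ports_opened(flows):
    """Distinct (proto, port) pairs the flows open towards the LAN."""
    return {(f.proto, p) for f in flows for p in range(f.lo, f.hi + 1)}


def covered(need, policy):
    """True if some single policy rule allows the whole needed range."""
    return any(r.proto == need.proto and r.lo <= need.lo <= need.hi <= r.hi
               for r in policy)


def policy_gaps(needs, policy):
    """Needed flows the proposed policy does not allow."""
    return [n for n in needs if not covered(n, policy)]


def summarize(name, flows, wide_threshold=1000):
    """Rule count, distinct ports opened, and rules spanning a wide range."""
    return {
        "name": name,
        "rules": len(flows),
        "ports": len(ports_opened(flows)),
        "wide_rules": [f.purpose for f in flows if f.hi - f.lo >= wide_threshold],
    }


if __name__ == "__main__":
    for label, flows in (("domain-joined front end in DMZ", DOMAIN_JOINED_FRONT_END),
                         ("non-domain ISA proxy in DMZ", NON_DOMAIN_ISA_PROXY)):
        print(summarize(label, flows))

    # Constructed "tight" policy that only opens the well-known ports; the
    # check shows why a domain member does not work behind such a policy.
    tight = [f for f in DOMAIN_JOINED_FRONT_END if f.hi - f.lo < 1000]
    for gap in policy_gaps(DOMAIN_JOINED_FRONT_END, tight):
        print("missing:", gap.proto, gap.lo, gap.hi, gap.purpose)
```

The dynamic RPC range can be narrowed with the registry settings Microsoft documents for RPC, but it stays a range of hundreds of ports; the comparison is what the answer above means by the DMZ boundary being largely nominal for a domain-joined front end.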

Microsoft Forefront ISA Server