How do I implement OWA on my company network?

My firm has 150 employees which I need to give access to email via OWA.
I am currently running 1 x Exchange 2003 Standard Server (backend server).
I have purchased a pc with a quad core processor and 4gb of ram to serve as my frontend server.
I want to also put in an ISA server for security as we are an investment firm dealing with highly confidential information.

What do I need to install on the frontend server so it can relay messages?
If an ISA server is in place do I still need to set up SSL encryption?
Will the ISA server have to be installed on the DMZ zone or internal network?
What else will be effected with an ISA server in place eg internet? As I understand the ISA server acts as a firewall which will open and close ports as and when needed.
gpersand Asked:

Redwulf__53 Commented:
I may be shot down for this, but in my opinion a DMZ is not quite necessary, especially with Exchange 2003 it becomes overly complex without much added security, if the publishing is done with ISA. In that case, using a Front End server is only to offload the required performance from the Mailbox server.
In Exchange 2007, it is possible to implement a secure Front End (called Edge Transport server) that can easily be placed in a DMZ. Even if that machine is compromised, it won't open up the LAN for the hacker as it has no authentication crossover to the Exchange production environment (separated Directory services). In Exchange 2003, if the front end server is a domain member, hacking that machine will open a path into the LAN because authentication is open to the Back End.
Hope this makes sense.


Redwulf__53 Commented:
1. Relay: As long as your Frontend server will only function as OWA server (IIS) it is not actually relaying messages, so no additional configuration required.
2. SSL: yes you should at least configure the Listener in ISA to only accept SSL (and therefore import a valid certificate in the ISA server itself). Preferably, also configure the connection between ISA and OWA to be encrypted (this is called "SSL Bridge")
3. DMZ/internal: depends... if your ISA is not multihomed and not a member of the domain it might be more secure to place it in the DMZ. If it is a member of the domain, you would need to open so many ports from the DMZ to the LAN that most security advantages are broken down anyway. Personally, I think the DMZ concept is obsolete for this type of configuration.
4. Yes ISA is a very advanced firewall. You can use it as a secure door between your LAN and the Internet, and you create rules to allow or block specific traffic. I'm not sure what info you are specifically looking for with your question...

gpersand (Author) Commented:
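As an added example that is not part of the original thread: a small Python check for point 2 above, run from outside the network, that verifies the published OWA name refuses plain HTTP and presents a valid, unexpired certificate for that name. The hostname is a placeholder; whether SSL bridging between ISA and OWA is configured cannot be seen from outside and has to be checked on the ISA server itself.

```python
import socket
import ssl
import time

def probe_owa(host, https_port=443, http_port=80, timeout=5):
    """Probe the published OWA hostname from outside and return raw observations."""
    obs = {"http_open": False, "cert": None, "tls_error": None}
    try:
        with socket.create_connection((host, http_port), timeout=timeout):
            obs["http_open"] = True  # a plain-HTTP listener answers: not SSL-only
    except OSError:
        pass  # port 80 closed or filtered, which is the desired state
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, https_port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                obs["cert"] = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        obs["tls_error"] = str(exc)
    return obs

def evaluate(obs, host, now=None, warn_days=30):
    """Turn observations into findings. Pure, so it can be tested offline."""
    now = time.time() if now is None else now
    findings = []
    if obs["http_open"]:
        findings.append("plain HTTP reachable on port 80: restrict the ISA listener to SSL only")
    if obs["tls_error"]:
        findings.append("TLS handshake failed: " + obs["tls_error"])
        return findings
    cert = obs["cert"] or {}
    if "notAfter" not in cert:
        findings.append("no certificate returned by the HTTPS listener")
        return findings
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if host not in names:
        findings.append("certificate does not name %s (SAN: %s)" % (host, sorted(names)))
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < warn_days:
        findings.append("certificate expires in %d days" % days_left)
    return findings

if __name__ == "__main__":
    OWA_HOST = "owa.example.invalid"  # placeholder: your published OWA name
    for line in evaluate(probe_owa(OWA_HOST), OWA_HOST) or ["no findings"]:
        print(line)
```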
Am I correct in saying that it is ok to put the ISA server in the DMZ as long as it is not joined to the domain?

If this is done, should I put the front and backend servers on the internal domain network?

Do I have to have a frontend server or will an ISA and backend be secure enough?

gpersand (Author) Commented:
I am using Exchange 2003.
Are you saying that using a ISA server and a backend server is all that is needed?
Will the network be secure if the ISA server is not in the DMZ?

Redwulf__53 Commented:
All I am saying is that I personally do not see any REAL additional security in placing the front end in DMZ. Why? because the front end will need a LOT of communication channels to your LAN, so you would need to open many many ports between the DMZ and the LAN, and that leaves you a lot less secure than you would think.

The attack surface a hacker has is the same as when it's not in a DMZ (hack IIS> get user account info > execute code on the OWA server > into the network)

Configuring a DMZ would cost you an additional 4 to 8 hours of work at least. For something that only looks good on paper in a network diagram.

Time that is better invested in locking down the OWA server with all OS and application updates, security policy, anti-virus and local firewall.

I'd like to add that NO system is ever 100% secure.



Redwulf__53 Commented:
If you DO want to go for a DMZ setup, here is a good article, which lists all the ports you need to open between the LAN and DMZ:

http://www.isaserver.org/articles/2004dmzfebe.html
