Solved

OWA in Exchange 2007 - is this secure enough?

Posted on 2008-02-11
Last Modified: 2012-06-27
I have been researching the best/cost effective/secure way to implement OWA and have come to the conclusion that installing Exchange 2007 and using a secure frontend (Edge transport) server will be my best option.

Will this method be secure enough and why?
Where should the frontend server sit eg internal network or DMZ? (why?)
Question by:gpersand
18 Comments
 
LVL 6

Expert Comment

by:Spot_The_Cat
ID: 20866177
It should sit in the DMZ or perimeter network.

Best to switch off HTTP and just use HTTPS, as all traffic will be encrypted - this should stop man-in-the-middle attacks. If you're particularly worried about security you could implement third-party authentication like RSA tokens. You can also go further, but the more you tie down the security, the less functional it becomes.

Hope that helps.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20866206
The Edge Transport server isn't the same as the older E2003 FE server.  You can't use it to access OWA - it is an SMTP transport only.  You would need to install a CAS server in your DMZ, but that isn't officially supported.
0
 

Author Comment

by:gpersand
ID: 20866223
I'm confused now. How many servers do I need?
What is a CAS server?
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20866271
You can have everything (i.e. all roles) on one server, if that is sufficient for your requirements.  The CAS role is the Client Access Server role.  An Edge server is optional, and requires its own server.
0
 

Author Comment

by:gpersand
ID: 20866451
Is it secure to have the F-end server in the DMZ and the CAS on the B-end exchange server ?
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 20866561
There is no F-end server for Ex2007 (as LeeDerbyshire already mentioned), only the Edge Transport. MS recommends placing this in a DMZ. It only takes care of SMTP: (optional) antivirus and anti-spam. You will need to publish port 443 from the internet to a CAS server on the LAN... the most secure way to do this at the moment is through a Microsoft ISA server, as this firewall product does the most thorough checking of the traffic: the user logon takes place on the ISA server, so only HTTP(S) traffic of already authenticated users is allowed to be forwarded to the LAN.
0
 

Author Comment

by:gpersand
ID: 20866596
I thought that using a HTTPS Edge Transport server was secure and NO ISA server would be needed?
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20866639
Note that the Edge Transport server has nothing to do with OWA (I think that this is what you were originally asking about).  Some people put a CAS server in a DMZ, in an equivalent role to the old FE server.  This means that lots of ports then need to be opened up at the firewall.  This, plus the fact that it's unsupported, would be enough to dissuade me from doing it.  Your cheapest option is to pass port 443 (for SSL) into your existing server.  I would suggest that this is adequate for most small companies, since I don't believe there are any current IIS/SSL exploits out there.  Your most secure option (but obviously more expensive) is to add the aforementioned ISA server.
0
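Added example, not part of the thread: the "HTTPS only, pass TCP/443 to the CAS" setup that Spot_The_Cat and LeeDerbyshire describe above, checked from the Exchange Management Shell on the Client Access Server. The public name mail.example.com and the file paths are assumptions. Exchange 2007 Setup already marks /owa as requiring SSL, so the script verifies that rather than forcing it; the adsutil.vbs line is for IIS 6 on Windows Server 2003, with the IIS 7 equivalent in a comment. The port check at the end is written without try/catch so it also runs on the PowerShell 1.0 that shipped with Exchange 2007.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the Client Access Server. mail.example.com is an assumed public host name.
$externalHost = "mail.example.com"

# 1. Confirm this box actually holds the Client Access role (OWA lives there,
#    not on an Edge Transport server).
Get-ExchangeServer -Identity $env:COMPUTERNAME | Format-List Name, ServerRole

# 2. The certificate enabled for IIS must name the host users will type, or
#    browsers will warn and ActiveSync will refuse to sync.
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" }
$iisCert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned
$covered = $iisCert | Where-Object {
    ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $externalHost
}
if (-not $covered) {
    Write-Warning "No IIS certificate covers $externalHost. Request a CA-signed one, e.g.:"
    Write-Warning "New-ExchangeCertificate -GenerateRequest -SubjectName 'CN=$externalHost' -DomainName $externalHost -PrivateKeyExportable `$true -Path C:\owa.req"
    Write-Warning "Import-ExchangeCertificate -Path C:\owa.cer | Enable-ExchangeCertificate -Services IIS"
}

# 3. Advertise only the HTTPS URL for OWA.
Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -ExternalUrl "https://$externalHost/owa"
Get-OwaVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl

# 4. Make sure /owa still requires SSL (Setup sets this; confirm nobody loosened it).
#    IIS 6 on Windows Server 2003 - expect AccessSSL : (BOOLEAN) True
cscript //nologo $env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/owa/AccessSSL
#    IIS 7 on Windows Server 2008 equivalent - expect sslFlags containing "Ssl":
#    Import-Module WebAdministration
#    Get-WebConfigurationProperty -Filter system.webServer/security/access -Name sslFlags -PSPath "IIS:\Sites\Default Web Site\owa"

# 5. From a host on the Internet, only 443 should answer once the firewall rule
#    is in place. Plain .NET TcpClient so it runs on PowerShell 1.0 (no try/catch).
$savedEap = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"
foreach ($port in 80, 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($externalHost, $port)
    if ($tcp.Connected) { "$externalHost port $port open" }
    else { "$externalHost port $port closed or filtered" }
    $tcp.Close()
}
$ErrorActionPreference = $savedEap
```

Run step 5 from outside the perimeter, not from the LAN; the only line you want to see "open" is 443.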
 

Author Comment

by:gpersand
ID: 20873653
Sorry for being dumb but I have a few more questions to clarify the information above.

What do I need to make this work securely (how many servers)?
I know I will need 1 Exchange 2007 server. Is this the CAS as well?
What is the purpose of the CAS server?
As I understand it, I will need an Edge Transport server. Where does this sit?

Please make this simple as it is very confusing so far
eg dmz = edge transport, internal = cas, internal = exchange server  
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20873713
The CAS role takes care of client access, i.e. your users will connect Outlook to it, and use it for OWA.  In previous versions, it could be taken for granted that a single Exchange server could do this, as well as managing the Information store (now part of the Mailbox role), and handle mail flow (now part of the Hub Transport role).  MS have (perhaps confusingly) made it possible to separate all these roles into different servers, although the default installation choice will still put them all on one.  The Edge Transport isn't necessary, unless you want to prevent direct SMTP connections into your LAN.  It is just used to offload the tasks of virus scanning and spam blocking onto another server.  If you do have one, it is best placed in a DMZ.

Yes, it is confusing.  But most people just go for the single server setup.
0
 

Author Comment

by:gpersand
ID: 20873804
Please correct me if I am wrong:
1 x edge transport in DMZ (I would like to prevent direct smtp connections direct to the lan)
1 x CAS on lan (to help offload the stress on the exchage server)
1 x Exchange server on the LAN
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20873908
That is certainly a possibility.  Since E2007 makes it easy to separate roles in this way, it's entirely up to you how you organize things.  When you run the E2007 setup, you just select which roles you want to install.
0
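Added example, not part of the thread: the three-box layout gpersand proposes above (Edge Transport in the DMZ, CAS and Mailbox on the LAN), built with Exchange 2007's unattended Setup.com and an Edge Subscription so the Edge server never joins the domain. The server names MAIL01 and EDGE01, the AD site name, the D:\ media path and the file paths are assumptions, and so is the firewall table at the end, which lists only the ports this layout needs. The thread settles on one LAN server holding CAS, Hub and Mailbox, which is what the first Setup line installs.

```powershell
# Added example, not from the thread. MAIL01 (LAN, domain-joined), EDGE01 (DMZ,
# workgroup), the site name, D:\ and the file paths are all assumptions.

# --- MAIL01: Client Access + Hub Transport + Mailbox on one domain-joined box ---
# Arguments are quoted so PowerShell does not split the comma list into separate
# arguments (run from cmd.exe the quotes are unnecessary).
# D:\Setup.com '/mode:Install' '/roles:ClientAccess,HubTransport,Mailbox'

# --- EDGE01: Edge Transport only; it cannot share a box with other roles and must
# --- not be a domain member. Give it a DNS suffix and make sure EDGE01 and MAIL01
# --- resolve each other (a hosts-file entry on each side is the usual DMZ answer).
# D:\Setup.com '/mode:Install' '/roles:EdgeTransport'

# On EDGE01, in the Exchange Management Shell, export the subscription file.
# It carries the EdgeSync bootstrap credentials: copy it to MAIL01 over a
# trusted path, import it within 1440 minutes (it expires), then delete it.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# On MAIL01 (Hub Transport), in the Exchange Management Shell: import it, which
# also creates the Send connectors to and from the Edge, then sync and verify.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" -Site "Default-First-Site-Name"
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# Firewall rules this layout needs (assumed minimal set). Nothing in the DMZ
# initiates anything towards Active Directory; the Hub pushes to the Edge.
#   Internet -> EDGE01    TCP/25     inbound SMTP
#   EDGE01   -> Internet  TCP/25     outbound SMTP (plus TCP/UDP 53 for DNS)
#   EDGE01   <-> MAIL01   TCP/25     SMTP between Edge and Hub, both directions
#   MAIL01   -> EDGE01    TCP/50636  EdgeSync, secure LDAP to ADAM on the Edge
#   Internet -> MAIL01    TCP/443    OWA over HTTPS only; no other inbound port
```

Test-EdgeSynchronization should report the Edge server as synchronized before any inbound MX is pointed at EDGE01; if it does not, the usual causes are name resolution between the two boxes and TCP/50636 being blocked from the LAN to the DMZ.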
 

Author Comment

by:gpersand
ID: 20873924
I only have 150 users and the max connecting using OWA will be about 50.
My Exchange server has 2 x 2GHz Xeon quad-core processors and 4GB of RAM.

Will it be fine to put the CAS and the Exchange server on this spec pc?
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 2000 total points
ID: 20873942
Yes, I would say so.  Of course, it depends on many things, such as how big you are prepared to let your users' mailboxes grow over the coming years; but initially, I would say that it sounds okay.
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 20874830
NO it is NOT enough. We have rolled out a number of servers with 4GB, and you will notice BAD performance after a few months.
Microsoft recommendation (for JUST the mailbox role): 4GB + 50MB PER USER. So, unless you have zero users, you will always need more than 4GB. Additionally, you need about 1 GB for the CAS role. So I now always recommend a standard 8 GB for a mail server that has all roles.
0
 

Author Comment

by:gpersand
ID: 20874929
Our current Exchange 2003 server has 2 x 3.2GHz Xeon dual-core processors and 4GB of RAM and works fine.
Will Exchange 2007 with the CAS be that much more stressful to the server?
Were the roll outs you did, using exchange 2007?
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 20875028
Yes. Like every new version of any Microsoft product, double the system requirements.
0
 

Author Comment

by:gpersand
ID: 20875050
Thanks Redwulf.
0