• Status: Solved
• Priority: Medium
• Security: Public

OWA in DMZ Recommendation

We are preparing to deploy OWA 2003 for our organization and would like a recommendation on the following two scenarios.

Option 1
Internet -- Firewall -- OWA -- Firewall -- Back End Exchange

Option 2
Internet -- Firewall -- ISA 2006 -- OWA -- Back End Exchange
In this option the ISA is a member of our domain.

Please explain your reasons for either option.
2 Solutions
Keith Alabaster Commented:
Second option every time.

Reasons? Where to start....
1. Best Practice states that ISA will be a member of the domain.
2. ISA as a domain member means you are not having to open additional ports through the firewall - ISA will deal with this aspect.
3. No faffing about trying to get AD connectivity for securing against AD groups - especially useful if you want reporting against usernames rather than just IP addresses.
4. ISA with dual NICs means you get access control in either direction from layer 3 right the way through to layer 7 over all protocols, not just proxy-orientated traffic.
5. If you use ISA as a VPN header, for the same reasons as above.
The list goes on ....

2nd option would be better, as the OWA server is not recommended to be in the DMZ.
If that server is in the DMZ, for OWA to work you have to open the required ports (HTTP, HTTPS, DNS, GC), so there is no point in putting the server in the DMZ when you are opening so many ports.
Microsoft also does not recommend OWA to be in the DMZ.
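
The second answer's point, that a front end in the DMZ needs HTTP, HTTPS, DNS and GC opened inward, can be checked against a firewall rule set. This added example (not part of the thread) uses a constructed address plan and rule format, and assumes the standard ports 80, 443, 53 and 3268 for those services.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread).
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/16")

# Ports for the services the answer names; GC is the AD global catalog.
NAMED = {80: "HTTP", 443: "HTTPS", 53: "DNS", 3268: "GC"}
DIRECTORY = {"DNS", "GC"}  # served by domain controllers

# Constructed inner-firewall rules for a front end in the DMZ: src dst proto port
DMZ_FRONT_END_RULES = """
# OWA front end -> back-end Exchange
192.0.2.10 10.0.1.20 tcp 80
192.0.2.10 10.0.1.20 tcp 443
# OWA front end -> domain controller
192.0.2.10 10.0.0.5 udp 53
192.0.2.10 10.0.0.5 tcp 3268
"""

# Constructed rules where HTTPS is only published inbound and nothing
# originates from the DMZ range.
PUBLISH_ONLY_RULES = """
0.0.0.0/0 10.0.1.30 tcp 443
"""

def parse(text):
    """Yield (src_net, dst_net, proto, port) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port = line.split()
        yield (ipaddress.ip_network(src), ipaddress.ip_network(dst),
               proto.lower(), int(port))

def dmz_to_internal(text):
    """Return rules that let a DMZ host open connections into the internal network."""
    findings = []
    for src, dst, proto, port in parse(text):
        if src.subnet_of(DMZ) and dst.subnet_of(INTERNAL):
            service = NAMED.get(port, "other")
            findings.append({"dst": str(dst.network_address), "proto": proto,
                             "port": port, "service": service,
                             "directory": service in DIRECTORY})
    return findings

if __name__ == "__main__":
    for f in dmz_to_internal(DMZ_FRONT_END_RULES):
        print(f)
```

Rules flagged with `directory` set are the ones that give a compromised DMZ host a path to the domain controllers, which is the exposure the answer is objecting to.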
