I guess that was part of my point. Granted, I don't know the rule set in this PIX, but I do know the PIX. The standard talk is that the only way to protect X is to place it behind the PIX. But what is it doing in this case? It opens a door up to the Exchange server. But what is the traffic going through that door? Does the PIX really know? The last time I checked, all the PIX did was say: you are packet X, on port Y, and you want to go to address Z. Hey, I have a rule for that, come on down, you're the next contestant on "go right to my server, please". How many of us know how to manipulate a port 80 request? And if it's 443 that's even better, it's just an encrypted manipulation.
By putting this behind an application firewall (I only used ISA as it has forms just for this type of thing) the actual packet is inspected, and you have the added advantage of knowing that the visiting guest never actually communicates with your Exchange FE Server. With ISA that OWA session is terminated at the firewall, and the data is requested by using a separate (we hope secure!) session to the Exchange Server. All the data is returned to the user via populated forms.

I am not trying to get into a bash-the-PIX conversation; I use them, and for what they do, they do it well. I do think, however, we are misleading ourselves if we think that by putting a NAT rule in our PIX for access to our Exchange server for OWA access that we are going to be protected. You can accomplish the same thing at your internet-facing router. Just my thought process on this.

Since the original poster said this was for their new Exchange 2003 Server, I would suggest taking a look at www.isaserver.org; they have an entire area on putting OWA up behind an ISA Server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Vander Kooi
Posted At: Tuesday, November 08, 2005 12:12 PM
Posted To: Exchange-List
Conversation: OWA redirect
Subject: RE: OWA redirect

All the PIX does is NAT the address and possibly change your port request from 80 to 443. But if all you are using ISA for is scanning your OWA requests, I would argue that it is not a cost-effective option.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Waters, Jeff
Sent: Tuesday, November 08, 2005 11:08 AM
To: Exchange Discussions
Subject: RE: OWA redirect

We set up an ISA Server with forms authentication and put it beside our PIX. What good does the PIX really do for this type of deployment? Ya, we had fun running that up the flag pole, but by far the ISA-FE-BE setup is the best way to go.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Woods
Posted At: Tuesday, November 08, 2005 10:36 AM
Posted To: Exchange-List
Conversation: OWA redirect
Subject: OWA redirect

Hi,

We've got a PIX with an outside IP pointing into one of the two new Exchange 2003 servers. Users on this server can use the new OWA from the outside. My mailbox resides on the other 2003 Exchange server but it won't re-direct for me. I just get page cannot be found. Any quick thoughts?

Thanks,
Tony

This message is intended only for the named recipient(s) above and may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and destroy this message.

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to [EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
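
The distinction drawn in the top reply of this thread, between a rule that matches only address and port and a firewall that inspects the request itself, shown as an added example that is not part of any poster's message and is not PIX or ISA code. The server address, host name, sample payloads and the path policy are constructed assumptions; the three path prefixes are the usual Exchange 2003 OWA virtual directories.

```python
from dataclasses import dataclass
from urllib.parse import unquote
import posixpath

FE_SERVER = "192.0.2.10"          # assumed front-end address (documentation range)
ALLOWED_PORTS = {80, 443}         # assumes TLS on 443 is terminated at the proxy
OWA_PREFIXES = ("/exchange/", "/exchweb/", "/public/")

@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes

def packet_filter_allows(pkt):
    """Layer 3/4 decision: address and port only, payload never examined."""
    return pkt.dst_ip == FE_SERVER and pkt.dst_port in ALLOWED_PORTS

def app_layer_allows(pkt):
    """Proxy-style decision: the request must parse and match the path policy."""
    if not packet_filter_allows(pkt):
        return False
    try:
        line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False              # not a well-formed HTTP request line
    if not version.startswith("HTTP/1.") or not target.startswith("/"):
        return False
    path = unquote(target.split("?", 1)[0])
    if "%" in path or "\\" in path:
        return False              # still-encoded or backslash paths are refused
    path = posixpath.normpath(path) + "/"   # collapse ../ before matching
    return path.lower().startswith(OWA_PREFIXES)

HDR = b" HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
SAMPLES = {                       # constructed inputs
    "owa_inbox":  Packet(FE_SERVER, 80, b"GET /exchange/user1/Inbox/" + HDR),
    "other_path": Packet(FE_SERVER, 80, b"GET /exchange/../scripts/" + HDR),
    "not_http":   Packet(FE_SERVER, 80, b"\x00\x01binary blob"),
    "wrong_port": Packet(FE_SERVER, 25, b"GET /exchange/" + HDR),
}

def compare():
    """Return {sample: (packet_filter_verdict, app_layer_verdict)}."""
    return {name: (packet_filter_allows(p), app_layer_allows(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:11} packet_filter={verdicts[0]!s:5} app_layer={verdicts[1]}")
```

Only the two checks disagree on `other_path` and `not_http`: both reach the server under the address-and-port rule and are refused once the request is parsed.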
