More an aversion to using something (POP/IMAP) with passwords in clear text and since 
Outlook doesn't support APOP we have to go over SSL. Having said all that, I have to 
do HTTP over SSL with OWA and a front-end/back-end topology anyway ... so I'll just 
get my coat :) 

Mylo

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: 19 March 2002 01:36
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K


Why? What's wrong with POP/IMAP?

IMAP4 over SSL for example. 

Why would you rather give them Hotmail?

William


-----Original Message-----
From: Myles, Damian [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 7:38 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K


I'd be happier giving them a Hotmail account than POP/IMAP..

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: 18 March 2002 16:35
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K


Let's see -

OWA = SSL

POP/IMAP = doesn't happen on my network, but if it did, it would only be via
VPN

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Peregrine Systems
Atlanta, GA


> -----Original Message-----
> From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, March 18, 2002 8:48 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
> 
> 
> How do you guys secure exchange with OWA and POP/IMAP if you 
> don't put it in a DMZ?  
> 
>  
> Matt
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 8:44 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
> 
> 
> There should be a rotating tag line appended to each message;
> 
> "Exchange doesn't belong in the DMZ"
> "PST=BAD"
> "BLB=BAD"
> 
> Etc
> 
> -----Original Message-----
> From: missy koslosky [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, March 18, 2002 5:22 AM
> To: Exchange Discussions
> Subject: Re: Front-End/Back-End Topology - Ex2K
> 
> 
> Go with your instincts.  Keep it out of the DMZ.
> 
> There's lots of history on this in the archives of this list.
> 
> Missy
> ----- Original Message -----
> From: "Myles, Damian" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Sent: Monday, March 18, 2002 7:47 AM
> Subject: Front-End/Back-End Topology - Ex2K
> 
> 
> Posted this on the ISA forums a few days ago, but thought it 
> might be an idea to post for discussion.
> 
> A while back I tested a FE/BE topology with the FE server 
> sitting on our DMZ, opening numerous ports on our interior 
> firewall to allow AD/GC lookups through etc.  Now it comes to 
> actually putting these fruits of labour into practice in a 
> production environment, I'm far from convinced of the 
> rationale of placing a FE server on a DMZ, given the security 
> implications of doing so with regards the numerous open 
> ports.  I'm more inclined to allow to publish the front-end 
> server (on our LAN) and allow remote users to connect through 
> HTTPS, secured behind ISA, acknowledging there is always a 
> risk putting Internet-accessed resources on a production LAN.
> 
> Since this is a back-to-back firewall, the following ports 
> would need to be opened
> 
> Exterior Firewall
> -----------------
> 443/TCP HTTPS
> 25/TCP SMTP
> 993/TCP IMAPS
> 
> Interior Firewall
> -----------------
> 80/TCP HTTP
> 143/TCP IMAP
> 25/TCP SMTP
> 389/TCP LDAP
> 389/UDP LDAP
> 3268/TCP
> 88/TCP KERBEROS
> 88/UDP KERBEROS
> 53/TCP DNS
> 53/UDP DNS
> 135/TCP RPC
> 445/TCP NETLOGON
> 
> I know a lot of the above can be secured over SSL and RPC 
> limited to a single port (rather than anything above 1024), 
> and that I can tunnel HTTP through IPSEC or VPN. However, 
> since I'm using SecureNAT clients with ISA, IPSEC isn't really viable.
> 
> Would appreciate any feedback on this and to find out what 
> the general consensus of opinion is?
> 
> Regards
> Mylo
> 

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
