I currently do something similar to the second option, using Squid proxy
rather than mod_proxy. The Squid box acts as an SSL accelerator, passing
only unencrypted traffic from the DMZ to the internal network. It also does
URL filtering for the common exploits.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Darin [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, December 09, 2002 7:24 PM
> To: Exchange Discussions
> Subject: DMZ Options
> 
> 
> We are in the process of planning an Exchange migration from GroupWise.
> We are looking at how the Front-End Design is going to be regarding OWA.
> I have read the Front-End Server Whitepaper and it appears that the best
> way is to have Users establish an SSL connection to a Front-End Server in
> a DMZ having only port 443 open on the Inter Firewall, then have an IPSEC
> tunnel between the Front and Back-End Server having ports 51, 50, 500/UDP
> and 88 TCP/UDP open on the Intra Firewall.
> 
> Another administrator had the idea of putting both Front and Back End
> Servers on the Internal Network and instead putting in an Apache server in
> the DMZ and have the user create an SSL connection to the Apache Server,
> and then have that Server do a mod_proxy SSL connection to the Front-End
> Server. Therefore only having port 443 open on the Inter and Intra
> Firewall.
> 
> Is this a better design in regards to security?
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 
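
The second design in the quoted message (an Apache reverse proxy in the DMZ that re-encrypts to the Front-End server), shown as an added configuration example that is not part of either poster's message. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded; the hostnames, certificate paths and the use of /exchange, /exchweb and /public as the OWA paths are assumptions.

```apache
# Added example, not from the thread. Hostnames and file paths are placeholders.
<VirtualHost *:443>
    ServerName owa.example.com

    # Terminate the client's SSL session on the DMZ host.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Re-encrypt toward the internal Front-End server and verify its
    # certificate, so only 443 has to be open on the intra firewall.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName on

    # Forward only the OWA virtual directories (assumed paths).
    ProxyPass        /exchange https://fe01.internal.example.com/exchange
    ProxyPassReverse /exchange https://fe01.internal.example.com/exchange
    ProxyPass        /exchweb  https://fe01.internal.example.com/exchweb
    ProxyPassReverse /exchweb  https://fe01.internal.example.com/exchweb
    ProxyPass        /public   https://fe01.internal.example.com/public
    ProxyPassReverse /public   https://fe01.internal.example.com/public

    # Path allow-list as a simple form of URL filtering: refuse every
    # request that is not under one of the three directories above.
    <LocationMatch "^/(?!(exchange|exchweb|public)(/|$))">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

With this layout the DMZ host holds the public certificate and private key, and the intra firewall rule can be narrowed to the proxy's address reaching the Front-End server on TCP 443 only.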
