You could set up IPSec tunnels between this server, the backend server, and the DCs. You could even limit those to only the ports necessary for it to function. Then you'd need to open the firewall for type 50 traffic (ESP IPSec), port 500 TCP for IKE (Key Exchange), and port 88 TCP for Kerberos.
Also, you can get a server certificate for the OWA server and lock it down to SSL only so usernames and passwords aren't passed over the internet in the clear. Yes, you only need port 80 to the backend server; you need more significant access to the DCs. You'll need to lock DS traffic to a specific high-number port -- there's a Q article on it. You know what, here's a list of resource articles:

Exchange 2000 Outlook Web Access
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/deploy/confeat/e2kowa.asp

Using Microsoft Exchange 2000 Front End Servers
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=AFAD8426-572E-40F8-99DA-EB7198F374C4

XGEN: TCP/UDP Ports Used By Exchange 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q278339

Exchange 2000 in the Enterprise: Tips and tricks Part One
Tim Mullen
http://www.securityfocus.com/infocus/1654

Exchange 2000 in the Enterprise: Tips and tricks Part Two
Tim Mullen
http://www.securityfocus.com/infocus/1658

Exchange 2000 in the Enterprise: Tips and tricks Part Three
Tim Mullen
http://www.securityfocus.com/infocus/1668

Securing Exchange 2000, Part One
Chris Weber
http://www.securityfocus.com/infocus/1572

Securing Exchange 2000, Part Two
Chris Weber
http://www.securityfocus.com/infocus/1578

Securing IIS 5.0
SecurityFocus
http://www.securityfocus.com/infocus/1312

XWEB: How to Make Outlook Web Access the Default Web Site
http://support.microsoft.com/default.aspx?scid=kb;en-us;319878

Improve Windows Servers Security
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/ChkList/wsrvSec.asp

Windows 2000 Server Baseline Security Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/w2ksvrcl.asp

Secure Internet Information Services 5 Checklist
Michael Howard
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iis5chk.asp
Restricting Active Directory Traffic to a Single Port

XADM: Known Issues and Fine tuning When you Use the IIS Lockdown Wizard in an Exchange 2000 Environment
http://support.microsoft.com/?ID=309677

XCCC: Turning on SSL for Exchange 2000 Server Outlook Web Access
http://support.microsoft.com/?ID=320291

Using VNC with SSH
http://www.uk.research.att.com/vnc/sshvnc.html

The Secure Shell Frequently Asked Questions
http://www.employees.org/~satch/ssh/faq/

VPN with pre-Shared Keys
http://networking.earthweb.com/netsecur/article.php/10952_913361_1

Cisco Pix Documentation
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/index.htm

Cisco Pix Modification Instructions
http://www.blueridgenetworks.com/SupportDocs/Cisco%20Pix.pdf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Friday, April 04, 2003 5:34 AM
To: Exchange Discussions
Subject: Aaaarrrrggghhhh - What ports for OWA through only 1 firewall (no DMZ) besides 80

Against my very loud protest, a customer insists on deploying OWA to users on the Internet with no security in place. They nixed a front end server, SSL, VPN solution or an ISA server.

My question is, what port(s), other than port 80, do I need to open up on the firewall? This is Exchange 2000 SP3, fully patched. I've looked through KB article #278339 and #280132 (which discusses DMZ's), but don't see anything other than port 80 needed. Am I missing something?

Any other suggestions on what I can do to secure this (if anything)?
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]