There isn't a whole lot of security benefit except that an attacker can't touch the Exchange back-end server directly. But the front-end-back-end architecture has never really been about security. He'd have to compromise the front-end server by breaking through your SSL security, then his agent would have to attack something else. A front-end server handles all the OWA transactions; it doesn't pass the session off to the back-end and instead proxies the transactions.
I think the risk is pretty small with a properly secured OWA front-end server. If you really want a box in the DMZ, use an ISA server there to publish OWA.

Ed

--- Erick Thompson <[EMAIL PROTECTED]> wrote:
> Ok, I see what you're saying. What are the security benefits to having a front end server inside of the LAN, as opposed to opening port 443 on the primary Exchange server? It seems to me if the front end server is compromised, then your primary Exchange server is just as vulnerable.
>
> Thanks,
> Erick
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > Sent: Tuesday, September 16, 2003 4:41 PM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> > That's exactly what I'm saying. Get the publications and read what ports you must open and if that doesn't scare you, nothing will. Open only port 443 for SSL OWA, and only if you can't require a VPN.
> >
> > Ed
> >
> > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > Ed,
> > >
> > > I'm a little confused. You're recommending that I put in a front end server, but not in the DMZ? It seems to me that I might have to open a bunch of ports, but if the front end server is in the LAN, all ports are by default open.
> > >
> > > Just to clarify, I have one Exchange server which lives on my LAN, and there is an SMTP server in my DMZ that relays messages to the Exchange server. At the moment, I don't have any other Exchange servers running.
> > >
> > > Thanks,
> > > Erick
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > > > Sent: Tuesday, September 16, 2003 4:25 PM
> > > > To: Exchange Discussions
> > > > Subject: Re: OWA front end server - licensing and security
> > > >
> > > > Install a certificate on the front-end server and open port 443 to the front-end server. Putting a front-end server in a DMZ requires you to open lots of dangerous ports through the internal firewall to the Exchange servers, DCs and GCs.
> > > >
> > > > Ed
> > > >
> > > > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > > > I'm setting up OWA in my organization, and I have two choices. I can set up Exchange on the web server (in the DMZ), and specify it as a front end server, or I can open port 80 to the primary Exchange server. From a security standpoint, I really like the first option, but I'm thinking that I need a second Exchange Enterprise license. Am I correct in this?
> > > > >
> > > > > Am I being too paranoid about opening port 80 through to the internal Exchange server? I've never liked the idea of raw traffic entering my LAN....
> > > > >
> > > > > Thanks,
> > > > > Erick
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]