If you can't risk the data getting out, then break your Internet connection.
Ed

--- Erick Thompson <[EMAIL PROTECTED]> wrote:
> We talked about this exact scenario. We decided that given how easy it is to
> install a key logger, and other malware, on public systems we decided it was
> too risky. We are planning on using public folders quite heavily with data
> that we can't risk getting out. Same with the address books.
>
> We are trying to figure out a way to give people access to email only from a
> public terminal. No public folders or address books. If you have any
> suggestions, that would be great.
>
> Erick
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > Sent: Wednesday, September 17, 2003 4:40 PM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> > ISA is a better solution in a DMZ because it doesn't require the plethora
> > of holes in the internal firewall.
> >
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp
> >
> > Requiring VPN (your other message) is a good idea, however, you may be
> > coming back to ISA or some other idea when your users demand to be able to
> > get e-mail from a coffeehouse kiosk terminal.
> >
> > Ed
> >
> > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > I have to admit to being a little confused, how would ISA help, aside
> > > from being a proxy? Which isn't nothing, but I'm wondering if I'm
> > > missing something else.
> > >
> > > Thanks,
> > > Erick
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] Behalf Of Webb, Andy
> > > > Sent: Wednesday, September 17, 2003 7:04 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: OWA front end server - licensing and security
> > > >
> > > > Don't forget you also have to fully protect the front end server from
> > > > all the other servers on the DMZ from which it is not isolated.
> > > >
> > > > Those other systems may have been placed on the DMZ in an insecure
> > > > state with the thought that if anyone broke them, they would be
> > > > isolated from the internal LAN. What happens when you put the FE in
> > > > the DMZ is you break that theory. The DMZ is no longer isolated from
> > > > the LAN.
> > > >
> > > > You definitely have to secure the FE, but once you have, why not put
> > > > it inside where it is not at risk from questionable systems on the
> > > > DMZ?
> > > >
> > > > Better to put an ISA server in the DMZ as was suggested earlier.
> > > >
> > > > Regarding IPSEC, Exchange 2003 explicitly states that IPSEC is now
> > > > supported between front end and back end. So if you upgrade, that's
> > > > perhaps an option. Though a lesser one than using ISA imho.
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Leeann McCallum
> > > > Sent: Tuesday, September 16, 2003 6:32 PM
> > > > To: Exchange Discussions
> > > > Subject: RE: OWA front end server - licensing and security
> > > >
> > > > You could throw an OWA front end server in the DMZ, put certificate on
> > > > as Ed suggests, and then wrap everything up in an IPSEC packet that
> > > > goes between the front end and backend. Between the client on the net
> > > > and the front end, you would use SSL, so just open 443.
> > > >
> > > > -----Original Message-----
> > > > From: Erick Thompson [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, 17 September 2003 11:29 a.m.
> > > > To: Exchange Discussions
> > > > Subject: RE: OWA front end server - licensing and security
> > > >
> > > > Ed,
> > > >
> > > > I'm a little confused. You're recommending that I put in a front end
> > > > server, but not in the DMZ? It seems to me that I might have to open a
> > > > bunch of ports, but if the front end server is in the LAN, all ports
> > > > are by default open.
> > > >
> > > > Just to clarify, I have one Exchange server which lives on my LAN, and
> > > > there is an SMTP server in my DMZ that relays messages to the Exchange
> > > > server. At the moment, I don't have any other Exchange servers
> > > > running.
> > > >
> > > > Thanks,
> > > > Erick
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > > > > Sent: Tuesday, September 16, 2003 4:25 PM
> > > > > To: Exchange Discussions
> > > > > Subject: Re: OWA front end server - licensing and security
> > > > >
> > > > > Instal a certificate on the front-end server and open port 443 to
> > > > > the front-end server. Putting a front-end server in a DMZ requires
> > > > > you to open lots of dangerous ports through the internal firewall to
> > > > > the Exchange servers, DCs and GCs.
> > > > >
> > > > > Ed
> > > > >
> > > > > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > > > > I'm setting up OWA in my organization, and I have two choices. I
> > > > > > can
> > > > >
=== message truncated ===