Actually, you can't snoop the SSL traffic. Ok, you can, but it's worthless.

I'd suggest an SSL accelerator (either hardware or software) sitting in the
DMZ, passing unencrypted traffic between the DMZ and a front end server on
the internal network. We've been doing that for about 18 months without any
issues (albeit in an Ex5.5 environment, but that shouldn't matter).

I'd also suggest a front end server dedicated to OWA, as that's an
additional layer of protection.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
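The thread below keeps returning to one question: with the ports a front-end server needs open to the back-end and the DC/GC servers, what can an attacker who owns the FE box reach on the inside, and does a DMZ change that? The following is an added editor's example, not code from any poster or from Microsoft; it models a small firewall policy and computes that blast radius, then tightens the one sloppy rule. The host names, zones and rule set are constructed for illustration, and the port list is deliberately incomplete (it is not a transcription of KB 280132; RPC in particular needs more than the 135 endpoint mapper).

```python
"""Model a DMZ firewall policy for an OWA front-end (FE) server and ask
the thread's question: if the FE is compromised, what does it reach?

Added example. Every host, zone and rule below is constructed for
illustration and is not a real or recommended port list."""
from dataclasses import dataclass
from typing import Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src: str              # host name or ANY
    dst_zone: str
    dst: str              # host name or ANY
    port: Union[int, str]  # TCP port or ANY
    action: str           # "allow" or "deny"


# Constructed policy: FE in the DMZ, mailbox server and DC on the LAN.
POLICY = [
    Rule("internet", ANY, "dmz", "fe-owa", 443, "allow"),
    Rule("internet", ANY, "dmz", "fe-owa", 25, "allow"),
    Rule("dmz", "fe-owa", "internal", "be-mbx", 80, "allow"),
    Rule("dmz", "fe-owa", "internal", "dc1", 389, "allow"),
    Rule("dmz", "fe-owa", "internal", "dc1", 3268, "allow"),
    # Sloppy rule: RPC endpoint mapper to *every* internal host.
    Rule("dmz", "fe-owa", "internal", ANY, 135, "allow"),
    Rule("dmz", ANY, "internal", ANY, ANY, "deny"),
]

# Same policy with the sloppy rule scoped to the hosts that need it.
POLICY_TIGHT = POLICY[:5] + [
    Rule("dmz", "fe-owa", "internal", "be-mbx", 135, "allow"),
    Rule("dmz", "fe-owa", "internal", "dc1", 135, "allow"),
    POLICY[-1],
]

# Ports the thread singles out as ones you would rather not expose.
SENSITIVE_PORTS = {135: "RPC endpoint mapper", 389: "LDAP", 3268: "GC LDAP"}


def _matches(field, value):
    return field == ANY or field == value


def reachable_from(policy, zone, host):
    """Flows `host` in `zone` may open, under first-match evaluation:
    a catch-all deny that covers this source ends the scan."""
    flows = set()
    for r in policy:
        if r.src_zone != zone or not _matches(r.src, host):
            continue
        if r.action == "deny" and r.dst == ANY and r.port == ANY:
            break
        if r.action == "allow":
            flows.add((r.dst_zone, r.dst, r.port))
    return flows


def blast_radius(policy, zone, host, target_zone="internal"):
    """Internal hosts a fully compromised `host` can talk to.
    ANY in the result means some rule exposes every host in the zone."""
    return {dst for dz, dst, _ in reachable_from(policy, zone, host)
            if dz == target_zone}


def audit(policy):
    """Findings for allow rules into the internal zone: wildcards and
    sensitive ports. Returns a list of (rule_index, reason)."""
    findings = []
    for i, r in enumerate(policy):
        if r.action != "allow" or r.dst_zone != "internal":
            continue
        if r.src == ANY:
            findings.append((i, "any DMZ host may initiate inbound"))
        if r.dst == ANY:
            findings.append((i, "destination is every internal host"))
        if r.port == ANY:
            findings.append((i, "all ports permitted"))
        if r.port in SENSITIVE_PORTS:
            findings.append((i, f"exposes {SENSITIVE_PORTS[r.port]} ({r.port})"))
    return findings


if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("POLICY_TIGHT", POLICY_TIGHT)):
        print(name, "reach from fe-owa:", sorted(map(str, blast_radius(pol, "dmz", "fe-owa"))))
        for idx, why in audit(pol):
            print(f"  rule {idx}: {why}")
```

Even the tightened policy still reaches the DC and the mailbox server on RPC and LDAP, which is the point Ben and Martin make: scoping destinations shrinks the blast radius, but the FE-to-BE trust relationship survives the DMZ.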


> -----Original Message-----
> From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, December 10, 2003 8:42 PM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> 
> Those are very powerful seven (your number--I haven't counted) ports.
> You're pretty safe by allowing only SSL into OWA, enforcing a strong
> password policy, and watching the traffic that passes through 
> the firewall.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Davinder Gupta
> Sent: Wednesday, December 10, 2003 7:15 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> Ed,
> 
> It takes 7 ports from the front end server for Windows 2000 communication
> plus the Exchange ports to make it work. So my only argument is that if
> the front end box gets compromised, hackers have access to those seven
> ports and wherever they terminate. However, by putting the front end
> server on the LAN, there is no telling where the bad guys will have
> access if the front end server is compromised. And please don't get me
> wrong, I understand that the ports required for Win2k are significant
> ports.
> 
> However ISA might be a good solution too, I will look into it.
> 
> Thanks
> Davinder
> 
> 
> 
>  -----Original Message-----
> From:         Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 09, 2003 11:00 PM
> To:   Exchange Discussions
> Subject:      RE: OWA and SMTP
> 
> There's a whitepaper on the Exchange 2000 web site about using ISA.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Davinder Gupta
> Sent: Tuesday, December 09, 2003 8:30 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> Can you point me to those articles/white papers etc. ??
> 
> I would like to look into the possibility of using ISA and 
> keeping FE server
> in DMZ.
> 
> Thanks
> Davinder
> 
> 
> 
>  -----Original Message-----
> From:         Martin Blackstone 
> [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 09, 2003 8:17 AM
> To:   Exchange Discussions
> Subject:      RE: OWA and SMTP
> 
> Don't they show ISA in there as well? 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Fyodorov, Andrey
> Sent: Tuesday, December 09, 2003 8:13 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> Why do Microsoft FE/BE whitepapers show FE in DMZ?
> 
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 09, 2003 10:58 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> I couldn't have said it better myself. 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
> Sent: Tuesday, December 09, 2003 7:56 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> What I don't understand is why everyone thinks that placing their FE
> server in a DMZ is a more secure/better way/whatever have you.  IMHO, it
> is not.  I don't understand what you think you are going to be gaining
> by placing it there other than increased headache for the setup and
> troubleshooting.  Some may offer the argument that if your FE server
> gets hacked, it is somewhat isolated.  Let's be honest.  With the ports
> that are required to be open between the FE and BE, if someone hacks
> your FE server, they can own your internal network whether the FE is in
> a DMZ or not.  I'm just not convinced that there is a need to place FE
> servers in the DMZ.  That, plus I seem to remember that it is now
> Microsoft's suggestion to NOT place the FE server in the DMZ.  I'll see
> if I can find the reference to that.
> 
> Davinder, you are, of course, welcome to deploy this how you see fit.
> It is, after all, your network, not mine.  Ultimately, if you feel it is
> a better setup to place your FE server in your DMZ, then do that.  I'm
> just trying to offer feedback.  As far as 5.5, that is a different
> scenario altogether.  5.5 would allow you to install OWA separate from
> the Exchange mailbox server.
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -----Original Message-----
> From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted 
> At: Tuesday,
> December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
> Conversation: OWA and SMTP
> Subject: RE: OWA and SMTP
> 
> 
> Thanks everybody for replying. The plan is exactly to open 443 from
> outside and required ports for GC/LDAP and required ports for BE server.
> The DMZ is a separate physical network (VLAN) and the Firewall is going
> to allow these specific kinds of traffic only to the required specific
> servers on the inside network.
> 
> You guys seem very concerned with that which I respectfully don't
> understand. Also this is exactly what we did in exchange 5.5, right??
> 
> Or another idea might be to create an IPSec tunnel between the FE server
> and DCs and limit the number of ports that way, ideas?
> 
> 
> Thanks
> Davinder
> 
> 
> 
>  -----Original Message-----
> From:         Eric Fretz [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 09, 2003 7:20 AM
> To:   Exchange Discussions
> Subject:      RE: OWA and SMTP
> 
> I totally agree.  It is much easier to do extensive logging (and packet
> filtering, for that matter) with a good layered firewall, as opposed to
> locking down IIS (and Windows) to accept connections in an unsecured
> zone.
> 
> Eric Fretz
> 
> L-3 Communications
> ComCept Division
> 2800 Discovery Blvd.
> Rockwall, TX 75032
> tel:   972.772.7501
> fax:  972.772.7510
> 
> 
> 
> -----Original Message-----
> From: Ben Winzenz [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 09, 2003 9:20 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> 
> Why go through the hassle?  It is much easier (and just as secure) to
> simply put the FE server inside your network, open up port 443 and 25 to
> the FE server (I would not open port 80 for OWA), and that is all you
> should have to do.  If you want to be even more secure, use something
> like ISA server to "publish" the FE OWA server.  There are some servers
> that belong on a DMZ.  A FE OWA server is not one of them.
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -----Original Message-----
> From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
> Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: 
> Exchange (Swynk)
> Conversation: OWA and SMTP
> Subject: RE: OWA and SMTP
> 
> 
> Have FE and BE on separate VLANs and set up access lists on the routers
> allowing just the back-end VLAN to only accept traffic from the
> front-end VLAN if it is coming from the FE server, and only the
> specified ports.
> 
> How does that sound?
> 
> 
> -----Original Message-----
> From: Ben Winzenz [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 09, 2003 9:29 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> What Martin is saying is that those are not the only ports you have to
> open.  There are MANY more that are required to be opened to allow for
> communication between the FE server and the BE server, and communication
> between the FE server and the DC/GC servers.  While the article seems to
> point out the correct ports, the post was misleading in saying that only
> 80/443 and a "few others".  Those "few" other ports (esp. 135, and the
> LDAP ports) are something I would not especially want opened on my
> firewall.
> 
> 
> Ben Winzenz
> Network Engineer
> Gardner & White
> (317) 581-1580 ext 418
> 
> 
> -----Original Message-----
> From: Eric Fretz [mailto:[EMAIL PROTECTED]
> Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
> (Swynk)
> Conversation: OWA and SMTP
> Subject: RE: OWA and SMTP
> 
> 
> He just asked for the ports and I pointed him to the kb on open ports. I
> agree that putting a Front End in a DMZ is no walk in the park and did
> not intend to make it sound that easy.
> 
> Eric Fretz
> 
> L-3 Communications
> ComCept Division
> 2800 Discovery Blvd.
> Rockwall, TX 75032
> tel:   972.772.7501
> fax:  972.772.7510
> 
> 
> 
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 09, 2003 8:10 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> 
> It's much more extensive than that when putting the FE in the DMZ.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
> Sent: Tuesday, December 09, 2003 5:55 AM
> To: Exchange Discussions
> Subject: RE: OWA and SMTP
> 
> 80(HTTP), 443(SSL) and a few others.
> 
> Check out kb# 280132
> 
> Eric Fretz
> 
> L-3 Communications
> ComCept Division
> 2800 Discovery Blvd.
> Rockwall, TX 75032
> tel:   972.772.7501
> fax:  972.772.7510
> 
> 
> 
> -----Original Message-----
> From: Davinder Gupta [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 08, 2003 7:23 PM
> To: Exchange Discussions
> Subject: OWA and SMTP
> 
> 
> I am setting up a Windows 2000 member server in the DMZ, which will be
> our SMTP and OWA front end server. Which ports do I need to open to make
> this work? Is there a KB article that you guys could point me to?
> 
> Thanks
> Davinder
> 
> 
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 