Make sure W2K is using service pack 2. What ports are open on the firewall for access, and what permissions are granted?
I think ports 1025 and 1026 (not just 1025) higher need to be open because of RPC. I tend to stay away from this type of setup; it is (my feeling) that it is less secure than inside with 443 only. Since you have a PIX, use it to do a one-to-one NAT, then allow port 25 and 443 only. Two ports versus 14.
 
Just my two cents.
-----Original Message-----
From: Dikeman, Bo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 11:23 AM
To: MS-Exchange Admin Issues
Subject: OWA in DMZ

Good Morning,
Please forgive me if this question has already been answered, but I have searched high and low and still can't get things to click right. I am trying to get OWA to work in our DMZ; here is what I have:
 
        1.  Exchange 5.5 SP4 running on a W2k member server on the inside.
        2.  A WinNT 4.0 PDC on the same subnet with the Exchange server
        3.  A Cisco PIX w/DMZ card
        4.  A W2k DC (for the DMZ domain) w/OWA 5.5 SP4 in the DMZ
 
There is a two-way trust between the domains for testing. This will eventually be a one-way trust where the DMZ domain trusts the production domain, but not vice versa. I have the following ports open for the OWA box: 53 TCP, UDP; 88 TCP, UDP; 123 TCP; 135 TCP; 389 TCP, UDP; 445 TCP; 3268 TCP; 137 UDP; 138 UDP; and 139 TCP. Oh, and 80. I opened all of these per Q articles that said to do so, but if any of these definitely do not need to be open, please let me know. I have also bound NTDS on the W2k box to 1025 and that port (TCP and UDP) is open per Q280132. I have also bound the Exchange IS, DS, and SA to ports in the registry per Q259240, and those three TCP ports are open in the firewall.
 
The clincher is everything works when the OWA box is on the inside. Once the OWA box is in the DMZ, that is not the case. Whenever a user tries to log on to OWA in this situation, they get the hourglass for a couple of minutes and get the script timeout error in IE. Also, I have seen a couple of Q articles recommending to set authentication to clear text in IIS; that is set.
 
Any suggestions or any info that someone might need to make a suggestion, please, please fire in.
 
Thanks a bunch,
 
Bo Dikeman, MCSE
Network Administrator
NorthStar Communications Group, Inc.
 
 
List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm