Our parent office in Germany is all hot on sticking our OWA box in the DMZ.
Can anyone point me to a White paper saying this is NOT a good idea? We are
currently running it with SSL.  Thanks.

Best regards,
Steve Ropiak  
ZF Group NAO 
CERT, Exchange Administrator 
(207) 989-9115 voice 
(207) 989-8722 fax 
(513) 314-0197 cell 

[EMAIL PROTECTED]



-----Original Message-----
From: Toni, Randy [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 19, 2002 11:24 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA Ports


This debate pops up a lot.  I had OWA in the DMZ once.  On the last upgrade
(NT to Win2K) it went back into the trusted.  It only ever ran SSL.  I heard
more arguments for keeping it inside than for putting it in the DMZ.  I
think that punching all the requisite holes in the DMZ to accommodate OWA
makes the entire DMZ pretty flaky.  I'd like to put some kind of IDS on it
(like SecureIIS) but I've heard some bad things about the MS lockdown tool
and URLScan.

Let me throw in a twist - what if the DMZ can be dedicated solely to OWA?  I
ask because that's happening here now.  We're contracting out whatever
Intranet services we had in the DMZ and the wire may be empty.  If this is
the case, is it not maybe safer back out there?  There are literally no
other DMZ systems that can be hacked and used to take advantage of the open
OWA ports.  Of course OWA can be hacked itself, but that same probability
exists in the internal LAN, where it can see everything full-bore.

Is my logic twisted or does this (rare) circumstance of "OWA-only" make any
difference in the approach?  Or am I thinking too much about this again?

> -----Original Message-----
> From: Mark Kelsay [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 2:31 PM
> To:   MS-Exchange Admin Issues
> Subject:      RE: OWA Ports
> 
> Move your OWA server to your protected net.  Implement SSL and open up
> port TCP/443 to the server.  Block port TCP/80 and force everyone to
> use SSL. I believe this is the safest way.  I am sure someone here will
> let me know if I am wrong.
> 
> 
> Mark
> 
> 
> 
> -----Original Message-----
> From: McCready, Robert [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 1:54 PM
> To: MS-Exchange Admin Issues
> Subject: RE: OWA Ports
> 
> Exchange keeps reassigning the port numbers.  We were using 1062 and 
> 1074.
> 
> Yes, the DWORD value was set to Decimal.
> 
> For some reason, our registry entries don't seem to matter. Maybe I 
> shouldn't even worry about them since the OWA server is on the DMZ?
> 
> -----Original Message-----
> From: Ben Winzenz [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 9:57 AM
> To: MS-Exchange Admin Issues
> Subject: RE: OWA Ports
> 
> 
> Which port numbers are you assigning?  Also, did you make sure that 
> the DWORD value is set to Decimal, NOT Hexadecimal?  I don't know if 
> there is a specified range that you are supposed to use, but we have 
> always used the same port numbers.
> 
> Ben Winzenz, MCSE
> Network/Systems Administrator
> Peregrine Systems
> 
> 
> -----Original Message-----
> From: McCready, Robert [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 8:41 AM
> To: MS-Exchange Admin Issues
> Subject: OWA Ports
> 
> Exchange 5.5, NT 4.0.
> 
> OK.  We are using OWA.  Apparently, each time the Exchange Server is
> rebooted, it randomly assigns ports for the directory and information
> store by default, therefore, the ports that the client will use must
> be statically mapped.  Following the OWA instructions, I made the
> following registry entry to TRY and accomplish the static mapping.....
> 
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MS Exchange
> ServerDS\Parameters:
> 
> From here, I selected EDIT - NEW - DWORD VALUE.  I then typed in 
> TCP/IP port for the ENTRY and
> typed the port number in under VALUE.  I also did the same for
> 
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MS Exchange
> ServerIS\ParametersSystem:
> 
> However, each time I reboot, a new port number is assigned.  Has 
> anybody else had this problem?
> 
> Thanks.
> 
> Robert
> 
> List Charter and FAQ at: 
> http://www.sunbelt-software.com/exchange_list_charter.htm
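
Added example, not part of the thread: the decimal-versus-hexadecimal question raised in Ben Winzenz's reply can be checked from a registry export, because .reg files always write DWORD data in hex. The sample export and the function name `audit_ports` are constructed; the key paths are copied as written in the original post, and the intended ports are the 1062 and 1074 mentioned in the thread.

```python
import re

# Constructed sample in REGEDIT4 export format. Key paths are copied as
# written in the post; the stored values are made up for the demonstration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MS Exchange ServerDS\Parameters]
"TCP/IP port"=dword:00000426

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MS Exchange ServerIS\ParametersSystem]
"TCP/IP port"=dword:00001074
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VAL_RE = re.compile(r'^"TCP/IP port"=(.*)$', re.IGNORECASE)


def audit_ports(export_text, intended):
    """Return (key, port, status) for each "TCP/IP port" value in the export.
    intended: decimal port numbers the firewall rules were written for."""
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m:
            continue
        data = m.group(1).strip()
        if not data.lower().startswith("dword:"):
            findings.append((key, None, "not-a-dword"))  # e.g. a string value
            continue
        port = int(data[6:], 16)  # export data is hex regardless of how it was typed
        if port in intended:
            status = "ok"
        elif any(int(str(p), 16) == port for p in intended):
            status = "entered-as-hex"  # digits typed with the Hex base selected
        else:
            status = "unexpected-port"
        findings.append((key, port, status))
    return findings


if __name__ == "__main__":
    for key, port, status in audit_ports(SAMPLE_EXPORT, {1062, 1074}):
        print(f"{status:16} {port}  {key}")
```

In the constructed sample the first value resolves to 1062 as intended, while the second was typed as "1074" in hex and actually pins the service to port 4212, which a firewall rule for 1074 would not cover.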
