On Mon, Mar 19, 2001 at 03:06:50PM +1200, Hague, Alex wrote:
> If you don't want to go to the trouble of setting up everything on a DMZ (or
> if it's too expensive for you or your client) you could go about it like
> this.

The reason for a DMZ is that you don't want an exploited IIS/OWA to be a problem for your internal network. If you add an SSL relay you do not prevent any attacks on your IIS. This means an SSL relay is not an alternative to a DMZ at all.

With or without SSL (you can have OWA speak SSL and just do a port redirection) you have to decide if you want to trust OWA.

The only thing you can do is to require a client certificate on the SSL tunnel. But this has the problem that ICafes won't be able to access your OWA, which is exactly one of the major situations where you want to use it.

Another option would be an HTTP reverse proxy asking for an additional (OTP) password. That way only users who know the key can actually TALK to (and exploit) your IIS. This is OK with me.

Unfortunately a good reverse HTTP proxy with SSL and password protection is rare. I found one solution for a lib system here:

http://www.brown.edu/Facilities/CIS/Network_Services/libproxy/

This may help a bit.

Greetings
Bernd
--
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
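The pre-authenticating reverse proxy described in the message above, reduced to its gate decision, as an added example that is not part of the original mail or of any product it mentions. It assumes RFC 6238 TOTP as the OTP scheme and an HMAC-signed session cookie (the mail names neither); `COOKIE_KEY`, `OTP_SECRETS`, `login` and `may_forward` are hypothetical names and the secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

COOKIE_KEY = b"constructed-demo-key"              # assumption: proxy-local signing key
OTP_SECRETS = {"alice": b"12345678901234567890"}  # constructed sample enrolment
SESSION_TTL = 900                                 # seconds a gate session stays valid

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _sign(payload):
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()

def login(user, otp, now):
    """Return a signed session cookie if the OTP is valid, else None."""
    secret = OTP_SECRETS.get(user)
    if secret is None:
        return None
    # Accept the current and the previous time step to tolerate clock drift.
    ok = any(hmac.compare_digest(totp(secret, now - d).encode(), otp.encode())
             for d in (0, 30))
    if not ok:
        return None
    payload = f"{user}|{int(now) + SESSION_TTL}"
    return f"{payload}|{_sign(payload)}"

def may_forward(cookie, now):
    """Gate decision: relay the request to the backend only for a valid session."""
    try:
        user, expiry, sig = cookie.split("|")
        good = hmac.compare_digest(sig.encode(), _sign(f"{user}|{expiry}").encode())
        return good and int(expiry) > now
    except (AttributeError, ValueError):
        # Missing, malformed or non-numeric cookie: the backend never sees it.
        return False
```

Requests for which `may_forward` returns False are answered by the proxy itself, so the backend's HTTP parser is reachable only by holders of an OTP secret. A deployed gate would also record used codes so that one cannot be replayed inside its time window.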
