That's totally BS. You can put it in the authenticated access DMZ behind the ISA Firewall. You'd NEVER put it in an anonymous access DMZ, which it sounds like you're doing now. Get an ISA Firewall in front of that server , as an ASA (and definitely NOT a PIX) ain't doing nothing to protect your investment. ISA is pretty low cost for the level of security it provides. Compare it to Whale or any of the SSL VPN products, although most of the SSL VPN products don't really have a deep application layer understanding of legitimate OWA traffic, and definitely not at the level that Whale IAG provides.
The comments re: DMZ is most likely related to the p*ss-poor understanding most Exchange people (and the industry in general) have regarding the heterogeneity of DMZ configurations. They'd all do themselves a favor by going to Tim Mullen's course on DMZs and security zone segmentation, which he'll be presenting at RSA next month. Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Randy Hall > Sent: Thursday, January 04, 2007 3:41 PM > To: Focus-MS > Subject: How to deploy Microsoft OWA without using ISA? > > We have been using OWA2000 for a few years now. The front > end server sits in a DMZ and communicates to the backend > server with a very painfully developed access list. In > addition, you need two factor authentication to even get to > the login screen. > > I recently attended a Microsoft presentation of the new > architecture of Outlook 2007. The one thing that stuck out > to me was that you can no longer put the front end server in > a DMZ. It has to be on the internal network. The > recommended way to publish OWA is ISA2006. > > I don't currently have ISA2006 anywhere in my network and we > are a very heavy Cisco shop. What options do I have for > publishing OWA? Purchasing ISA2006 for this one application > seems a bit overkill. > > Any help or guidance would be appreciated. Google turns up > lots of hits for doing this with ISA but doesn't give any alternative. > > Randy Hall - Sr. Security Engineer - CISSPĀ > The Virginian Pilot - (757) 446-2754 > > > >
