Use traditional security methods. Check out http://technet.microsoft.com/en-us/library/bb124597.aspx

Essentially use either smartcards in conjunction with EAP-TLS and properly configured firewalls, et al. It is true that the new roles-based setup does remove the ability to have OWA directly in the DMZ itself; however, the new roles architecture provides substantially more flexibility than the front-end/back-end architecture of 2003. It is true that an OWA deployment outside of ISA 2006 is a bit more complicated to properly address security concerns; however, there are alternative means to authenticate users and protect the OWA instance.

Another thing to think about -- does your enterprise still need the full-blown OWA installation? Remember that the Exchange ActiveSync capabilities inherent in the Client Access Server role can take care of some of your mobile user needs, and if you architect your environment correctly (VPNs - possibly including SSL-based VPN) you can take care of many remote access needs by configuring native Outlook clients to use tunneled RPC connections to connect to the Exchange infrastructure mailbox servers. For some organizations, this near-alleviates the need to provide OWA accessibility, depending on the environment.

Hopefully the attached image (courtesy of Microsoft) will help clarify the various role relationships and spur some ideas about how to secure an Exchange 2007 OWA install. Obviously, without deeper information into how your particular instance is constructed, it is difficult to provide more accurate strategies on securing 2007 for your enterprise.

Hope this helps.

--------------------------------------
Wayne S. Anderson
"A sufficiently developed bug is indistinguishable from a feature."
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Hall
Sent: Thursday, January 04, 2007 2:41 PM
To: Focus-MS
Subject: How to deploy Microsoft OWA without using ISA?

We have been using OWA 2000 for a few years now. The front-end server sits in a DMZ and communicates to the back-end server with a very painfully developed access list. In addition, you need two-factor authentication to even get to the login screen.

I recently attended a Microsoft presentation of the new architecture of Outlook 2007. The one thing that stuck out to me was that you can no longer put the front-end server in a DMZ. It has to be on the internal network. The recommended way to publish OWA is ISA 2006. I don't currently have ISA 2006 anywhere in my network and we are a very heavy Cisco shop. What options do I have for publishing OWA? Purchasing ISA 2006 for this one application seems a bit overkill. Any help or guidance would be appreciated. Google turns up lots of hits for doing this with ISA but doesn't give any alternative.

Randy Hall - Sr. Security Engineer - CISSP
The Virginian Pilot - (757) 446-2754
Attachment: Exchange_2007.gif (GIF image)
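The reply above leans on three Client Access Server features (forms-based OWA authentication over HTTPS, Exchange ActiveSync, and Outlook Anywhere / RPC over HTTP for native Outlook clients) without showing how to check that a given Exchange 2007 CAS is actually configured that way. The following audit script is an added example and is not part of the thread or of Microsoft's documentation. It assumes it is run from the Exchange 2007 Management Shell by an account with Exchange View-Only Administrator rights, that the public name on the CAS certificate is `mail.example.com` (a placeholder), and that the property names match Exchange 2007 SP1; on an RTM build, confirm them with `Get-Member` before relying on the output.

```powershell
# Added example, not from the original thread: audit Exchange 2007 Client Access
# settings that the reply relies on (OWA auth, ActiveSync, Outlook Anywhere).
# Run from the Exchange Management Shell. Host name below is an assumption.

$ExpectedExternalHost = 'mail.example.com'   # assumed public name on the CAS certificate

$findings = @()

foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name

    # OWA: expect forms-based authentication and an https ExternalUrl on the
    # expected host. Basic/Windows auth without FBA means the credential prompt
    # is handled by IIS, which is what the thread's two-factor front door avoids.
    foreach ($owa in Get-OwaVirtualDirectory -Server $server) {
        $id = "$server/$($owa.Name)"
        if (-not $owa.FormsAuthentication) {
            $findings += "$id : forms-based auth is OFF (Basic=$($owa.BasicAuthentication), Windows=$($owa.WindowsAuthentication))"
        }
        if ($owa.ExternalUrl) {
            # ExternalUrl is a System.Uri, so Scheme/Host are available directly
            if ($owa.ExternalUrl.Scheme -ne 'https') {
                $findings += "$id : ExternalUrl is not https ($($owa.ExternalUrl))"
            }
            if ($owa.ExternalUrl.Host -ne $ExpectedExternalHost) {
                $findings += "$id : ExternalUrl host $($owa.ExternalUrl.Host) differs from $ExpectedExternalHost"
            }
        }
    }

    # ActiveSync: same https / host expectation for the mobile endpoint
    foreach ($eas in Get-ActiveSyncVirtualDirectory -Server $server) {
        $id = "$server/$($eas.Name)"
        if ($eas.ExternalUrl -and $eas.ExternalUrl.Scheme -ne 'https') {
            $findings += "$id : ActiveSync ExternalUrl is not https ($($eas.ExternalUrl))"
        }
    }

    # Outlook Anywhere (RPC over HTTP): the tunneled-RPC path the reply mentions.
    # If it is off, remote Outlook clients need a VPN to reach the mailbox servers.
    if ($cas.OutlookAnywhereEnabled) {
        foreach ($oa in Get-OutlookAnywhere -Server $server) {
            if ($oa.ExternalHostname -ne $ExpectedExternalHost) {
                $findings += "$server : Outlook Anywhere ExternalHostname $($oa.ExternalHostname) differs from $ExpectedExternalHost"
            }
            if ($oa.SSLOffloading) {
                # Only acceptable when a front-end device really terminates TLS
                $findings += "$server : Outlook Anywhere has SSLOffloading enabled; verify TLS is terminated upstream"
            }
        }
    } else {
        $findings += "$server : Outlook Anywhere is not enabled (remote Outlook clients will need a VPN)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: OWA, ActiveSync and Outlook Anywhere match the expected settings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script only reads configuration, so it is safe to run repeatedly; the point is to turn the reply's architectural advice into a concrete list of settings to verify on each CAS before exposing it through a non-ISA front end (a Cisco device, a reverse proxy, or an SSL VPN). It does not check the IIS "Require SSL" flag on the virtual directories, which lives in the IIS metabase rather than in Exchange and should be verified separately.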
