I'm currently debating the same setup.
What I've noted so far is that:
- The OWA server is in the DMZ, while the Exchange server should stay on the
LAN.
- There's a registry edit in Exchsv 5.5 that lets you specify the range of
random ports that it will connect to the OWA server with (or moreover, allow
incoming SMTP).
- Open those ports up between the OWA DMZ and the LAN, and only allow
traffic from a static-NATted address given to the OWA server to the address
of the Exchange server on the LAN. I use 172.16.x.x here, so the address
would be the "real" address of my OWA server -> the NAT address of the OWA
server -> the 172.16.x.x address of the exchange server.
If OWA is on a networked subnet, wouldn't it have to sit on the LAN? In
which case you'd be allowing port 80 directly in, right?
My .2c...
- C
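Added illustration, not from any poster in this thread: a small Python model of the screened-subnet rule base C describes (first-match evaluation with an implicit final drop, which is how a FireWall-1 rule base behaves), so the "only the OWA NAT address may reach the Exchange server, and only on the pinned RPC ports" requirement can be checked against sample packets before it goes into a live policy. Every address here is constructed (203.0.113.10 as the OWA static-NAT address, 198.51.100.7 as an Internet client, 172.16.1.5 as the Exchange server inside the 172.16.x.x range mentioned above), and ports 1500/1501 are stand-ins for whatever fixed ports the registry change assigns; none of these values come from the thread or from Check Point.

```python
"""Model of a screened-subnet rule base for OWA (front) -> Exchange (back).

First-match semantics with an implicit cleanup drop, as in FireWall-1.
All addresses and the pinned RPC port numbers are constructed for this
example and are assumptions, not values from the mailing-list thread.
"""
import ipaddress
from typing import FrozenSet, List, NamedTuple, Tuple


class Rule(NamedTuple):
    name: str
    src: str                # source network, CIDR
    dst: str                # destination network, CIDR
    proto: str              # "tcp", "udp" or "any"
    ports: FrozenSet[int]   # destination ports; empty set means any port
    action: str             # "accept" or "drop"


# Constructed addresses (assumptions for the example).
ANY = "0.0.0.0/0"
OWA_NAT = "203.0.113.10/32"      # static-NAT address of the OWA server
EXCHANGE = "172.16.1.5/32"       # Exchange server on the LAN (172.16.x.x)
LAN = "172.16.0.0/16"

# 135 is the RPC endpoint mapper; 1500/1501 stand in for the fixed ports the
# Exchange 5.5 registry change would assign (assumed values).
PINNED_RPC: FrozenSet[int] = frozenset({135, 1500, 1501})

RULEBASE: List[Rule] = [
    Rule("internet-to-owa-https", ANY, OWA_NAT, "tcp", frozenset({443}), "accept"),
    Rule("owa-to-exchange-rpc", OWA_NAT, EXCHANGE, "tcp", PINNED_RPC, "accept"),
    # Explicit cleanup rule: anything not matched above is dropped.
    Rule("cleanup", ANY, ANY, "any", frozenset(), "drop"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    """True if a packet (src, dst, proto, dport) falls within the rule."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return True


def decide(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule; implicit drop otherwise."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.name, rule.action
    return "implicit-drop", "drop"


def lan_exposure(rules: List[Rule], lan: str) -> List[str]:
    """Names of accept rules that let traffic originating outside `lan` into it.

    This is the review check for the design above: the result should contain
    only the OWA -> Exchange rule, nothing broader.
    """
    lan_net = ipaddress.ip_network(lan)
    exposed = []
    for rule in rules:
        if rule.action != "accept":
            continue
        src_net = ipaddress.ip_network(rule.src)
        dst_net = ipaddress.ip_network(rule.dst)
        if dst_net.overlaps(lan_net) and not src_net.subnet_of(lan_net):
            exposed.append(rule.name)
    return exposed


if __name__ == "__main__":
    # Constructed sample packets: Internet client, OWA NAT address, LAN hosts.
    samples = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),   # browser -> OWA over SSL
        ("198.51.100.7", "203.0.113.10", "tcp", 80),    # cleartext HTTP, not allowed
        ("203.0.113.10", "172.16.1.5", "tcp", 135),     # OWA -> Exchange endpoint mapper
        ("203.0.113.10", "172.16.1.5", "tcp", 1500),    # OWA -> Exchange pinned port
        ("203.0.113.10", "172.16.1.5", "tcp", 1600),    # unpinned dynamic port
        ("203.0.113.10", "172.16.1.20", "tcp", 135),    # OWA -> some other LAN host
        ("198.51.100.7", "172.16.1.5", "tcp", 135),     # Internet -> Exchange directly
    ]
    for pkt in samples:
        print(pkt, "->", decide(RULEBASE, *pkt))
    print("rules admitting outside traffic into the LAN:", lan_exposure(RULEBASE, LAN))
```

The point of lan_exposure() is the review a practitioner does before installing the policy: with the rule base written as above it names only the OWA-to-Exchange rule, and any broader "DMZ -> LAN" rule someone adds later shows up there immediately. Note that the model ignores NAT order of operations; whether a rule sees the pre- or post-NAT address depends on the firewall, so check that against the product before copying the addressing into a real rule.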
-----Original Message-----
From: Adams, Gavin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2001 9:54 AM
To: Adrian Wilson; [EMAIL PROTECTED]
Subject: RE: [FW1] Outlook Web Access - Best practice with FW-1
Some thoughts:
1) Stick the OWA server onto a screened subnet
2) If running Exchange 2000, be prepared to open up Active Directory
domain authentication between the OWA box (front-end) and the Exchange
Server (back-end). As I understand it, Exchange 5.5 allows for a little
better segregation between the front/back-end.
3) SSL the OWA box
4) If possible, drop a host-based IDS on the OWA box to check the IIS
logs, system files etc. Network IDS for the screened subnet is even
better.
These are just a few best practices specific to OWA.
HTH,
--- Gavin
-----Original Message-----
From: Adrian Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2001 07:23
To: [EMAIL PROTECTED]
Subject: [FW1] Outlook Web Access - Best practice with FW-1
I am intending to implement Outlook Web Access through to the Internet. I am
concerned that the implementation should be as secure as possible and would
like to gather information regarding best practice. Any help would be much
appreciated.
Adrian J G Wilson
VEGA Group PLC
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================