Hi,

we're implementing OWA (Outlook Web Access) for our company (I have looked 
at alternatives but we need the central calendar and address book functions).
Our domain is based on an NT 4.0 domain. The Exchange server (5.5) is running 
on a Windows 2000 member server. The OWA machine is also a Windows 2000 
member server running IIS 5 and OWA 5.5. As far as I know it needs to be a 
member server to be able to authenticate users.

During installation the (dedicated) IIS/OWA server resided on the PRO for 
easy configuration. I always intended to move the box to the PSN after 
configuration, but after reading some old posts to this list and several 
Microsoft knowledge base articles I'm starting to wonder if it's worth all 
the trouble. I already implemented most of the security measures mentioned 
on TechNet and in the NSA guide, have installed IIS Lockdown and URLScan, 
disabled all unneeded services (although I do need the Server and 
Workstation services) and am going to use SSL to connect, so I'm more secure 
than just a basic install.

I figured out (Q259240) that I have to set two registry keys on the 
Exchange server to force it to listen on static ports. Those two ports 
together with port 135 need to be open from the PSN to the PRO. I can also 
limit the port range that Exchange uses to communicate back to the OWA 
(Q154596), although that's not really necessary I guess.

Question: do I only need to open these three ports up to the Exchange 
server, or does the OWA also need to communicate with a domain controller 
(PDC or BDC), and if so on what ports? I can't find anything on this (but I 
haven't tried it yet either). How about WINS (to resolve the Exchange 
server name)? Or can I solve that with the HOSTS or LMHOSTS file?

Question: with port 135 (and NetBIOS over TCP/IP) open, is there really 
still a benefit to having the OWA on the PSN? I think there is, because if 
the OWA box gets compromised it only has access to the Exchange machine 
over the three open ports, whereas if it resides on the PRO a compromised 
OWA box has virtually unlimited access. Am I right here, or is it quite 
easy to get from a compromised OWA via the Exchange machine to the rest of 
the network anyhow?

I'd like to know how you set it up, what considerations you made and 
whether there is any advice you can give me.

Thanks a bunch!
Benno
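As an added example (not part of Benno's message), this is the kind of check an administrator would run from the OWA box after moving it to the PSN: it confirms that the Exchange server answers on port 135 and the two static ports, and that ports the PSN firewall is supposed to filter do not answer. The Exchange host name, the two static port numbers and the list of ports expected to be blocked are placeholders, since the message does not give them.

```python
# Added example: verify the PSN -> PRO policy from the OWA host.
# Host name, static port numbers and the "blocked" list are assumptions.
import socket
from typing import Callable, Dict, Iterable, List, Tuple

EXCHANGE_HOST = "exchange.example.internal"  # placeholder (assumption)
RPC_ENDPOINT_MAPPER = 135                    # from the message
STATIC_PORT_IS = 3000                        # placeholder static port (assumption)
STATIC_PORT_SA = 3001                        # placeholder static port (assumption)
REQUIRED = (RPC_ENDPOINT_MAPPER, STATIC_PORT_IS, STATIC_PORT_SA)
# Constructed list of ports the firewall should NOT pass from the PSN.
SHOULD_BE_BLOCKED = (25, 139, 445)


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or host unreachable
        return False


def probe(host: str, ports: Iterable[int],
          opener: Callable[..., bool] = tcp_open) -> Dict[int, bool]:
    """Map each port to whether it accepted a connection."""
    return {p: opener(host, p) for p in ports}


def exposure_report(host: str, required: Iterable[int] = REQUIRED,
                    blocked: Iterable[int] = SHOULD_BE_BLOCKED,
                    opener: Callable[..., bool] = tcp_open) -> Tuple[bool, List[str]]:
    """Compare observed reachability with the intended policy.

    Returns (ok, problems): a required port that does not answer means OWA
    will fail; a supposedly blocked port that answers means the PSN rule set
    is wider than intended.  `opener` is injectable so the logic can be
    exercised without a network.
    """
    problems: List[str] = []
    for port, is_open in probe(host, required, opener).items():
        if not is_open:
            problems.append(f"required port {port} not reachable (OWA will fail)")
    for port, is_open in probe(host, blocked, opener).items():
        if is_open:
            problems.append(f"port {port} reachable but should be filtered")
    return (not problems, problems)


if __name__ == "__main__":
    ok, issues = exposure_report(EXCHANGE_HOST)
    print("policy OK" if ok else "\n".join(issues))
```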

