RE: Front-End/Back-End Topology - Ex2K
Sorry.. I was being flippant re: Hotmail.. more to highlight a reluctance to use POP3 (through a firewall) than any desire to use Hotmail... The comment about OWA was regarding having to wrap a session with SSL to get around the basic authentication requirement/clear-text password limitation of a FE/BE deployment and make it 'secure'. Thanks for the pointer on the IPSec article.

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: 19 March 2002 23:11
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

With OWA2000 over SSL, the entire session is encrypted. With Hotmail, only authentication is encrypted (I believe).

AND you ought to read Martin Tuip's article on deploying IPSec to secure the front end to back end communication for OWA. Riveting stuff!!

_________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
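Damian's point above, that POP/IMAP logins and OWA Basic authentication put the password on the wire in clear text unless the whole session is wrapped in SSL, shown as an added example; this is not code from the original thread or from any list member. Given the client side of a captured TCP stream per port, it pulls the credential out of POP3 USER/PASS, IMAP4 LOGIN or AUTHENTICATE PLAIN, and an HTTP Basic Authorization header, and treats a TLS-wrapped port (993, 443) as opaque. The captures, host name and account below are constructed for the example, not real traffic.

```python
"""Find credentials that cross the wire in the clear on the protocols the thread
argues about: POP3 (110), IMAP4 (143) and HTTP with Basic authentication (80).
Added example, not part of the original thread.  The streams below are
constructed by hand to look like the client->server half of a TCP session;
no real hosts, users or traffic are involved."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    port: int
    protocol: str
    username: str
    password: str


def parse_pop3(text):
    """POP3 USER/PASS: both the name and the password are literal text."""
    user = re.search(r"^USER (\S+)\r?$", text, re.M | re.I)
    pw = re.search(r"^PASS (.+?)\r?$", text, re.M | re.I)
    return (user.group(1), pw.group(1)) if user and pw else None


def parse_imap(text):
    """IMAP4 LOGIN (password optionally quoted) or AUTHENTICATE PLAIN, whose
    base64 blob is merely encoded, not encrypted."""
    m = re.search(r'^\S+ LOGIN (\S+) ("?)(.+?)\2\r?$', text, re.M | re.I)
    if m:
        return m.group(1), m.group(3)
    m = re.search(r"^\S+ AUTHENTICATE PLAIN\r?\n([A-Za-z0-9+/=]+)\r?$", text, re.M | re.I)
    if m:
        parts = base64.b64decode(m.group(1)).split(b"\0")  # \0authzid\0user\0pass
        if len(parts) == 3:
            return parts[1].decode(), parts[2].decode()
    return None


def parse_http_basic(text):
    """HTTP Basic: the Authorization header carries base64("user:password")."""
    m = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", text, re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None


PARSERS = {110: ("POP3", parse_pop3), 143: ("IMAP4", parse_imap), 80: ("HTTP Basic", parse_http_basic)}


def is_tls_client_hello(raw):
    """TLS record type 0x16 (handshake), major version 3: the session is wrapped,
    so the LOGIN/PASS/Authorization inside is not readable without the keys."""
    return len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03


def scan_streams(streams):
    """streams: {port: client->server bytes}.  Returns findings sorted by port."""
    findings = []
    for port, raw in streams.items():
        if port not in PARSERS or is_tls_client_hello(raw):
            continue
        name, parser = PARSERS[port]
        creds = parser(raw.decode("utf-8", errors="replace"))
        if creds:
            findings.append(Finding(port, name, *creds))
    return sorted(findings, key=lambda f: f.port)


# Constructed sample captures (placeholder host, user and password; not real traffic).
SAMPLE_STREAMS = {
    110: b"USER mylo\r\nPASS Winter2002!\r\nSTAT\r\nQUIT\r\n",
    143: b'a001 LOGIN mylo "Winter2002!"\r\na002 SELECT INBOX\r\n',
    80: (b"GET /exchange/ HTTP/1.1\r\nHost: owa.example.invalid\r\n"
         b"Authorization: Basic " + base64.b64encode(b"CORP\\mylo:Winter2002!") + b"\r\n\r\n"),
    # 993 (IMAPS): a TLS ClientHello prefix; the LOGIN inside is not visible.
    993: b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
}

if __name__ == "__main__":
    for f in scan_streams(SAMPLE_STREAMS):
        print(f"port {f.port:<4} {f.protocol:<11} user={f.username!r} password={f.password!r}")
```

Running it prints the same password three times, once per clear-text port; the 993 stream yields nothing because only the TLS record layer is visible. The base64 in Basic auth and AUTHENTICATE PLAIN is encoding, not protection, which is why the thread's answer is SSL on 443/993 rather than a different login command.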
RE: Front-End/Back-End Topology - Ex2K
http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=24063

Looks like you need a subscription.[1]

William

[1] Hi Martin

-----Original Message-----
From: Richard Leslie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 3:15 PM
To: Exchange Discussions
Subject: Re: Front-End/Back-End Topology - Ex2K

Ok, where do I find Martin Tuip's article?
Re: Front-End/Back-End Topology - Ex2K
Ok, where do I find Martin Tuip's article?

----- Original Message -----
From: "William Lefkovics" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Tuesday, March 19, 2002 5:10 PM
Subject: RE: Front-End/Back-End Topology - Ex2K

> With OWA2000 over SSL, the entire session is encrypted. With Hotmail, only
> authentication is encrypted (I believe).
>
> AND you ought to read Martin Tuip's article on deploying IPSec to secure the
> front end to back end communication for OWA. Riveting stuff!!
RE: Front-End/Back-End Topology - Ex2K
With OWA2000 over SSL, the entire session is encrypted. With Hotmail, only authentication is encrypted (I believe).

AND you ought to read Martin Tuip's article on deploying IPSec to secure the front end to back end communication for OWA. Riveting stuff!!

-----Original Message-----
From: Myles, Damian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 2:19 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

More an aversion to using something (POP/IMAP) with passwords in clear text, and since Outlook doesn't support APOP we have to go over SSL. Having said all that, I have to do HTTP over SSL with OWA and a front-end/back-end topology anyway ... so I'll just get my coat :)

Mylo
RE: Front-End/Back-End Topology - Ex2K
More an aversion to using something (POP/IMAP) with passwords in clear text, and since Outlook doesn't support APOP we have to go over SSL. Having said all that, I have to do HTTP over SSL with OWA and a front-end/back-end topology anyway ... so I'll just get my coat :)

Mylo

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: 19 March 2002 01:36
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

Why? What's wrong with POP/IMAP?

IMAP4 over SSL for example.

Why would you rather give them Hotmail?

William
RE: Front-End/Back-End Topology - Ex2K
It wouldn't be significantly different, but given the limited framing of the question, I'd say "yes". It's better to come through an ISA server to an OWA box on the inside network than to put OWA in the DMZ. All caveats included, of course.

-----Original Message-----
From: Richard Leslie [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 10:44 AM
To: Exchange Discussions
Subject: Re: Front-End/Back-End Topology - Ex2K

Would coming in thru the ISA server be better than an IIS server in the DMZ running OWA? Not leading, just asking, not very familiar with ISA.
RE: Front-End/Back-End Topology - Ex2K
Why? What's wrong with POP/IMAP?

IMAP4 over SSL for example.

Why would you rather give them Hotmail?

William

-----Original Message-----
From: Myles, Damian [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 7:38 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

I'd be happier giving them a hotmail account than POP/IMAP..
Re: Front-End/Back-End Topology - Ex2K
Would coming in thru the ISA server be better than an IIS server in the DMZ running OWA? Not leading, just asking, not very familiar with ISA.

----- Original Message -----
From: "Martin Blackstone" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, March 18, 2002 10:21 AM
Subject: RE: Front-End/Back-End Topology - Ex2K

> SSL
>
> -----Original Message-----
> From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 5:48 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
>
> How do you guys secure exchange with OWA and POP/IMAP if you don't put it in
> a DMZ?
>
> Matt
RE: Front-End/Back-End Topology - Ex2K
I'd be happier giving them a hotmail account than POP/IMAP..

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: 18 March 2002 16:35
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

Let's see -

OWA = SSL

POP/IMAP = doesn't happen on my network, but if it did, it would only be via VPN

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Peregrine Systems
Atlanta, GA
RE: Front-End/Back-End Topology - Ex2K
Let's see -

OWA = SSL
POP/IMAP = doesn't happen on my network, but if it did, it would only be via VPN

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Peregrine Systems
Atlanta, GA

> -Original Message-
> From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 8:48 AM
> To: Exchange Discussions
> Subject: RE: Front-End/Back-End Topology - Ex2K
>
> How do you guys secure exchange with OWA and POP/IMAP if you
> don't put it in a DMZ?
>
> Matt

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
RE: Front-End/Back-End Topology - Ex2K
Check out this article, to ferment further conversation >:)

http://isaserver.org/shinder/tutorials/intradomain_communications.htm

It looks at intra-domain communication through an ISA firewall.. anything that turns your firewall into a colander comes up short in my book :)

Regards
Mylo

-Original Message-
From: Woodrick, Ed [mailto:[EMAIL PROTECTED]]
Sent: 18 March 2002 16:15
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

How would you expect to secure Exchange and put it in a DMZ?

Let's say that you "secure" the box by putting it in the DMZ. This usually means that you've restricted port access to the server to the HTTPS port. Okay, fine. Now why isn't this same box secure if you put it inside the network and restrict the same ports?

Well, you say, if the box's security is breached, you're still protected. Common response, but very incorrect. If your DMZ box gets breached, and a hacker is able to launch a script on the box, then let's see what they have access to. All other Exchange Servers and Domain Controllers at a minimum, and more than likely NetBIOS access to every machine on the network with 139 open.

But let's say that you restricted it as much as possible. Then you only have access to Exchange Servers and Domain Controllers. Do you happen to see the problem here? Once you have access to the Domain Controllers, it really doesn't matter what else you have access to! So by putting an Exchange Server in the DMZ, you completely compromised the DMZ.

BTW, the concept of the DMZ is an area in which connections enter, but do not exit. The original types of DMZ boxes were FTP servers. People from the inside would FTP to the server and drop off files, people on the outside would FTP to the server and pick up the files. At the point that you allow a connection to exit the DMZ, you have compromised the security of the DMZ.
RE: Front-End/Back-End Topology - Ex2K
SSL

-Original Message-
From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 5:48 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

How do you guys secure exchange with OWA and POP/IMAP if you don't put it in a DMZ?

Matt
RE: Front-End/Back-End Topology - Ex2K
How would you expect to secure Exchange and put it in a DMZ?

Let's say that you "secure" the box by putting it in the DMZ. This usually means that you've restricted port access to the server to the HTTPS port. Okay, fine. Now why isn't this same box secure if you put it inside the network and restrict the same ports?

Well, you say, if the box's security is breached, you're still protected. Common response, but very incorrect. If your DMZ box gets breached, and a hacker is able to launch a script on the box, then let's see what they have access to. All other Exchange Servers and Domain Controllers at a minimum, and more than likely NetBIOS access to every machine on the network with 139 open.

But let's say that you restricted it as much as possible. Then you only have access to Exchange Servers and Domain Controllers. Do you happen to see the problem here? Once you have access to the Domain Controllers, it really doesn't matter what else you have access to! So by putting an Exchange Server in the DMZ, you completely compromised the DMZ.

BTW, the concept of the DMZ is an area in which connections enter, but do not exit. The original types of DMZ boxes were FTP servers. People from the inside would FTP to the server and drop off files, people on the outside would FTP to the server and pick up the files. At the point that you allow a connection to exit the DMZ, you have compromised the security of the DMZ.

-Original Message-
From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
Posted At: Monday, March 18, 2002 8:48 AM
Posted To: Microsoft Exchange
Conversation: Front-End/Back-End Topology - Ex2K
Subject: RE: Front-End/Back-End Topology - Ex2K

How do you guys secure exchange with OWA and POP/IMAP if you don't put it in a DMZ?

Matt
RE: Front-End/Back-End Topology - Ex2K
Secondary Authentication at the firewall
Publish OWA on an ISA server in DMZ

Simon

-Original Message-
From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
Sent: 18 March 2002 13:48
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

How do you guys secure exchange with OWA and POP/IMAP if you don't put it in a DMZ?

Matt
RE: Front-End/Back-End Topology - Ex2K
Matt,

Publishing everything behind the firewall and running inbound services over SSL.

Mylo

PS: Thanks for all the feedback.

-Original Message-
From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]]
Sent: 18 March 2002 14:48
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

How do you guys secure exchange with OWA and POP/IMAP if you don't put it in a DMZ?

Matt
RE: Front-End/Back-End Topology - Ex2K
How do you guys secure exchange with OWA and POP/IMAP if you don't put it in a DMZ?

Matt

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 8:44 AM
To: Exchange Discussions
Subject: RE: Front-End/Back-End Topology - Ex2K

There should be a rotating tag line appended to each message;

"Exchange doesn't belong in the DMZ"
"PST=BAD"
"BLB=BAD"

Etc
RE: Front-End/Back-End Topology - Ex2K
There should be a rotating tag line appended to each message;

"Exchange doesn't belong in the DMZ"
"PST=BAD"
"BLB=BAD"

Etc

-Original Message-
From: missy koslosky [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 5:22 AM
To: Exchange Discussions
Subject: Re: Front-End/Back-End Topology - Ex2K

Go with your instincts. Keep it out of the DMZ.

There's lots of history on this in the archives of this list.

Missy
Re: Front-End/Back-End Topology - Ex2K
Go with your instincts. Keep it out of the DMZ.

There's lots of history on this in the archives of this list.

Missy

- Original Message -
From: "Myles, Damian" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, March 18, 2002 7:47 AM
Subject: Front-End/Back-End Topology - Ex2K

Posted this on the ISA forums a few days ago, but thought it might be an idea to post for discussion.

A while back I tested a FE/BE topology with the FE server sitting on our DMZ, opening numerous ports on our interior firewall to allow AD/GC lookups through etc. Now it comes to actually putting these fruits of labour into practice in a production environment, I'm far from convinced of the rationale of placing a FE server on a DMZ, given the security implications of doing so with regard to the numerous open ports. I'm more inclined to publish the front-end server (on our LAN) and allow remote users to connect through HTTPS, secured behind ISA, acknowledging there is always a risk putting Internet-accessed resources on a production LAN.

Since this is a back-to-back firewall, the following ports would need to be opened

Exterior Firewall
-
443/TCP HTTPS
25/TCP SMTP
993/TCP IMAPS

Interior Firewall
-
80/TCP HTTP
143/TCP IMAP
25/TCP SMTP
389/TCP LDAP
389/UDP LDAP
3268/TCP
88/TCP KERBEROS
88/UDP KERBEROS
53/TCP DNS
53/UDP DNS
135/TCP RPC
445/TCP NETLOGON

I know a lot of the above can be secured over SSL and RPC limited to a single port (rather than anything above 1024), and that I can tunnel HTTP through IPSEC or VPN. However, since I'm using SecureNAT clients with ISA, IPSEC isn't really viable.

Would appreciate any feedback on this and to find out what the general consensus of opinion is?

Regards
Mylo
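The two placements debated in this thread, checked side by side as an added example (not code from any poster): it parses the interior-firewall list from the original post and reports which of those ports terminate on domain controllers, the reach Ed Woodrick's post warns a compromised DMZ host would have. The port-to-role classification and the empty "FE on LAN" interior rule set are my assumptions.

```python
"""Exposure check for the two Exchange 2000 FE/BE placements discussed in
the thread: front-end in the DMZ (interior firewall opened for AD/GC lookups)
versus front-end on the LAN published over HTTPS only.

Added example, not code from any poster. The rule lines are copied from the
original post; the port-to-role classification and the "FE on LAN" rule set
are assumptions for illustration."""

from dataclasses import dataclass

# Verbatim from the original post's "Interior Firewall" list (FE in DMZ).
INTERIOR_DMZ = """
80/TCP HTTP
143/TCP IMAP
25/TCP SMTP
389/TCP LDAP
389/UDP LDAP
3268/TCP
88/TCP KERBEROS
88/UDP KERBEROS
53/TCP DNS
53/UDP DNS
135/TCP RPC
445/TCP NETLOGON
"""

# Assumed: with the FE on the LAN and published through ISA, no inbound
# connection crosses an interior firewall; only 443/TCP is published.
INTERIOR_LAN = ""

# Assumed roles. DC_PORTS terminate on domain controllers / global catalogs,
# the hosts Ed's post identifies as the real prize behind a DMZ box.
DC_PORTS = {(389, "TCP"), (389, "UDP"), (3268, "TCP"), (88, "TCP"),
            (88, "UDP"), (53, "TCP"), (53, "UDP"), (135, "TCP"), (445, "TCP")}
# Ports that carry credentials or mail in the clear as listed (no SSL/TLS).
CLEARTEXT_PORTS = {(80, "TCP"), (143, "TCP"), (389, "TCP"), (389, "UDP"),
                   (3268, "TCP")}


@dataclass(frozen=True)
class Rule:
    port: int
    proto: str
    name: str  # may be empty: the post lists "3268/TCP" with no label


def parse_rules(text: str) -> list[Rule]:
    """Parse lines in the post's '<port>/<proto> <name>' format."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        spec, _, name = line.partition(" ")
        port, _, proto = spec.partition("/")
        if not port.isdigit() or not proto:
            raise ValueError(f"bad rule line: {line!r}")
        rules.append(Rule(int(port), proto.upper(), name.strip()))
    return rules


def exposure(rules: list[Rule]) -> dict:
    """What a foothold on the front-end host can reach through the interior
    firewall under the given rule set."""
    dc = sorted(f"{r.port}/{r.proto}" for r in rules
                if (r.port, r.proto) in DC_PORTS)
    clear = sorted(f"{r.port}/{r.proto}" for r in rules
                   if (r.port, r.proto) in CLEARTEXT_PORTS)
    return {
        "interior_rules": len(rules),
        "dc_ports": dc,
        "cleartext_ports": clear,
        "reaches_dc": bool(dc),
    }


def compare() -> dict:
    """Both placements side by side."""
    return {
        "fe_in_dmz": exposure(parse_rules(INTERIOR_DMZ)),
        "fe_on_lan": exposure(parse_rules(INTERIOR_LAN)),
    }


if __name__ == "__main__":
    for placement, result in compare().items():
        print(f"{placement}: {result}")
```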