RE: E2k3 Security Question

2009-11-09 Thread Peter Johnson
Hi Kurt

Your instincts were correct. You definitely don't want your FE/CAS servers in 
the DMZ.

Kind Regards
Peter Johnson
I.T Architect
United Kingdom:+44 1285 65842
South Africa: +27 11 252 1100
Swaziland: +268 442 7000
Fax:+27 11 974 7130
Mobile: +2783 306 0019
peter.john...@peterstow.com

This email message (including attachments) contains information which may be 
confidential and/or legally privileged. Unless you are the intended recipient, 
you may not use, copy or disclose to anyone the message or any information 
contained in the message or from any attachments that were sent with this 
email, and if you have received this email message in error, please advise the 
sender by email, and delete the message. Unauthorised disclosure and/or use of 
information contained in this email may result in civil and criminal liability. 
Everything in this e-mail and attachments relating to the official business of 
Peterstow Aquapower is proprietary to the company. 

Caution should be observed in placing any reliance upon any information 
contained in this e-mail, which is not intended to be a representation or 
inducement to make any decision in relation to Peterstow Aquapower. Any 
decision taken based on the information provided in this e-mail, should only be 
made after consultation with appropriate legal, regulatory, tax, technical, 
business, investment, financial, and accounting advisors. Neither the sender of 
the e-mail, nor Peterstow Aquapower shall be liable to any party for any 
direct, indirect or consequential damages, including, without limitation, loss 
of profit, interruption of business or loss of information, data or software or 
otherwise.

The e-mail address of the sender may not be used, copied, sold, disclosed or 
incorporated into any database or mailing list for spamming and/or other 
marketing purposes without the prior consent of Peterstow Aquapower. 

No warranties are created or implied that an employee of Peterstow Aquapower 
and/or a contractor of Peterstow Aquapower is authorized to create and send 
this e-mail. 

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: 08 November 2009 23:29
To: MS-Exchange Admin Issues
Subject: Re: E2k3 Security Question

Yeah, that's a different thing than putting an FE in the DMZ. I'll ask
him to reconsider his recommendation - we've had preliminary
discussions regarding this, but the final report isn't ready to be
presented to management. I can live with introducing ISA into our
environment, preferably in the DMZ, but was really uncomfortable with
the idea of an Exchange server in the DMZ.

Kurt

On Sun, Nov 8, 2009 at 10:12, Peter Johnson  wrote:
> Microsoft's recommendation has always been to put the Front end server/CAS 
> role directly into your network behind the firewall rather than in the DMZ. 
> The reasoning behind this is related to how many holes you have to punch in 
> the internal firewall to allow RPC access from the FE/CAS roles to the DCs.
>
> If you place the FE/CAS servers inside the internal network you only need to 
> open one hole in your internal firewall, namely 443. Of course MS recommend 
> putting it behind an ISA server with FBA turned on.
>
> I've always run my Exchange Servers this way and have never had a security 
> guy call me on it.
>
>
>
> Kind Regards
> Peter Johnson
> I.T Architect

RE: E2k3 Security Question

2009-11-09 Thread Mayo, Bill
ISA Server can certainly be configured to allow ActiveSync traffic in.  As has 
been mentioned already, I think an ISA Server in the DMZ front-ending your 
Exchange Server is the most secure solution you can have for allowing webmail, 
et al in to your Exchange environment. 

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Sunday, November 08, 2009 2:55 PM
To: MS-Exchange Admin Issues
Subject: Re: E2k3 Security Question

Can you tell me more about the 'reverse proxy in front of OWA' and 'internet 
facing edge appliances'? Do they support ActiveSync devices, or do they 
break them?

I ask, because I have a couple of iPhone users who I can't deny at the moment - 
one is our new CEO - because I think I didn't turn off ActiveSync on their 
accounts when I set them up, and now I have to live with it until I get a 
policy approved. However, if they increase security, and are approved, but 
break ActiveSync, I won't cry. I want them to move to BlackBerrys anyway.

Kurt

On Sun, Nov 8, 2009 at 11:45, Don Andrews  wrote:
> Our basic plan is, no direct internet connection to a server on the internal 
> network.  We use internet facing edge appliances in tier 1 DMZ then content 
> filtering in tier 2, then Exchange on internal network.  Reverse proxy in 
> front of OWA (this is E2K3).  I expect E2K7 to be similar.
>
> I realize this may not work for everyone but it is our model.
>
> -
> Sent from my BlackBerry Wireless Handheld
>
> - Original Message -
> From: Peter Johnson 
> To: MS-Exchange Admin Issues 
> Sent: Sun Nov 08 11:12:04 2009
> Subject: RE: E2k3 Security Question
>
> Microsoft's recommendation has always been to put the Front end server/CAS 
> role directly into your network behind the firewall rather than in the DMZ. 
> The reasoning behind this is related to how many holes you have to punch in 
> the internal firewall to allow RPC access from the FE/CAS roles to the DCs.
>
> If you place the FE/CAS servers inside the internal network you only need to 
> open one hole in your internal firewall, namely 443. Of course MS recommend 
> putting it behind an ISA server with FBA turned on.
>
> I've always run my Exchange Servers this way and have never had a security 
> guy call me on it.
>
>
>
> Kind Regards
> Peter Johnson
> I.T Architect

Re: E2k3 Security Question

2009-11-08 Thread Kurt Buff
Yeah, that's a different thing than putting an FE in the DMZ. I'll ask
him to reconsider his recommendation - we've had preliminary
discussions regarding this, but the final report isn't ready to be
presented to management. I can live with introducing ISA into our
environment, preferably in the DMZ, but was really uncomfortable with
the idea of an Exchange server in the DMZ.

Kurt

On Sun, Nov 8, 2009 at 10:12, Peter Johnson  wrote:
> Microsoft's recommendation has always been to put the Front end server/CAS 
> role directly into your network behind the firewall rather than in the DMZ. 
> The reasoning behind this is related to how many holes you have to punch in 
> the internal firewall to allow RPC access from the FE/CAS roles to the DCs.
>
> If you place the FE/CAS servers inside the internal network you only need to 
> open one hole in your internal firewall, namely 443. Of course MS recommend 
> putting it behind an ISA server with FBA turned on.
>
> I've always run my Exchange Servers this way and have never had a security 
> guy call me on it.
>
>
>
> Kind Regards
> Peter Johnson
> I.T Architect
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: 08 November 2009 19:42
> To: MS-Exchange Admin Issues
> Subject: E2k3 Security Question
>
> All,
>
> We've got a consultant in-house doing an infrastructure review. One of
> the things he's recommending for security reasons is that instead of
> doing SSL direct to our single Exchange servers on our production
> LANs, we should put front-end servers into our DMZ.
>
> I tend to believe that direct SSL (for OWA or RPC/HTTPS) is no less
> secure than a front-end in a DMZ, but I do confess ignorance, and
> would like to know more, and have ammunition one way or the other
> before getting bent out of shape.
>
> Where can I find some documents regarding the relative security of
> these two approaches, and evaluate this for myself before agreeing or
> disagreeing with him on this?
>
> I've been cruising the history of this list, and doing some googling,
> but can't see a direct discussion of this topic.
>
> Thanks,
>
> Kurt
>
>
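As an added illustration of the "holes in the internal firewall" point Peter makes above (example code, not from any poster in this thread): a small audit that models the internal-firewall rules each placement needs and flags what a DMZ-hosted front end would expose. The port numbers are an assumption modelling Windows 2003-era AD/RPC traffic, not values from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permit rule on the internal firewall (constructed model)."""
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port_lo: int
    port_hi: int    # equal to port_lo for a single port
    purpose: str


# Directory/RPC services a reviewer would not want reachable from a DMZ host.
# Assumption for illustration: the usual Active Directory ports, not values
# taken from the thread.
SENSITIVE_SERVICES = {
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 3268): "Global Catalog LDAP",
    ("tcp", 445): "SMB",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
}
WIDE_RANGE_THRESHOLD = 1000  # a range this wide is effectively "any port"


def audit_holes(rules, src_zone="dmz", dst_zone="internal"):
    """Summarise what src_zone may reach in dst_zone.

    Returns the matching rules, the number of distinct (proto, port) pairs
    exposed, and findings for the exposures worth pushing back on: very wide
    port ranges and any rule that reaches a sensitive directory/RPC service.
    """
    matching = [r for r in rules
                if r.src_zone == src_zone and r.dst_zone == dst_zone]
    exposed = set()
    findings = []
    for r in matching:
        width = r.port_hi - r.port_lo + 1
        exposed.update((r.proto, p) for p in range(r.port_lo, r.port_hi + 1))
        if width >= WIDE_RANGE_THRESHOLD:
            findings.append(f"{r.proto}/{r.port_lo}-{r.port_hi} ({r.purpose}): "
                            f"wide range, {width} ports open")
        for (proto, port), name in SENSITIVE_SERVICES.items():
            if proto == r.proto and r.port_lo <= port <= r.port_hi:
                findings.append(f"{proto}/{port} ({r.purpose}): "
                                f"exposes {name} to the {src_zone}")
    return {"rules": matching, "ports_exposed": len(exposed),
            "findings": findings}


# Constructed rule sets for the two designs.  The DMZ list models "many holes
# for RPC to the DCs"; the ports (including the Windows 2003 default dynamic
# RPC range 1025-5000) are an assumption, not a vendor-published list.
FE_IN_DMZ = [
    Rule("internet", "dmz", "tcp", 443, 443, "OWA/RPC-over-HTTPS to FE"),
    Rule("dmz", "internal", "tcp", 80, 80, "FE to back-end OWA proxying"),
    Rule("dmz", "internal", "tcp", 135, 135, "RPC endpoint mapper to DCs"),
    Rule("dmz", "internal", "tcp", 1025, 5000, "dynamic RPC to DCs"),
    Rule("dmz", "internal", "tcp", 389, 389, "LDAP to DCs"),
    Rule("dmz", "internal", "udp", 389, 389, "LDAP to DCs"),
    Rule("dmz", "internal", "tcp", 3268, 3268, "Global Catalog to DCs"),
    Rule("dmz", "internal", "tcp", 88, 88, "Kerberos to DCs"),
    Rule("dmz", "internal", "udp", 88, 88, "Kerberos to DCs"),
    Rule("dmz", "internal", "tcp", 53, 53, "DNS to DCs"),
    Rule("dmz", "internal", "udp", 53, 53, "DNS to DCs"),
]
# FE/CAS inside, ISA/reverse proxy in the DMZ: the single 443 hole.
FE_INTERNAL_BEHIND_PROXY = [
    Rule("internet", "dmz", "tcp", 443, 443, "HTTPS to ISA/reverse proxy"),
    Rule("dmz", "internal", "tcp", 443, 443, "proxy to internal FE/CAS"),
]


def compare_placements():
    """Audit both designs and return the two reports side by side."""
    return {"fe_in_dmz": audit_holes(FE_IN_DMZ),
            "fe_internal_behind_proxy": audit_holes(FE_INTERNAL_BEHIND_PROXY)}


if __name__ == "__main__":
    for name, report in compare_placements().items():
        print(f"{name}: {len(report['rules'])} rule(s), "
              f"{report['ports_exposed']} distinct port(s) exposed")
        for finding in report["findings"]:
            print("  -", finding)
```

The same `audit_holes` call works on a real rule export once it is mapped into `Rule` objects, which makes the "how many holes" question a repeatable check rather than a matter of opinion.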




Re: E2k3 Security Question

2009-11-08 Thread Kurt Buff
Gotcha.

We currently have a pair of Sidewinders in HA configuration, and for
many things are using a SonicWall 2000 SSL VPN appliance, which can
proxy OWA, but that's not required by our setup currently. The
SonicWall doesn't do two-factor auth, but does require a local login
for auth before presenting the SSL VPN 'bookmarks', so that would
break ActiveSync and RPC.

I think the Sidewinders might be capable of proxying the SSL traffic
and applying an appropriate set of protections, but that's beyond my
level of education for them.

Kurt

On Sun, Nov 8, 2009 at 12:26, Don Andrews  wrote:
> We are using the Neoteris (Juniper?) reverse proxy w/ 2-factor authentication 
> for OWA.  I believe it does break direct access by OWA/OMA/ActiveSync - we 
> use BlackBerry.
>
> The appliances neither break nor support ActiveSync - they only support SMTP.  
> The firewall rules break it.
>
> -
> Sent from my BlackBerry Wireless Handheld
>
> - Original Message -
> From: Kurt Buff 
> To: MS-Exchange Admin Issues 
> Sent: Sun Nov 08 12:54:36 2009
> Subject: Re: E2k3 Security Question
>
> Can you tell me more about the 'reverse proxy in front of OWA' and
> 'internet facing edge appliances'? Do they support ActiveSync
> devices, or do they break them?
>
> I ask, because I have a couple of iPhone users who I can't deny at the
> moment - one is our new CEO - because I think I didn't turn off
> ActiveSync on their accounts when I set them up, and now I have to
> live with it until I get a policy approved. However, if they increase
> security, and are approved, but break ActiveSync, I won't cry. I want
> them to move to BlackBerrys anyway.
>
> Kurt
>
> On Sun, Nov 8, 2009 at 11:45, Don Andrews  wrote:
>> Our basic plan is, no direct internet connection to a server on the internal 
>> network.  We use internet facing edge appliances in tier 1 DMZ then content 
>> filtering in tier 2, then Exchange on internal network.  Reverse proxy in 
>> front of OWA (this is E2K3).  I expect E2K7 to be similar.
>>
>> I realize this may not work for everyone but it is our model.
>>
>> ---------
>> Sent from my BlackBerry Wireless Handheld
>>
>> - Original Message -
>> From: Peter Johnson 
>> To: MS-Exchange Admin Issues 
>> Sent: Sun Nov 08 11:12:04 2009
>> Subject: RE: E2k3 Security Question
>>
>> Microsoft's recommendation has always been to put the Front end server/CAS 
>> role directly into your network behind the firewall rather than in the DMZ. 
>> The reasoning behind this is related to how many holes you have to punch in 
>> the internal firewall to allow RPC access from the FE/CAS roles to the DCs.
>>
>> If you place the FE/CAS servers inside the internal network you only need to 
>> open one hole in your internal firewall, namely 443. Of course MS recommend 
>> putting it behind an ISA server with FBA turned on.
>>
>> I've always run my Exchange Servers this way and have never had a security 
>> guy call me on it.
>>
>>
>>
>> Kind Regards
>> Peter Johnson
>> I.T Architect

Re: E2k3 Security Question

2009-11-08 Thread Don Andrews
We are using the Neoteris (Juniper?) reverse proxy w/ 2-factor authentication 
for OWA.  I believe it does break direct access by OWA/OMA/ActiveSync - we use 
BlackBerry.  

The appliances neither break nor support ActiveSync - they only support SMTP.  
The firewall rules break it. 

-
Sent from my BlackBerry Wireless Handheld

- Original Message -
From: Kurt Buff 
To: MS-Exchange Admin Issues 
Sent: Sun Nov 08 12:54:36 2009
Subject: Re: E2k3 Security Question

Can you tell me more about the 'reverse proxy in front of OWA' and
'internet facing edge appliances'? Do they support ActiveSync
devices, or do they break them?

I ask, because I have a couple of iPhone users who I can't deny at the
moment - one is our new CEO - because I think I didn't turn off
ActiveSync on their accounts when I set them up, and now I have to
live with it until I get a policy approved. However, if they increase
security, and are approved, but break ActiveSync, I won't cry. I want
them to move to BlackBerrys anyway.

Kurt

On Sun, Nov 8, 2009 at 11:45, Don Andrews  wrote:
> Our basic plan is, no direct internet connection to a server on the internal 
> network.  We use internet facing edge appliances in tier 1 DMZ then content 
> filtering in tier 2, then Exchange on internal network.  Reverse proxy in 
> front of OWA (this is E2K3).  I expect E2K7 to be similar.
>
> I realize this may not work for everyone but it is our model.
>
> -
> Sent from my BlackBerry Wireless Handheld
>
> - Original Message -
> From: Peter Johnson 
> To: MS-Exchange Admin Issues 
> Sent: Sun Nov 08 11:12:04 2009
> Subject: RE: E2k3 Security Question
>
> Microsoft's recommendation has always been to put the Front end server/CAS 
> role directly into your network behind the firewall rather than in the DMZ. 
> The reasoning behind this is related to how many holes you have to punch in 
> the internal firewall to allow RPC access from the FE/CAS roles to the DCs.
>
> If you place the FE/CAS servers inside the internal network you only need to 
> open one hole in your internal firewall, namely 443. Of course MS recommend 
> putting it behind an ISA server with FBA turned on.
>
> I've always run my Exchange Servers this way and have never had a security 
> guy call me on it.
>
>
>
> Kind Regards
> Peter Johnson
> I.T Architect

Re: E2k3 Security Question

2009-11-08 Thread Kurt Buff
Can you tell me more about the 'reverse proxy in front of OWA' and
'internet facing edge appliances'? Do they support ActiveSync
devices, or do they break them?

I ask, because I have a couple of iPhone users who I can't deny at the
moment - one is our new CEO - because I think I didn't turn off
ActiveSync on their accounts when I set them up, and now I have to
live with it until I get a policy approved. However, if they increase
security, and are approved, but break ActiveSync, I won't cry. I want
them to move to BlackBerrys anyway.

Kurt

On Sun, Nov 8, 2009 at 11:45, Don Andrews  wrote:
> Our basic plan is, no direct internet connection to a server on the internal 
> network.  We use internet facing edge appliances in tier 1 DMZ then content 
> filtering in tier 2, then Exchange on internal network.  Reverse proxy in 
> front of OWA (this is E2K3).  I expect E2K7 to be similar.
>
> I realize this may not work for everyone but it is our model.
>
> -
> Sent from my BlackBerry Wireless Handheld
>
> - Original Message -
> From: Peter Johnson 
> To: MS-Exchange Admin Issues 
> Sent: Sun Nov 08 11:12:04 2009
> Subject: RE: E2k3 Security Question
>
> Microsoft's recommendation has always been to put the Front end server/CAS 
> role directly into your network behind the firewall rather than in the DMZ. 
> The reasoning behind this is related to how many holes you have to punch in 
> the internal firewall to allow RPC access from the FE/CAS roles to the DCs.
>
> If you place the FE/CAS servers inside the internal network you only need to 
> open one hole in your internal firewall, namely 443. Of course MS recommend 
> putting it behind an ISA server with FBA turned on.
>
> I've always run my Exchange Servers this way and have never had a security 
> guy call me on it.
>
>
>
> Kind Regards
> Peter Johnson
> I.T Architect
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: 08 November 2009 19:42
> To: MS-Exchange Admin Issues
> Subject: E2k3 Security Question
>
> All,
>
> We've got a consultant in-house doing an infrastructure review. One of
> the things he's recommending for security reasons is that instead of
> doing SSL direct to our single Exchange servers on our production
> LANs, we should put front-end servers into our DMZ.
>
> I tend to believe that direct SSL (for OWA or RPC/HTTPS) is no less
> secure than a front-end in a DMZ, but I do confess ignorance, and
> would like to know more, and have ammunition one way or the other
> before getting bent out of shape.
>
> Where can I find some documents regarding the relative security of
> these two approaches, and evaluate this for myself before agreeing or
> disagreeing with him on this?
>
> I've been cruising the history of this list, and doing some googling,
> but can't see a direct discussion of this topic.
>
> Thanks,
>
> Kurt
>
>




Re: E2k3 Security Question

2009-11-08 Thread Don Andrews
Our basic plan is, no direct internet connection to a server on the internal 
network.  We use internet facing edge appliances in tier 1 DMZ then content 
filtering in tier 2, then Exchange on internal network.  Reverse proxy in front 
of OWA (this is E2K3).  I expect E2K7 to be similar.  

I realize this may not work for everyone but it is our model.  

-
Sent from my BlackBerry Wireless Handheld

- Original Message -
From: Peter Johnson 
To: MS-Exchange Admin Issues 
Sent: Sun Nov 08 11:12:04 2009
Subject: RE: E2k3 Security Question

Microsoft's recommendation has always been to put the Front end server/CAS role 
directly into your network behind the firewall rather than in the DMZ. The 
reasoning behind this is related to how many holes you have to punch in the 
internal firewall to allow RPC access from the FE/CAS roles to the DCs. 

If you place the FE/CAS servers inside the internal network you only need to 
open one hole in your internal firewall, namely 443. Of course MS recommend 
putting it behind an ISA server with FBA turned on.

I've always run my Exchange Servers this way and have never had a security guy 
call me on it. 



Kind Regards
Peter Johnson
I.T Architect
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: 08 November 2009 19:42
To: MS-Exchange Admin Issues
Subject: E2k3 Security Question

All,

We've got a consultant in-house doing an infrastructure review. One of
the things he's recommending for security reasons is that instead of
doing SSL direct to our single Exchange servers on our production
LANs, we should put front-end servers into our DMZ.

I tend to believe that direct SSL (for OWA or RPC/HTTPS) is no less
secure than a front-end in a DMZ, but I do confess ignorance, and
would like to know more, and have ammunition one way or the other
before getting bent out of shape.

Where can I find some documents regarding the relative security of
these two approaches, and evaluate this for myself before agreeing or
disagreeing with him on this?

I've been cruising the history of this list, and doing some googling,
but can't see a direct discussion of this topic.

Thanks,

Kurt



Re: E2k3 Security Question

2009-11-08 Thread Kurt Buff
Thanks for this. I had just found your blog entry in the list archives
mere moments ago, after more searching. I'll take this in hand to the
meetings we're having, and push back on it.

Kurt

On Sun, Nov 8, 2009 at 10:24, Simon Butler  wrote:
> That consultant needs to be asked how putting a frontend server improved the 
> security of your network.
> When you get the answer, please post back, because no one has given me a good 
> reason why. I ask everyone the same question when they ask how to do it, and 
> no one can answer it.
>
> I can give you plenty of reasons why it is a bad idea though.
>
> http://blog.sembee.co.uk/archive/2006/02/23/7.aspx
>
> If a consultant made that recommendation to me, I would be showing them the 
> door. It does nothing to improve the security of the network.
>
> Now if they are proposing an ISA server, that is a different matter 
> altogether, as that will improve the security and I have many clients, 
> particularly in financial services who are using that combination. ISA is 
> designed to go in a DMZ - Exchange is not.
>
> I shall await someone to post the instructions from Microsoft about how to 
> configure Exchange to go in to a DMZ, as that is usually what happens when 
> this question is posted and I answer in this way.
> The simple response is that while MS may provide the instructions, it 
> doesn't mean it is a good idea. They produced the instructions due to 
> customer demand, almost certainly from the sort of people who believe, or 
> were told, that putting Exchange in to the DMZ somehow makes it more secure.
>
> It should be noted that with Exchange 2007, only Edge is supported in a DMZ, 
> no other role is. Microsoft removed the uncertainty on purpose.
>
> Simon.
>
>
>
> --
> Simon Butler
> MVP: Exchange, MCSE
> Sembee Ltd.
>
> e: si...@sembee.co.uk
> w: http://www.sembee.co.uk/
> w: http://www.amset.info/
> w: http://blog.sembee.co.uk/
>
> Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
> http://CertificatesForExchange.com/ for certificates from just $23.99.
> Need a domain for your certificate? http://DomainsForExchange.net/
>




RE: E2k3 Security Question

2009-11-08 Thread Simon Butler
That consultant needs to be asked how putting a frontend server improved the 
security of your network. 
When you get the answer, please post back, because no one has given me a good 
reason why. I ask everyone the same question when they ask how to do it, and no 
one can answer it. 

I can give you plenty of reasons why it is a bad idea though. 

http://blog.sembee.co.uk/archive/2006/02/23/7.aspx

If a consultant made that recommendation to me, I would be showing them the 
door. It does nothing to improve the security of the network. 

Now if they are proposing an ISA server, that is a different matter altogether, 
as that will improve the security and I have many clients, particularly in 
financial services who are using that combination. ISA is designed to go in a 
DMZ - Exchange is not.

I shall await someone to post the instructions from Microsoft about how to 
configure Exchange to go in to a DMZ, as that is usually what happens when this 
question is posted and I answer in this way. 
The simple response is that while MS may provide the instructions, it doesn't 
mean it is a good idea. They produced the instructions due to customer demand, 
almost certainly from the sort of people who believe, or were told, that 
putting Exchange in to the DMZ somehow makes it more secure. 

It should be noted that with Exchange 2007, only Edge is supported in a DMZ, no 
other role is. Microsoft removed the uncertainty on purpose. 

Simon. 



--
Simon Butler
MVP: Exchange, MCSE
Sembee Ltd.

e: si...@sembee.co.uk
w: http://www.sembee.co.uk/
w: http://www.amset.info/
w: http://blog.sembee.co.uk/

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/ 




RE: E2k3 Security Question

2009-11-08 Thread Peter Johnson
Microsoft's recommendation has always been to put the Front end server/CAS role 
directly into your network behind the firewall rather than in the DMZ. The 
reasoning behind this is related to how many holes you have to punch in the 
internal firewall to allow RPC access from the FE/CAS roles to the DCs. 

If you place the FE/CAS servers inside the internal network you only need to 
open one hole in your internal firewall namely 443. Of course MS recommend 
putting it behind an ISA server with FBA turned on.

I've always run my Exchange Servers this way and have never had a security guy 
call me on it. 



Kind Regards
Peter Johnson
I.T Architect
United Kingdom: +44 1285 65842
South Africa: +27 11 252 1100
Swaziland: +268 442 7000
Fax: +27 11 974 7130
Mobile: +2783 306 0019
peter.john...@peterstow.com

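Peter's point about how many holes each placement punches in the internal firewall can be made concrete with a small exposure model. This is an added example, not code from anyone in the thread; the hosts, zones and the Exchange 2003 front-end port list are constructed, illustrative assumptions.

```python
"""Blast-radius model for the two placements discussed in the thread.

A firewall policy is a list of (source zone, destination host, port) rules.
Starting from the Internet, every host a rule lets us reach is treated as
compromised and its zone becomes a new source zone. The result is the set of
internal-LAN services that an attacker holding the perimeter box could reach.
Topology and port numbers below are constructed assumptions for illustration.
"""
from collections import deque

# Placement A (constructed): Exchange 2003 front-end in the DMZ. The internal
# firewall must pass everything the FE needs to talk to back-ends and DCs.
HOSTS_FE_IN_DMZ = {"frontend": "dmz", "backend": "internal", "dc": "internal"}
RULES_FE_IN_DMZ = [
    ("internet", "frontend", 443),   # OWA / RPC-over-HTTPS from clients
    ("dmz", "backend", 80),          # FE proxies HTTP to the back-end server
    ("dmz", "dc", 389),              # LDAP to domain controllers
    ("dmz", "dc", 3268),             # Global Catalog
    ("dmz", "dc", 88),               # Kerberos
    ("dmz", "dc", 53),               # DNS
    ("dmz", "dc", 135),              # RPC endpoint mapper
    ("dmz", "dc", "1024-65535"),     # dynamic RPC range unless locked down
]

# Placement B (constructed): FE/CAS on the LAN, ISA reverse proxy in the DMZ.
HOSTS_FE_INTERNAL = {"isa": "dmz", "frontend": "internal",
                     "backend": "internal", "dc": "internal"}
RULES_FE_INTERNAL = [
    ("internet", "isa", 443),        # ISA with FBA terminates the client TLS
    ("dmz", "frontend", 443),        # the single hole Peter mentions
]

def port_width(port):
    """Number of TCP ports a rule opens; a 'lo-hi' string denotes a range."""
    if isinstance(port, str):
        lo, hi = map(int, port.split("-"))
        return hi - lo + 1
    return 1

def internal_exposure(hosts, rules, start="internet"):
    """Breadth-first walk over zones: each reachable host is assumed owned,
    so its zone is added as a source. Returns {internal_host: {ports}}."""
    owned, queue, exposed = {start}, deque([start]), {}
    while queue:
        zone = queue.popleft()
        for src, dst, port in rules:
            if src != zone:
                continue
            if hosts[dst] == "internal":
                exposed.setdefault(dst, set()).add(port)
            if hosts[dst] not in owned:          # pivot into a new zone
                owned.add(hosts[dst])
                queue.append(hosts[dst])
    return exposed

def exposed_port_count(exposure):
    """Total internal TCP ports opened across all exposed hosts."""
    return sum(port_width(p) for ports in exposure.values() for p in ports)
```

Running `internal_exposure` on both rule sets shows the difference Peter describes: placement A exposes two internal hosts and tens of thousands of ports (the dynamic RPC range dominates), placement B exposes one HTTPS service that a pre-authenticating proxy can inspect.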