RE: OWA in DMZ

2001-11-16 Thread Toni, Randy

I have an almost identical config here - with the exception of NT4 for the
OWA box (don't have much win2k expertise and currently don't run any
Exchange stuff on it).  Otherwise I do use a 1-way trust from the DMZ, and
the port bindings for the DS and IS on the Exchange box are 1225 and 1226
respectively.  Those 2 ports and the SMB stuff (137, 138, 139) along with
135 (for the RPC stuff) are opened in this config.  Have you opened the
ports to the entire trusted segment, or only to specific servers?

In our world, the only thing in the DMZ right now is the OWA box - it's kind
of dedicated to OWA only, so blowing a few holes into the trusted from there
for OWA doesn't make me too nervous.  But as more services are added in the
DMZ I think I will seriously consider the advice of several others on this
list and move the OWA server within the trusted (443 coming in) and seal up
the DMZ again.  That seems to be the message that I hear more and more.

just my 2c.

randy.  

 -Original Message-
 From: Dikeman, Bo [SMTP:[EMAIL PROTECTED]]
 Sent: November 15, 2001 12:23 PM
 To:   MS-Exchange Admin Issues
 Subject:  OWA in DMZ
 
 Good Morning,
 Please forgive me if this question has already been answered, but I have
 searched high and low and still can't get things to click right.  I am
 trying to get OWA to work in our DMZ, here is what I have:
  
 1.  Exchange 5.5 SP4 running on a W2k member server on the inside.
 2.  A WinNT 4.0 PDC on the same subnet with the Exchange server
 3.  A Cisco PIX w/DMZ card
 4.  A W2k DC (for the DMZ domain) w/OWA 5.5 SP4 in the DMZ
  
 There is a two-way trust between the domains for testing.  This will
 eventually be a one-way trust where the DMZ domain trusts the production
 domain, but not vice versa.  I have the following ports open for the OWA
 box: 53 TCP,UDP; 88 TCP, UDP; 123 TCP; 135 TCP; 389 TCP, UDP; 445 TCP;
 3268 TCP; 137 UDP; 138 UDP; and 139 TCP.  Oh, and 80.  I opened all of
 these per Q articles that said to do so, but any of these that definitely
 do not need to be open please let me know.   I have also bound NTDS on the
 w2k box to 1025 and that port (TCP and UDP) is open per Q280132.  I have
 also bound the Exchange IS, DS, and SA to ports in the registry per
 q259240 and those three TCP ports open in the firewall.
  
 The clincher is everything works when the OWA box is on the inside.  Once
 the OWA box is in the DMZ that is not the case.  Whenever a user tries to
 log on to OWA in this situation, they get the hourglass for a couple of
 minutes and get the script time out error in IE.  Also, I have seen a
 couple of Q articles recommending to set authentication to clear text in
 IIS, that is set.
  
 Any suggestions or any info that someone might need to make a suggestion,
 please, please fire in.
  
 Thanks a bunch,
  
 Bo Dikeman, MCSE
 Network Administrator
 NorthStar Communications Group, Inc.
  
  
 

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
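
A firewall-rule review of the pinhole list quoted in the message above, as an added example that is not part of any list message: it parses the port list in the form the original question gives it and compares it with the 443-only design recommended in the replies. The service table, the `DOMAIN_SERVICES` grouping and the function names are assumptions of this example; the statically bound NTDS and Exchange IS/DS/SA ports are left out.

```python
import re

# Constructed from the port list quoted in the thread (DMZ OWA box to inside).
DMZ_RULES = ("53 TCP,UDP; 88 TCP, UDP; 123 TCP; 135 TCP; 389 TCP, UDP; "
             "445 TCP; 3268 TCP; 137 UDP; 138 UDP; 139 TCP; 80")
INSIDE_RULES = "443 TCP"  # the 443-only alternative from the replies

# Assumption of this example: port -> (service, transports it normally uses).
SERVICES = {
    53: ("DNS", {"tcp", "udp"}),
    80: ("HTTP", {"tcp"}),
    88: ("Kerberos", {"tcp", "udp"}),
    123: ("NTP", {"udp"}),
    135: ("RPC endpoint mapper", {"tcp"}),
    137: ("NetBIOS name service", {"udp"}),
    138: ("NetBIOS datagram", {"udp"}),
    139: ("NetBIOS session", {"tcp"}),
    389: ("LDAP", {"tcp", "udp"}),
    443: ("HTTPS", {"tcp"}),
    445: ("SMB over TCP", {"tcp"}),
    3268: ("Global Catalog LDAP", {"tcp"}),
}
# Assumed grouping: domain authentication, directory and file-sharing services.
DOMAIN_SERVICES = {88, 135, 137, 138, 139, 389, 445, 3268}

def parse_rules(text):
    """Expand '53 TCP,UDP; 80' into sorted (port, proto) pairs; bare port = TCP."""
    pairs = set()
    for item in filter(None, (s.strip() for s in text.split(";"))):
        m = re.fullmatch(r"(\d+)\s*([A-Za-z,\s]*)", item)
        if not m or not 0 < int(m.group(1)) < 65536:
            raise ValueError(f"bad rule: {item!r}")
        protos = [p.strip().lower() for p in m.group(2).split(",") if p.strip()]
        for proto in protos or ["tcp"]:
            if proto not in ("tcp", "udp"):
                raise ValueError(f"bad protocol in {item!r}")
            pairs.add((int(m.group(1)), proto))
    return sorted(pairs)

def audit(text):
    """Summarise a pinhole list: size, domain-service exposure, odd entries."""
    pairs = parse_rules(text)
    return {
        "pinholes": len(pairs),
        "domain_services": sorted({p for p, _ in pairs if p in DOMAIN_SERVICES}),
        "unknown": [(p, t) for p, t in pairs if p not in SERVICES],
        "wrong_transport": [(p, t) for p, t in pairs
                            if p in SERVICES and t not in SERVICES[p][1]],
    }

if __name__ == "__main__":
    for name, rules in (("OWA in DMZ", DMZ_RULES), ("OWA inside", INSIDE_RULES)):
        print(name, audit(rules))
```

On the quoted list the only transport mismatch reported is 123/TCP, since NTP runs over UDP.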




RE: OWA in DMZ

2001-11-15 Thread Ellery July



Make sure W2K is using service pack 2. What ports are open on the firewall for
access and what permissions are granted?
I think ports 1025 and 1026 (not just 1025) higher need to be open because of
RPC. I tend to stay away from this type of setup; it is (my feeling) that it is
less secure than inside with 443 only. Since you have a PIX, use it to do a
one-to-one NAT, then only allow port 25 and 443 only. Two ports versus 14.

Just my two cents

  -Original Message-
  From: Dikeman, Bo [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, November 15, 2001 11:23 AM
  To: MS-Exchange Admin Issues
  Subject: OWA in DMZ

  Good Morning,
  Please forgive me if this question has already been answered, but I have
  searched high and low and still can't get things to click right. I am
  trying to get OWA to work in our DMZ, here is what I have:

  1. Exchange 5.5 SP4 running on a W2k member server on the inside.
  2. A WinNT 4.0 PDC on the same subnet with the Exchange server
  3. A Cisco PIX w/DMZ card
  4. A W2k DC (for the DMZ domain) w/OWA 5.5 SP4 in the DMZ

  There is a two-way trust between the domains for testing. This will
  eventually be a one-way trust where the DMZ domain trusts the production
  domain, but not vice versa. I have the following ports open for the OWA
  box: 53 TCP,UDP; 88 TCP, UDP; 123 TCP; 135 TCP; 389 TCP, UDP; 445 TCP;
  3268 TCP; 137 UDP; 138 UDP; and 139 TCP. Oh, and 80. I opened all of
  these per Q articles that said to do so, but any of these that definitely
  do not need to be open please let me know. I have also bound NTDS on the
  w2k box to 1025 and that port (TCP and UDP) is open per Q280132. I have
  also bound the Exchange IS, DS, and SA to ports in the registry per
  q259240 and those three TCP ports open in the firewall.

  The clincher is everything works when the OWA box is on the inside. Once
  the OWA box is in the DMZ that is not the case. Whenever a user tries to
  log on to OWA in this situation, they get the hourglass for a couple of
  minutes and get the script time out error in IE. Also, I have seen a
  couple of Q articles recommending to set authentication to clear text in
  IIS, that is set.

  Any suggestions or any info that someone might need to make a suggestion,
  please, please fire in.

  Thanks a bunch,

  Bo Dikeman, MCSE
  Network Administrator
  NorthStar Communications Group, Inc.






Re: OWA in DMZ?

2001-10-31 Thread Dianne Roberts

How do I get started setting this up?  I've not worked with SSL and
certificates before.  Any detailed instructions or links would be
appreciated.  We're using NAT behind the firewall, so how do I route the
requests to the internal box without exposing too much?  Thanks


- Original Message -
From: Mark Kelsay [EMAIL PROTECTED]
To: MS-Exchange Admin Issues [EMAIL PROTECTED]
Sent: Thursday, October 25, 2001 3:09 PM
Subject: RE: OWA in DMZ?


 This is what I do as well.  Works great for me.

 -Original Message-
 From: Briggs, Bruce [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 25, 2001 3:09 PM
 To: MS-Exchange Admin Issues
 Subject: RE: OWA in DMZ?


 OWA on an internal box with SSL.
 You could use your existing internal OWA box, just install a certificate.

 Bruce Briggs
 System Administration
 State University of NY


 -Original Message-
 From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 25, 2001 2:49 PM
 To: MS-Exchange Admin Issues
 Subject: OWA in DMZ?


 Hi all.  I'm new to the list, so apologize if this is a duplicate post.
 What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ?  Primary
 Exchange server is 5.5 (NT4) behind firewall (using NAT) and OWA is
 already installed on the same box for internal use.

 Need to make OWA available external.  What is the best way?
 OWA in DMZ?
 OWA in DMZ with SSL?
 Use OWA on internal box? (how?)

 Tried to install OWA on a test DMZ box, but it failed because it wants a
 domain.  My DMZ boxes are in a workgroup.

 Opinions, thoughts, suggestions?  Thanks





RE: OWA in DMZ?

2001-10-31 Thread Martin Blackstone

NAT to the Exch box. Only allow port 443 if you are going to use SSL.
As for installing the cert, I THINK verisign has a how to on their
site.

-Original Message-
From: Dianne Roberts [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 31, 2001 7:17 AM
To: MS-Exchange Admin Issues
Subject: Re: OWA in DMZ?


How do I get started setting this up?  I've not worked with SSL and
certificates before.  Any detailed instructions or links would be
appreciated.  We're using NAT behind the firewall, so how do I route the
requests to the internal box without exposing too much?  Thanks


- Original Message -
From: Mark Kelsay [EMAIL PROTECTED]
To: MS-Exchange Admin Issues [EMAIL PROTECTED]
Sent: Thursday, October 25, 2001 3:09 PM
Subject: RE: OWA in DMZ?


 This is what I do as well.  Works great for me.

 -Original Message-
 From: Briggs, Bruce [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 25, 2001 3:09 PM
 To: MS-Exchange Admin Issues
 Subject: RE: OWA in DMZ?


 OWA on an internal box with SSL.
 You could use your existing internal OWA box, just install a 
 certificate.

 Bruce Briggs
 System Administration
 State University of NY


 -Original Message-
 From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 25, 2001 2:49 PM
 To: MS-Exchange Admin Issues
 Subject: OWA in DMZ?


 Hi all.  I'm new to the list, so apologize if this is a duplicate
 post. What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ?
 Primary Exchange server is 5.5 (NT4) behind firewall (using NAT) and
 OWA is already installed on the same box for internal use.

 Need to make OWA available external.  What is the best way? OWA in
 DMZ? OWA in DMZ with SSL?
 Use OWA on internal box? (how?)

 Tried to install OWA on a test DMZ box, but it failed because it wants
 a domain.  My DMZ boxes are in a workgroup.

 Opinions, thoughts, suggestions?  Thanks





RE: OWA in DMZ?

2001-10-26 Thread Briggs, Bruce



Albany.
Not visited New Paltz campus in a while to check out the visual quality of
campus life...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 4:35 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA in DMZ?

The physical location. I'm guessing by that answer, he must be at New Paltz.

-Original Message-
From: Briggs, Bruce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 12:33 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA in DMZ?

System Admin - no cute students :-(

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 3:13 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA in DMZ?

It's always those state workers!!

Which State University of NY???

Jamie
Binghamton University

-Original Message-
From: Briggs, Bruce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 3:09 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA in DMZ?

OWA on an internal box with SSL.
You could use your existing internal OWA box, just install a certificate.

Bruce Briggs
System Administration
State University of NY

-Original Message-
From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 2:49 PM
To: MS-Exchange Admin Issues
Subject: OWA in DMZ?

Hi all. I'm new to the list, so apologize if this is a duplicate post.
What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ? Primary
Exchange server is 5.5 (NT4) behind firewall (using NAT) and OWA is
already installed on the same box for internal use.

Need to make OWA available external. What is the best way?
OWA in DMZ?
OWA in DMZ with SSL?
Use OWA on internal box? (how?)

Tried to install OWA on a test DMZ box, but it failed because it wants a
domain. My DMZ boxes are in a workgroup.

Opinions, thoughts, suggestions? Thanks





RE: OWA in DMZ?

2001-10-25 Thread Briggs, Bruce

OWA on an internal box with SSL.
You could use your existing internal OWA box, just install a certificate.

Bruce Briggs
System Administration
State University of NY


-Original Message-
From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 2:49 PM
To: MS-Exchange Admin Issues
Subject: OWA in DMZ?


Hi all.  I'm new to the list, so apologize if this is a duplicate post. 
What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ?  Primary
Exchange server is 5.5 (NT4) behind firewall (using NAT) and OWA is
already installed on the same box for internal use.

Need to make OWA available external.  What is the best way?
OWA in DMZ?
OWA in DMZ with SSL?
Use OWA on internal box? (how?)

Tried to install OWA on a test DMZ box, but it failed because it wants a
domain.  My DMZ boxes are in a workgroup.

Opinions, thoughts, suggestions?  Thanks





RE: OWA in DMZ?

2001-10-25 Thread Arnold, Jamie

It's always those state workers!!

Which State University of NY???

Jamie
Binghamton University

-Original Message-
From: Briggs, Bruce [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 25, 2001 3:09 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA in DMZ?


OWA on an internal box with SSL.
You could use your existing internal OWA box, just install a certificate.

Bruce Briggs
System Administration
State University of NY


-Original Message-
From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 2:49 PM
To: MS-Exchange Admin Issues
Subject: OWA in DMZ?


Hi all.  I'm new to the list, so apologize if this is a duplicate post. 
What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ?  Primary
Exchange server is 5.5 (NT4) behind firewall (using NAT) and OWA is already
installed on the same box for internal use.

Need to make OWA available external.  What is the best way?
OWA in DMZ?
OWA in DMZ with SSL?
Use OWA on internal box? (how?)

Tried to install OWA on a test DMZ box, but it failed because it wants a
domain.  My DMZ boxes are in a workgroup.

Opinions, thoughts, suggestions?  Thanks





RE: OWA in DMZ?

2001-10-25 Thread Lefkovics, William

I've always advocated putting the OWA box internal to your network.   

OWA accesses the exchange server using MAPI, therefore requiring several
compromisable ports to be open.  Depending on what else you use your DMZ
for, this may not be acceptable.  Others will say OWA internally is
unacceptable.

Definitely SSL.  Port 443 only.

Neither is 100% secure.

Regards,

William Lefkovics, MCSE, A+

-Original Message-
From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 11:49 AM
To: MS-Exchange Admin Issues
Subject: OWA in DMZ?


Hi all.  I'm new to the list, so apologize if this is a duplicate post. 
What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ?  Primary
Exchange server is 5.5 (NT4) behind firewall (using NAT) and OWA is
already installed on the same box for internal use.

Need to make OWA available external.  What is the best way?
OWA in DMZ?
OWA in DMZ with SSL?
Use OWA on internal box? (how?)

Tried to install OWA on a test DMZ box, but it failed because it wants a
domain.  My DMZ boxes are in a workgroup.

Opinions, thoughts, suggestions?  Thanks





RE: OWA in DMZ?

2001-10-25 Thread Mark Kelsay

This is what I do as well.  Works great for me.

-Original Message-
From: Briggs, Bruce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 3:09 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA in DMZ?


OWA on an internal box with SSL.
You could use your existing internal OWA box, just install a certificate.

Bruce Briggs
System Administration
State University of NY


-Original Message-
From: Dianne Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 2:49 PM
To: MS-Exchange Admin Issues
Subject: OWA in DMZ?


Hi all.  I'm new to the list, so apologize if this is a duplicate post. 
What's everyone's opinions on an OWA 5.5 (NT4) box in the DMZ?  Primary
Exchange server is 5.5 (NT4) behind firewall (using NAT) and OWA is
already installed on the same box for internal use.

Need to make OWA available external.  What is the best way?
OWA in DMZ?
OWA in DMZ with SSL?
Use OWA on internal box? (how?)

Tried to install OWA on a test DMZ box, but it failed because it wants a
domain.  My DMZ boxes are in a workgroup.

Opinions, thoughts, suggestions?  Thanks
