Am I right that an ISA followed by a Front End that talks to the Back End
server is not really more secure than only the ISA publishing the
BackEnd?

I mean that once the Front End is compromised, it has open connections on
several important ports to the back end, which then gives the hacker a way
through the internal network.



JF
BTW they talk about IPSEC between the FE and BackEnd... It's not
sniffing I'm afraid of, it's a hacker having access (Admin) to the
Front End... Then that hacker will go through the encrypted tunnel :-)

MS answered me that on DirectAccess:

I think you are confusing the function of an FE server with a firewall
server, such as ISA. Using ISA is not a replacement for an FE server, per
se. You could use ISA and nothing but a BE server, but then all OWA
requests will go through port 443 on ISA directly to port 443 on your BE
server. This means if some sort of HTTP-based attack gets by ISA it will
hit your BE server. So if you want additional security, use both ISA and an
FE server. Open 443 on ISA and send it to the FE server. If an HTTP-based
attack hits, it will only affect your FE server. If you use auditing and
monitor the FE server carefully, you may be able to stop any attacker before
they would be able to compromise other servers. Then, use IPSec between the
FE and BE server to encrypt the entire path of the traffic.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Anthony Sollars
Sent: Tuesday, January 20, 2004 2:39 PM
To: Exchange Discussions
Subject: RE: EX2003 OWA Front End or ISA Publishing for security

Why open port 80? All you need is 443 for exchange OWA

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Erick
Thompson
Sent: Tuesday, January 20, 2004 11:28 AM
To: Exchange Discussions
Subject: RE: EX2003 OWA Front End or ISA Publishing for security

When this is done, is this "enough" security? I'm looking at setting up OWA,
and trying to figure out the best security setup. Money is a huge issue
(non-profit org), so I'm looking at

1) Open port 80 to internal Exchange system
2) Open port 443 (SSL) to internal Exchange system
3) Set up a front end server
4) Use ISA publishing

Where/how should/could a VPN fit into this? Any other issues I should think
about?

Thanks,
Erick

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Anthony Sollars
> Sent: Tuesday, January 20, 2004 10:58 AM
> To: Exchange Discussions
> Subject: RE: EX2003 OWA Front End or ISA Publishing for security
> 
> 
> Yes it sure is, this is the MS best practice.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken
> Cornetet
> Sent: Tuesday, January 20, 2004 10:34 AM
> To: Exchange Discussions
> Subject: RE: EX2003 OWA Front End or ISA Publishing for security
> 
> Yes, publishing OWA through ISA server (standalone, not part of a
> domain) is more secure than using a FE server. Last I checked, this is
> actually what Microsoft recommends.
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jean-Francois Bourdeau
> Sent: Tuesday, January 20, 2004 1:04 PM
> To: Exchange Discussions
> Subject: EX2003 OWA Front End or ISA Publishing for security
> 
> 
> Hi
> 
> I would like to know what most of you think about using ISA to publish
> OWA 2003 instead of having a Front End Server?
> 
> If we don't have a lot of users and the only reason we want a Front
> End is for security, I try to convince my customer to use the ISA they
> have.
> 
> If a Front End Server is compromised and a hacker has access to it, do
> you agree with me that because that front end server talks to the back
> end Exchange, it's making life easy for the hacker to access the
> internal Exchange and internal network?
> 
> Web Publishing through ISA is a lot more secure, I think?
> 
> Thanks
> 
> JF
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.


