That's not entirely true. Having a proxy in front of the actual web server (in this case OWA) allows you to do some more fine-grained control over URLs, so you can filter exactly what URLs the remote users can actually request.

The fact that the data from the proxy to the OWA server is not encrypted means that my IDS technologies see the entire transaction. Allowing SSL to the actual OWA box means that you can't see anything. In fact, I doubt that a host-based IDS could see anything.

Using a front end/back end configuration does provide some advantages, however. Separating OWA onto another box gives you the ability to patch it more often than your back end might need, without really disrupting users. We're planning on moving our separate OWA and connector servers to be FEs in our E2k3 deployment, with a proxy in front of the FE running OWA.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Jean-Francois Bourdeau [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 3:07 PM
> To: Exchange Discussions
> Subject: RE: EX2003 OWA Front End or ISA Publishing for security
>
> Am I right that an ISA followed by a Front End that talks to the Back End
> server is not really more secure than only the ISA publishing the
> BackEnd?
>
> I mean that once the Front End is compromised, it has open connections on
> several important ports to the back end, then gives the hacker the way
> through the internal network.
>
> JF
>
> BTW they talk about IPSEC between the FE and BackEnd... It's not from
> sniffing I'm afraid, it's from a hacker having access (Admin) to the
> front end... Then that hacker will go through the encrypted tunnel :-)
>
> MS answered me that on DirectAccess:
>
> I think you are confusing the function of an FE server with a firewall
> server, such as ISA. Using ISA is not a replacement for an FE server,
> per se. You could use ISA and nothing but a BE server, but then all OWA
> requests will go through port 443 on ISA directly to port 443 on your BE
> server. This means if some sort of HTTP-based attack gets by ISA it
> will hit your BE server.
>
> So if you want additional security, use both ISA and an FE server. Open
> 443 on ISA and send it to the FE server. If an HTTP-based attack hits,
> it will only affect your FE server. If you use auditing and monitor the
> FE server carefully, you may be able to stop any attacker before they
> would be able to compromise other servers. Then, use IPSec between the
> FE and BE server to encrypt the entire path of the traffic.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Anthony Sollars
> Sent: Tuesday, January 20, 2004 2:39 PM
> To: Exchange Discussions
> Subject: RE: EX2003 OWA Front End or ISA Publishing for security
>
> Why open port 80? All you need is 443 for Exchange OWA.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Erick Thompson
> Sent: Tuesday, January 20, 2004 11:28 AM
> To: Exchange Discussions
> Subject: RE: EX2003 OWA Front End or ISA Publishing for security
>
> When this is done, is this "enough" security? I'm looking at setting up
> OWA, and trying to figure out the best security setup. Money is a huge
> issue (non-profit org), so I'm looking at
>
> 1) Open port 80 to internal Exchange system
> 2) Open port 443 (SSL) to internal Exchange system
> 3) Set up a front end server
> 4) Use ISA publishing
>
> Where/how should/could a VPN fit into this? Any other issues I should
> think about?
>
> Thanks,
> Erick
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Anthony Sollars
> > Sent: Tuesday, January 20, 2004 10:58 AM
> > To: Exchange Discussions
> > Subject: RE: EX2003 OWA Front End or ISA Publishing for security
> >
> > Yes it sure is, this is the MS best practice.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Ken Cornetet
> > Sent: Tuesday, January 20, 2004 10:34 AM
> > To: Exchange Discussions
> > Subject: RE: EX2003 OWA Front End or ISA Publishing for security
> >
> > Yes, publishing OWA through ISA server (standalone, not part of a
> > domain) is more secure than using a FE server. Last I checked, this is
> > actually what Microsoft recommends.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Jean-Francois Bourdeau
> > Sent: Tuesday, January 20, 2004 1:04 PM
> > To: Exchange Discussions
> > Subject: EX2003 OWA Front End or ISA Publishing for security
> >
> > Hi
> >
> > I would like to know what most of you think about using ISA to publish
> > OWA 2003 instead of having a Front End Server?
> >
> > If we don't have a lot of users and the only reason we want a Front
> > End is for security, I'll try to convince my customer to use the ISA
> > they have.
> >
> > If a Front End Server is compromised and a hacker has access to it, do
> > you agree with me that because that front end server talks to the back
> > end Exchange, it's making life easy for the hacker to access the
> > internal Exchange and internal network?
> >
> > Web Publishing through ISA is a lot more secure I think?
> >
> > Thanks
> >
> > JF
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:
> > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
> > To unsubscribe via postal mail, please contact us at:
> > Jupitermedia Corp.
> > Attn: Discussion List Management
> > 475 Park Avenue South
> > New York, NY 10016
> >
> > Please include the email address which you have been contacted with.
