Ed Crowley [MVP] wrote:
> I would submit that you're safer allowing SSL HTTP OWA only through the
> firewall than you'll be by opening the myriad ports you need to open to make
> OWA work in the DMZ. Get the KB that lists all the ports, show it to the
> firewall guy, and if he has any sense, he'll agree with you.

Thanks for your reply, Ed. And, Ed, I completely agree with you! There are already several webservers in the DMZ, however, that require most of those ports open to the internal network already, so the precedent is already set.

The firewall guy, and the Network Security Manager, also have a policy that will not allow a hole in both the external and internal firewall that allows outside connections directly to a machine on the internal network. All outside connections must be first to a machine in the DMZ, and that machine can then connect to machines on the internal network.

Of course, my main MTA is already an exception, since it's on the internal network, and we have to allow SMTP connections to it. But, the security guys say we use "hide addresses" so outside connections don't really know what the IP of the internal machine is.

Larry Wahlers
