That's definitely accurate. In general most companies use an HTTP to HTTPS redirect so that their users can simply enter in http://mail.company.com and then they are automatically redirected to https://mail.company.com/exchange/etc/whatever/cooltechnology

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evan Mann
Sent: Wednesday, September 06, 2006 8:44 AM
To: Exchange Discussions
Subject: RE: OWA Pros & Cons

ISA does let you control what URLs you pass when web publishing, which can be done for OWA.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Cunningham
Sent: Tuesday, September 05, 2006 9:53 PM
To: Exchange Discussions
Subject: RE: OWA Pros & Cons

Hey Andy,

I thought with ISA you could control what URLs you would proxy on behalf of your FE (or any web server), i.e. https://servername/exchange/* is OK, but if someone used https://servername it would not be passed to the FE (or web server). Or am I way off the mark? I had the impression that ISA had some abilities like http://www.eeye.com/html/products/secureiis/index.html

Regarding RPC over HTTPS, I think I know what you are meaning: using Exchange cached mode and RPC over HTTPS gives you superior functionality to "old" Outlook offline.

Regarding VPN, for us there is no additional expense, but I can see your point, and it just depends how paranoid you are. We have a threat protection system in front of our firewall as well.....:-)

Additionally, for us a VPN means "an encrypted channel whose ports are controlled by a firewall"; to others a VPN means "an encrypted channel where all ports are open".

Cheers
Dean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Blevins
Sent: Wednesday, 6 September 2006 12:30
To: Exchange Discussions
Subject: RE: OWA Pros & Cons

ISA 2004 is actually an advanced firewall and secure proxy. The proxy portion is important to understand for those that are security minded like Dean. Inbound connections for OWA and RPC/HTTPS Outlook do not "pass through" ISA 2004 on their way to the internal network. Instead, ISA 2004 accepts the connection on its external NIC and creates an entirely separate "proxied" connection on its internally facing NIC with the Front-End Exchange server. All of the SSL encryption overhead can then be offloaded to the ISA box, thus reducing the CPU load on your FE server.

HTTPS is for encryption, ISA is for security. Dean is right on the money.

Some people like to have:

external firewall<----->ISA 2004<------->Internal Network and exchange

Others do:

Internet<------>ISA 2004<------->Internal network

Although I'm sure you already have a second advanced firewall in addition to ISA, so the first configuration would be your best bet.

In addition, make sure not to confuse RPC/HTTPS with Outlook in Offline mode. The two couldn't be further apart. RPC/HTTPS allows for a live, fully functional, encrypted and secure (via ISA) connection into your mailbox in the same way that Outlook does sitting in the office. Its biggest draw is that it does so without the added expense and administrative overhead of a VPN solution. Now, you may use VPN for other software solutions, but rest assured that you do not need it for your mobile laptop users if you have Exchange 2003, Outlook 2003, and ISA 2004.

10 bucks says this thread turns into an awesome security discussion! :-P

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Cunningham
Sent: Tuesday, September 05, 2006 8:14 PM
To: Exchange Discussions
Subject: RE: OWA Pros & Cons

Security 101

If a port open to all == security risk

https provides encryption, that is all.

From a hacking perspective, whether it is http, https or RPC over https is irrelevant; they are all as insecure as the other, in principle. They all use IIS, so any exploit for IIS means the server you are running IIS on is open to unknown exploits, and known ones if you don't keep up to date with your security patches :-)

One good use of a FE Exchange server is that you can take this down and apply a patch without taking down the mailstore people are using.

One advantage of ISA2k4 (as I understand it, I don't use it) is that you can publish the URLs that you will allow to the Exchange server, and control the type of "queries" hackers could use. This reduces your risk profile. Should you want to reduce it even further, then some form of two factor authentication (RSA, Aladdin, secureword token) integrated with ISA would provide you with the "maximum".

Additionally, if you want to provide security for any and all conversations between a remote client and your network, then some form of VPN would be advisable.

In my case I use a firewall with RSA tokens. Any client that wants access must install a VPN client on their machine, and currently the only access is via terminal services and ActiveSync. I also don't have to worry about certificates. Rather than just limiting them to OWA, we give them their whole environment. It just means they have to be connected to use it.

The advantage of Ed's "https over RPC" is that the sales people can compose and reply to messages offline, thus improving convenience and internet access costs (if paying by the hour). Also, if the sales people have low bandwidth, then using terminal services or OWA can be painful (really need broadband).

HTH
Dean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Henry
Sent: Wednesday, 6 September 2006 04:52
To: Exchange Discussions
Subject: OWA Pros & Cons

Up until now, I have simply co-delivered mail for temporary "On the Road" access. I have looked over OWA; to me it seems it's not worth the effort.

Well, I have a salesman who has believed the sales pitch they have received concerning a PDA that can work with OWA. Beyond that, most of these people have laptops with VPN into our domain. So it's a huge waste for such little benefits being duplicated. But I am falling prey to the convenience of web access to solve "lack of planning" issues.

But my problem is it's getting into the realm of: what are my risks (security or otherwise) for such benefits? What are my setup options to make this as secure as possible? Has anyone been hacked through their OWA? Is there a definitive web page on all the reasons not to use OWA? ( My viewpoint is being questioned. No one will remember I told them not to do this, if/when we fall prey to Microsoft's Security Competency. )

We run E2K3 on W2K3 server, with an ISA2K4 on another W2K3 server for access setup.

Regards,
Michael

**********************************************************************
Have you clicked on yet? www.nrc.govt.nz
**********************************************************************
NORTHLAND REGIONAL COUNCIL
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify [EMAIL PROTECTED]
**********************************************************************

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to [EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
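
The URL-publishing behaviour discussed in this thread (bounce plain HTTP to HTTPS, forward only https://servername/exchange/*, refuse everything else), as an added Python sketch that is not part of any poster's message and is not ISA's own logic. The function names, the landing path and the canonicalization rules are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# "/exchange/" is the prefix named in the thread; a real rule lists more.
ALLOWED_PREFIXES = ("/exchange/",)
LANDING_PATH = "/exchange/"  # assumed target of the HTTP-to-HTTPS redirect


def canonical_path(raw_path):
    """Decode and normalize a request path; None means refuse it."""
    decoded = unquote(raw_path)
    # A leftover "%" means double encoding; with backslashes and NULs it is a
    # usual way to slip "../" past a prefix check. This strict rule also
    # refuses a legitimately encoded literal "%".
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing slash; put it back so prefixes still match.
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_published(path):
    # IIS paths are case-insensitive, so compare in lower case.
    p = path.lower()
    return any(p == pre.rstrip("/") or p.startswith(pre)
               for pre in ALLOWED_PREFIXES)


def decide(url):
    """Return (action, detail); action is REDIRECT, FORWARD or DENY."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Plain HTTP is never proxied inward, only bounced to HTTPS.
        return ("REDIRECT", f"https://{parts.hostname}{LANDING_PATH}")
    if parts.scheme != "https":
        return ("DENY", "unsupported scheme")
    path = canonical_path(parts.path or "/")
    if path is None:
        return ("DENY", "suspicious encoding")
    if is_published(path):
        return ("FORWARD", path)
    return ("DENY", "path not published")


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    for u in ("http://mail.company.com", "https://servername",
              "https://servername/exchange/user/inbox",
              "https://servername/exchange/../scripts/x.asp"):
        print(u, "->", decide(u))
```

The prefix check runs on the decoded, normalized path, so a request that starts with /exchange/ but resolves elsewhere is refused rather than forwarded to the front-end server.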
