I think the options for mailbox access:

1. VPN (most secure)
2. SSL to internal OWA
3. SSL to OWA in DMZ (secure enough, but forces you to allow directory authentication traffic through your firewall)
4. OWA in DMZ over port 80 (what are you, nuts?)
5. MAPI over Internet (suicidal)

For SMTP traffic, what I would recommend is to deploy a relay host in your DMZ that also does SMTP virus scanning, preferably from a different AV vendor than the one running internally on Exchange so you have two different engines scanning all incoming messages.

Also configure your firewall so that the Internet can only do port 25 to your DMZ relay host and only that host can do port 25 to your internal host. Also add additional restrictions to the firewall that nobody but your relay host can make a port 25 to the Internet. Last thing you need is an internal bozo to stick an SMTP host in your DMZ and start spamming the Internet without your knowledge.

Serdar Soysal

-----Original Message-----
From: Jon Butler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 1:53 PM
To: Exchange Discussions
Subject: RE: lesser of the evils - ssl or smtp

First rule: Don't ever let internet traffic talk directly to the heart of your network. Stick something in the DMZ, be it an SMTP relay or an OWA box, but never let 'em talk directly to your Exchange box.

The real question behind determining SMTP or OWA is (in my opinion) a question of functionality -- they both do two totally different things. If you want users to both send AND receive their email, you'll have to open POP3 in addition to SMTP ... also allowing account passwords to transmit in plain text. If you'd rather keep all the data sitting on the Exchange box, give the users the additional calendaring, etc. functionality, and encrypt authentication data -- but at the cost of not allowing users to work offline -- then OWA is the way to go.

I recommend defining the needs, then making the decision based on that.

> -----Original Message-----
> From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 1:26 PM
> To: Exchange Discussions
> Subject: lesser of the evils - ssl or smtp
>
>
> Ok, I've got a couple of scenarios, which of them is the least risky?
>
> Exchange 2000 mailbox server on the LAN, accepting/making
> connections using SMTP through a firewall to the internet
>
> Exchange 2000 mailbox server on the LAN, accepting SSL
> secured OWA connections from the internet, again, protected
> by a firewall.
>
>
> Basically I am being told I may have to do both with the same
> box, but I'd rather have the smtp traffic going through a DMZ
> based gateway running McAfee Webshield, and let the OWA
> clients come into the internal box over SSL (which I see as
> less of a risk than opening up port 25).
>
> If you had to choose one of the 2 above scenarios, which would it be?
>
> Regards,
>
> Rob Ellis
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
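
The port 25 firewall restrictions described in the top reply, expressed as a rule audit. This is an added example, not part of the original thread; the host and zone names, the rule format, and the Exchange-to-relay outbound flow are assumptions made for illustration.

```python
# Added example: audit firewall allow rules against the thread's port-25 policy.
# Host/zone names and the Rule format are assumptions, not from the thread.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # source host or zone
    dst: str   # destination host or zone
    port: int  # destination TCP port

RELAY = "dmz-relay"        # hypothetical SMTP relay / AV scanner in the DMZ
EXCHANGE = "lan-exchange"  # hypothetical internal Exchange server
INTERNET = "internet"

# The only SMTP flows the advice permits.
ALLOWED_SMTP = {
    (INTERNET, RELAY),   # the Internet may do port 25 only to the relay
    (RELAY, EXCHANGE),   # only the relay may do port 25 to the internal host
    (EXCHANGE, RELAY),   # assumption: outbound mail leaves via the relay
    (RELAY, INTERNET),   # nobody but the relay may do port 25 to the Internet
}

SAMPLE_RULES = [  # constructed sample, not a real firewall export
    Rule(INTERNET, RELAY, 25),
    Rule(RELAY, EXCHANGE, 25),
    Rule(EXCHANGE, RELAY, 25),
    Rule(RELAY, INTERNET, 25),
    Rule(INTERNET, EXCHANGE, 25),    # direct Internet -> Exchange
    Rule("dmz-any", INTERNET, 25),   # any DMZ host may send mail out
    Rule(INTERNET, "dmz-owa", 443),  # not SMTP, ignored by this check
]

def audit_smtp(rules):
    """Return one finding per port-25 allow rule that falls outside the policy."""
    findings = []
    for r in rules:
        if r.port != 25 or (r.src, r.dst) in ALLOWED_SMTP:
            continue
        if r.dst == EXCHANGE:
            why = "only the relay may reach the internal host on port 25"
        elif r.dst == INTERNET:
            why = "only the relay may make port 25 connections to the Internet"
        elif r.src == INTERNET:
            why = "the Internet may reach only the relay on port 25"
        else:
            why = "SMTP flow not covered by the policy"
        findings.append(f"{r.src} -> {r.dst}:25 violates policy: {why}")
    return findings

if __name__ == "__main__":
    for line in audit_smtp(SAMPLE_RULES):
        print(line)
```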

