I've been thinking a lot about this, and decided to go with another approach. I'm 
going to create another network, connected to the Exchange server, and allow clients 
to VPN into that network. It doesn't have access to any other resources, and is empty 
except for OWA (for now anyway). And no front end server. Our load doesn't justify a 
front end server, and the security benefits don't seem large enough to justify the 
expense.

But the IPSec idea is a good one. And, as I remember, you can place a lot of 
restrictions on IPSec.

Thanks for the suggestions,
Erick

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Fyodorov, Andrey
> Sent: Wednesday, September 17, 2003 6:30 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> IPSec is a nice idea too. But you need to test test test.
> 
> Sincerely,
> 
> Andrey Fyodorov
> Systems Engineer
> Messaging and Collaboration
> Spherion
> 
> 
> -----Original Message-----
> From: Leeann McCallum [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, September 16, 2003 7:32 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> You could throw an OWA front end server in the DMZ, put a certificate on as Ed
> suggests, and then wrap everything up in an IPSEC packet that goes between
> the front end and backend.  Between the client on the net and the front end,
> you would use SSL, so just open 443.
> 
> 
> 
> -----Original Message-----
> From: Erick Thompson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 17 September 2003 11:29 a.m.
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> Ed,
> 
> I'm a little confused. You're recommending that I put in a front end server,
> but not in the DMZ? It seems to me that I might have to open a bunch of
> ports, but if the front end server is in the LAN, all ports are by default
> open.
> 
> Just to clarify, I have one Exchange server which lives on my LAN, and there
> is an SMTP server in my DMZ that relays messages to the Exchange server. At
> the moment, I don't have any other Exchange servers running.
> 
> Thanks,
> Erick
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > Sent: Tuesday, September 16, 2003 4:25 PM
> > To: Exchange Discussions
> > Subject: Re: OWA front end server - licensing and security
> > 
> > 
> > Install a certificate on the front-end server and open
> > port 443 to the front-end server.  Putting a front-end
> > server in a DMZ requires you to open lots of dangerous
> > ports through the internal firewall to the Exchange
> > servers, DCs and GCs.
> > 
> > Ed
> > 
> > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > I'm setting up OWA in my organization, and I have
> > > two choices. I can set up Exchange on the web server
> > > (in the DMZ), and specify it as a front end server,
> > > or I can open port 80 to the primary Exchange
> > > server. From a security standpoint, I really like
> > > the first option, but I'm thinking that I need a
> > > second Exchange Enterprise license. Am I correct in
> > > this? 
> > > 
> > > Am I being too paranoid about opening port 80
> > > through to the internal Exchange server? I've never
> > > liked the idea of raw traffic entering my LAN....
> > > 
> > > Thanks,
> > > Erick
> > > 
> > 
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
> > 
> > 
> 
> 