We have set up our OWA to require two-factor authentication (SecurID)
which eliminates any key-logging concerns but this system is not cheap
at approx $300 AU ($160 US) per user.  

The upside is that you can use the same system to authenticate all of
your remote access users (dial-up, VPN, etc.) and this is the function
that really allows me to sleep well at night.

I guess that it all depends on how many people are going to require this
functionality and of course, your budget...

Greg
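An added example, not part of any message in this thread: a small Python audit of the firewall allow-lists implied by the three designs discussed below (port 80 opened straight to the internal Exchange server, a front-end server in the DMZ, or ISA in the DMZ as a reverse proxy with the front end kept on the LAN). The zone names, host names and the port list for the front-end-in-DMZ case are constructed assumptions for illustration, not rules from anyone's network.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Zone names are constructed for this example.
INTERNET, DMZ, LAN = "internet", "dmz", "lan"


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule on the firewalls between the three zones."""
    src_zone: str
    src_host: str        # "*" means any host in src_zone
    dst_zone: str
    dst_host: str
    proto: str           # "tcp", "udp" or "esp"
    port: Optional[int]  # None for port-less protocols such as ESP


def audit(rules: List[Rule]) -> List[str]:
    """Return findings for an allow-list, applying three checks:

    1. Nothing from the Internet may terminate on a LAN host directly
       (the 'open port 80 to the primary Exchange server' design).
    2. Any DMZ -> LAN rule must name its source host; a rule for the whole
       DMZ lets any compromised DMZ box pivot into the LAN.
    3. Count the distinct LAN services each DMZ host may reach, which
       measures the holes punched through the internal firewall.
    """
    findings: List[str] = []
    reach: Dict[str, Set[Tuple[str, str, Optional[int]]]] = {}
    for r in rules:
        svc = f"{r.dst_host}:{r.proto}/{r.port}"
        if r.src_zone == INTERNET and r.dst_zone == LAN:
            findings.append(f"internet reaches lan directly: {svc}")
        if r.src_zone == DMZ and r.dst_zone == LAN:
            if r.src_host == "*":
                findings.append(f"whole dmz may reach lan service {svc}")
            reach.setdefault(r.src_host, set()).add((r.dst_host, r.proto, r.port))
    for host, services in sorted(reach.items()):
        if len(services) > 1:
            findings.append(f"dmz host {host} reaches {len(services)} lan services")
    return findings


# Design 1 (constructed): publish the internal Exchange server on port 80.
PORT80_TO_BACKEND = [Rule(INTERNET, "*", LAN, "exch-be", "tcp", 80)]

# Design 2 (constructed): front end in the DMZ. The internal-firewall rules
# are an illustrative sample of what a front end typically needs towards the
# back end, domain controllers / global catalog and DNS.
FE_IN_DMZ = [
    Rule(INTERNET, "*", DMZ, "owa-fe", "tcp", 443),
    Rule(DMZ, "owa-fe", LAN, "exch-be", "tcp", 80),
    Rule(DMZ, "owa-fe", LAN, "dc1", "tcp", 389),
    Rule(DMZ, "owa-fe", LAN, "dc1", "tcp", 3268),
    Rule(DMZ, "owa-fe", LAN, "dc1", "tcp", 88),
    Rule(DMZ, "owa-fe", LAN, "dc1", "tcp", 135),
    Rule(DMZ, "owa-fe", LAN, "dc1", "udp", 53),
]

# Same design, but the back-end rule was written for the whole DMZ subnet.
FE_IN_DMZ_SLOPPY = [
    Rule(DMZ, "*", LAN, "exch-be", "tcp", 80) if r.dst_host == "exch-be" else r
    for r in FE_IN_DMZ
]

# Design 3 (constructed): reverse proxy in the DMZ, front end on the LAN.
ISA_IN_DMZ = [
    Rule(INTERNET, "*", DMZ, "isa", "tcp", 443),
    Rule(DMZ, "isa", LAN, "owa-fe", "tcp", 443),
]


if __name__ == "__main__":
    for name, rules in [("port 80 to back end", PORT80_TO_BACKEND),
                        ("front end in DMZ", FE_IN_DMZ),
                        ("front end in DMZ (sloppy)", FE_IN_DMZ_SLOPPY),
                        ("ISA in DMZ", ISA_IN_DMZ)]:
        print(f"{name}: {audit(rules) or ['no findings']}")
```

The reverse-proxy design produces no findings because only one named DMZ host can reach one named LAN service; the front-end-in-DMZ design is flagged purely for the number of internal services one DMZ host can touch, which is the trade-off the thread argues about.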

-----Original Message-----
From: Erick Thompson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 18 September 2003 10:07 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security

We talked about this exact scenario. We decided that, given how easy it
is to install a key logger and other malware on public systems, it was
too risky. We are planning on using public folders quite heavily with
data that we can't risk getting out. Same with the address books.

We are trying to figure out a way to give people access to email only
from a public terminal. No public folders or address books. If you have
any suggestions, that would be great.

Erick

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> Sent: Wednesday, September 17, 2003 4:40 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> ISA is a better solution in a DMZ because it doesn't
> require the plethora of holes in the internal
> firewall.
> 
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp
> 
> Requiring VPN (your other message) is a good idea,
> however, you may be coming back to ISA or some other
> idea when your users demand to be able to get e-mail
> from a coffeehouse kiosk terminal.
> 
> Ed
> 
> --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > I have to admit to being a little confused, how
> > would ISA help, aside from being a proxy? Which
> > isn't nothing, but I'm wondering if I'm missing
> > something else. 
> > 
> > Thanks,
> > Erick
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Webb, Andy
> > > Sent: Wednesday, September 17, 2003 7:04 AM
> > > To: Exchange Discussions
> > > Subject: RE: OWA front end server - licensing and security
> > > 
> > > 
> > > Don't forget you also have to fully protect the front end server from
> > > all the other servers on the DMZ from which it is not isolated.
> > > 
> > > Those other systems may have been placed on the DMZ in an insecure state
> > > with the thought that if anyone broke them, they would be isolated from
> > > the internal LAN.  What happens when you put the FE in the DMZ is you
> > > break that theory.  The DMZ is no longer isolated from the LAN.
> > > 
> > > You definitely have to secure the FE, but once you have, why not put it
> > > inside where it is not at risk from questionable systems on the DMZ?
> > > 
> > > Better to put an ISA server in the DMZ as was suggested earlier.
> > > 
> > > Regarding IPSEC, Exchange 2003 explicitly states that IPSEC is now
> > > supported between front end and back end.  So if you upgrade, that's
> > > perhaps an option.  Though a lesser one than using ISA imho.
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Leeann McCallum
> > > Sent: Tuesday, September 16, 2003 6:32 PM
> > > To: Exchange Discussions
> > > Subject: RE: OWA front end server - licensing and security
> > > 
> > > You could throw an OWA front end server in the DMZ, put a certificate on
> > > as Ed suggests, and then wrap everything up in an IPSEC packet that goes
> > > between the front end and backend.  Between the client on the net and
> > > the front end, you would use SSL, so just open 443.
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Erick Thompson [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, 17 September 2003 11:29 a.m.
> > > To: Exchange Discussions
> > > Subject: RE: OWA front end server - licensing and security
> > > 
> > > 
> > > Ed,
> > > 
> > > I'm a little confused. You're recommending that I put in a front end
> > > server, but not in the DMZ? It seems to me that I might have to open a
> > > bunch of ports, but if the front end server is in the LAN, all ports are
> > > by default open.
> > > 
> > > Just to clarify, I have one Exchange server which lives on my LAN, and
> > > there is an SMTP server in my DMZ that relays messages to the Exchange
> > > server. At the moment, I don't have any other Exchange servers running.
> > > 
> > > Thanks,
> > > Erick
> > > 
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > > > Sent: Tuesday, September 16, 2003 4:25 PM
> > > > To: Exchange Discussions
> > > > Subject: Re: OWA front end server - licensing and security
> > > > 
> > > > 
> > > > Install a certificate on the front-end server and open port 443 to the
> > > > front-end server.  Putting a front-end server in a DMZ requires you to
> > > > open lots of dangerous ports through the internal firewall to the
> > > > Exchange servers, DCs and GCs.
> > > > 
> > > > Ed
> > > > 
> > > > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > > > I'm setting up OWA in my organization, and I have two choices. I can
> > > > > set up Exchange on the web server (in the DMZ), and specify it as a
> > > > > front end server, or I can open port 80 to the primary Exchange
> > > > > server. From a security standpoint, I really like the first option,
> > > > > but I'm thinking that I need a second Exchange Enterprise license.
> > > > > Am I correct in this?
> > > > > 
> > > > > Am I being too paranoid about opening port 80 through to the
> > > > > internal Exchange server? I've never liked the idea of raw traffic
> > > > > entering my LAN....
> > > > > 
> > > > > Thanks,
> > > > > Erick
> > > > > 
> > > > > _________________________________________________________________
> > > > > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > > > > Web Interface:
> > > > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > > > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > > > > Exchange List admin:    [EMAIL PROTECTED]
> > > > 
> > > > 
> > > 
> > > 
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! SiteBuilder - Free, easy-to-use web site design software
> > > http://sitebuilder.yahoo.com
> > > 
> > >
> > 
> 
> 
=== message truncated ===

