You can use ISA. It's not that hard to set up and works well. Added bonus
for those with the need is the ability to add RSA authentication to the ISA
server. Users must use a key fob to authenticate before they even get to the
OWA boxes. You can also use another type of proxy server (Squid for
instance) to proxy the connection from the DMZ.

-----Original Message-----
From: Bailey, Matthew [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 25, 2003 9:28 AM
To: Exchange Discussions
Subject: RE: OWA Design Question


If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your
BE Exchange servers.

At least that is the way I understand it.

 - Matt

-----Original Message-----
From: Clemens, Rick [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF "Using Microsoft Exchange 2000 Front-End
Servers" trying to get a feel for how I should set up OWA access from the
internet for my company.  Currently we have an Exchange 5.5 OWA server in a
DMZ with port 443 open from the internet or external side and on the
internal side open to the DC's and Exchange Servers....I know, I know not
very secure.....The document gives me several scenarios but the ones I am
interested in are Front-End Server in a Perimeter Network and Advance
Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or
statically map the RPC service Port.  This seems easy enough to do but it
sucks having to swiss cheese the firewall.  Of course Microsoft recommends
the Advance Firewall Scenario (ISA Server)....


My question is has anyone set up ISA in a DMZ?  Is it better?  What are the
benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open up
RPC ports?  I am looking at this from the perspective of talking management
into spending the $3000 on the software.....belts are tight so there really
has to be a good reason.  And we already have a proxy server and management
doesn't want to replace it so this would be specific to making OWA access
more secure.

Any help would be greatly appreciated.

Rick sends

-----Original Message-----
From: Petschow, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA
segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp


Jeff



> -----Original Message-----
> From: McBee, Jim [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 5:18 PM
> To: Exchange Discussions
> Subject: RE: Exchange 2003 OWA segmentation feature
> 
> 
> Hee hee hee....
>       I think I have that book somewhere...
> 
>       Actually, the settings have changed between E2K and E2K3.  I think
> there are a few more things you can turn on/off in E2K3.
> Unfortunately, no one seems to know what the settings are.
> 
> Thanks,
> Jim
> 
> -----Original Message-----
> From: Tony Hlabse [mailto:[EMAIL PROTECTED]
> Posted At: Monday, August 11, 2003 11:34 AM
> Posted To: Exchange Technical Mailing List
> Conversation: Exchange 2003 OWA segmentation feature
> Subject: Re: Exchange 2003 OWA segmentation feature
> 
> 
> 
> Yes it's a registry key that is set. When set affects all users of
> that domain however you can also set for an individual that will
> override the system setting. 1024 is for all folders to show up. I have
> the settings at work but are also available on MS's site via
> http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you
> need the exact settings they are in the book Exchange 24/7 by Jim McBee
> 
> From: "McBee, Jim" <[EMAIL PROTECTED]>
> Reply-To: "Exchange Discussions" <[EMAIL PROTECTED]>
> To: "Exchange Discussions" <[EMAIL PROTECTED]>
> Subject: Exchange 2003 OWA segmentation feature
> Date: Mon, 11 Aug 2003 11:01:25 -1000
> 
> Hi everyone:
>      I'm looking for some information on a feature in Exchange 2003
> and I have used up all of my ideas on how to find out more info.  It 
> was called OWA segmentation in Exchange 2000 and was introduced in 
> Exchange 2000 SP2.  It allowed you to turn off public folders, the 
> calendar, contacts, etc.. for certain users.  This was either a 
> registry key or an attribute you had to add to the W2K AD.  However, 
> it is included in E2K3's schema extensions.
> 
>      However, I cannot find ANY information on the actual values.  It
> is essentially a bit mask, but I can't figure out what the bits mean.
> Below is the only text I have been able to find on it, and this was in
> the release notes.  The schema attribute name is:
> msExchMailboxFolderSet
>
>      I have a customer that is using this in E2K and we are building a
> 'proof-of-concept' lab for E2K3 and we cannot get this to work.  It is
> driving me crazy and I'm almost thinking I need to open up a PSS
> incident just to get the documentation on this feature.  I was hoping
> you might be able to find more documentation on this.
> 
>      Any ideas?
> 
> Thanks,
> 
> Jim McBee
> 
> 
> Per-user Feature Segmentation in Outlook Web Access May Require
> Modification of User Object to Use All Features
>
> Outlook Web Access allows you to enable specific sets of features on a
> server or for individual users. For example, you can enable only
> Calendar and Messaging. To set this feature segmentation per user, you
> modify the msExchMailboxFolderSet attribute on the User object in
> Active Directory. The value of this attribute determines which features
> are available to the user.
>
> In Exchange 2000, the decimal value for enabling all features on a
> per-user basis was 1023 (or 0x3FF in hexadecimal). In Exchange 2003,
> the value has changed. The new decimal value is 4294967295 (0xFFFFFFFF
> in hexadecimal). If you had previously enabled all features using
> feature segmentation, you will need to update the value of the
> msExchMailboxFolderSet attribute on the user object to this new value.
> If you do not update this value, users may not be able to use all the
> Outlook Web Access features.
> 
> 
> 
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
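
The release notes quoted in this thread say that a per-user msExchMailboxFolderSet of 1023 no longer enables every OWA feature under Exchange 2003. The following is an added example, not part of the original thread: a Python audit over an LDIF-style export that flags accounts still carrying the Exchange 2000 value. The sample records, the function names, and the treatment of a signed -1 as 0xFFFFFFFF are assumptions.

```python
# Added example: audit msExchMailboxFolderSet values in an LDIF-style export.
# The two "all features" constants come from the release notes quoted above;
# the sample records below are constructed, and the names are hypothetical.
E2K_ALL = 0x3FF          # 1023: all features in Exchange 2000
E2K3_ALL = 0xFFFFFFFF    # 4294967295: all features in Exchange 2003

SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
msExchMailboxFolderSet: 1023

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
msExchMailboxFolderSet: 4294967295

dn: CN=Carol Example,OU=Staff,DC=example,DC=com
msExchMailboxFolderSet: 3

dn: CN=Dave Example,OU=Staff,DC=example,DC=com
msExchMailboxFolderSet: -1

dn: CN=Erin Example,OU=Staff,DC=example,DC=com
"""

def parse_records(ldif):
    """Yield (dn, raw_value_or_None) for each blank-line-separated record."""
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        if "dn" in attrs:
            yield attrs["dn"], attrs.get("msexchmailboxfolderset")

def classify(raw):
    """Map a raw attribute value to its status on an Exchange 2003 mailbox."""
    if raw is None:
        return "unset"               # no per-user value on this account
    value = int(raw) & 0xFFFFFFFF    # assumption: export may show -1 (signed)
    if value == E2K3_ALL:
        return "all-e2k3"
    if value == E2K_ALL:
        return "legacy-all"          # release notes: update to 4294967295
    return "segmented"               # other mask; bit meanings not in thread

def audit(ldif):
    return {dn: classify(raw) for dn, raw in parse_records(ldif)}

def needs_update(ldif):
    return sorted(dn for dn, s in audit(ldif).items() if s == "legacy-all")
```

Accounts reported as "segmented" are left alone, since a restricted mask is presumably deliberate; only the exact legacy all-features value is flagged for the change the release notes describe.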
