Alex Hague wrote:
> 
> Why not have an SSL Relay & Reverse Proxy on a DMZ, and then on your
> internal network have an Outlook Web Access Server and an Exchange server.
> Let SSL through your firewall only to your SSL Relay.

This works just fine, but there is one small problem that usually
proves to be a huge problem in organizations with many
users. (Why do users always have to screw up our good ideas?) --
how do you authenticate to the reverse proxy?

Or, rather, from where does the reverse proxy get its user database?

Of course, you could just skip authentication at the reverse
proxy and let the OWA handle that, but if that's the case, I don't
really see the point? As I pointed out in some other thread, 
the problem here isn't really HTTP headers, so I'm not sure how
much more security the proxy will buy if we don't use it to
sort out the bad guys before letting people on to the OWA.

Hmmm... A dim voice in the back of my head just said "SecurID".
Hey, that could almost work -- having the luser read a string
of digits from their token rather than having them remember
another password isn't all that bad :-)
Then there's just the matter of getting the proxy to talk to
the SecurID server... If there is one.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
