Mike Olsson wrote:
>This works just fine, but there is one small problem that usually
>proves to be a huge problem in organizations with many
>users. (Why do users always have to screw up our good ideas?) --
>how do you authenticate to the reverse proxy?
You don't need to authenticate to the reverse proxy as OWA will do all the
authentication using NTLM. In the event that a buffer overflow vulnerability
exists in one of the OWA pages you will still need to be authenticated to
execute the vulnerability, thus only your users could execute it....
I fail to see the problem that you're getting at... any vulnerabilities in
OWA can only be executed by an authenticated user... this then becomes an
issue of password security etc.
Cheers,
Alex
Mike Olsson's Original message in full:
------------------------------------------------------------------------
Alex Hague wrote:
>
>Why not have an SSL Relay & Reverse Proxy on a DMZ, and then on your
>internal network have an Outlook Web Access Server and an Exchange server.
>Let SSL through your firewall only to your SSL Relay.
This works just fine, but there is one small problem that usually
proves to be a huge problem in organizations with many
users. (Why do users always have to screw up our good ideas?) --
how do you authenticate to the reverse proxy?
Or, rather, from where does the reverse proxy get its user database?
Of course, you could just skip authentication at the reverse
proxy and let the OWA handle that, but if that's the case, I don't
really see the point? As I pointed out in some other thread,
the problem here isn't really HTTP headers, so I'm not sure how
much more security the proxy will buy if we don't use it to
sort out the bad guys before letting people on to the OWA.
Hmmm... A dim voice in the back of my head just said "SecurID".
Hey, that could almost work -- having the luser read a string
of digits from their token rather than having them remember
another password isn't all that bad :-)
Then there's just the matter of getting the proxy to talk to
the SecurID server... If there is one.
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]