I had to design just this scenario and found the best way was to use proxy
servers and load balancers for security reasons if you are using Exchange
5.x. A couple of replies referred to Exchange 2000 front-end back-end
servers, but I am assuming you have not upgraded to that yet.
First, I wanted all outside communications to be done with SSL to ensure all
account names and passwords over the internet were encrypted. The problem
with this is that proxy servers cannot reverse proxy if SSL is enabled. To
overcome this we set up an MS Proxy with SSL enabled on proxy servers in the
DMZ. This was hidden behind a load balancer and none of the addresses on the
system are routable to the internet. SSL connections are now made to the
proxy servers for all requests to the OWA (Outlook Web Access) systems. The
proxy servers route the requests to 2 OWA servers inside the firewall that
are behind another load balancer. You are not able to get an SSL connection
from the proxy servers to the OWA servers, but because the proxy servers
are in their own DMZ, I felt it was secure enough to now route the requests
in clear text. Only port 443 is enabled to the proxy servers and port 80 to
the OWA servers on the firewalls.
Don't host your OWA servers on your existing Exchange servers; ensure
you set up separate servers that just host the OWA applications. I didn't want
the OWA servers located in the DMZ because then I would have had to open up
ports 137-139 on the firewall to allow them to communicate with the Exchange
servers, which is why I went with the proxy approach. The following is how
the data flows and is fairly secure.
      SSL            SSL                SSL
User ---> Firewall ---> Load Balancer ---> Proxy --> Firewall --> Load Balancer --> OWA --> Exchange Server
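The flow above, modelled as an added example (this is not the poster's configuration or any vendor tool): a small Python checker that encodes the two firewall openings the design relies on (443 from the internet to the DMZ proxies, 80 from the DMZ proxies to the internal OWA servers) and audits a rule set against the constraints stated in the reply: nothing in clear text from the internet, no direct internet-to-internal path, and no NetBIOS ports (137-139) opened from the DMZ. Segment names, the rule record format and the finding strings are assumptions made for the example.

```python
"""Audit a simple firewall rule set against the OWA-behind-proxy design.

Added example; segment names and the Rule format are constructed for it.
"""
from collections import deque
from dataclasses import dataclass

# Constructed segment names for the three zones in the described design.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# NetBIOS ports the reply did not want to open from the DMZ.
NETBIOS_PORTS = {137, 138, 139}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment
    dst: str    # destination segment
    port: int   # TCP destination port permitted
    tls: bool   # True if the traffic on this port is SSL/TLS-protected


# The two openings the reply describes: SSL to the proxies, clear-text
# HTTP from the proxies to the OWA servers, and nothing else.
DESIGN_RULES = [
    Rule(INTERNET, DMZ, 443, True),
    Rule(DMZ, INTERNAL, 80, False),
]

# Constructed counter-example: OWA placed in the DMZ, so NetBIOS must be
# opened from the DMZ into the internal network to reach Exchange.
OWA_IN_DMZ_RULES = [
    Rule(INTERNET, DMZ, 443, True),
    Rule(DMZ, INTERNAL, 137, False),
    Rule(DMZ, INTERNAL, 138, False),
    Rule(DMZ, INTERNAL, 139, False),
]


def audit(rules):
    """Return a list of findings; an empty list means the rules satisfy the
    design constraints (encrypted edge, no direct internal exposure, no
    NetBIOS out of the DMZ)."""
    findings = []
    for r in rules:
        if r.src == INTERNET and not r.tls:
            findings.append(f"clear-text {r.port} allowed from the internet to {r.dst}")
        if r.src == INTERNET and r.dst == INTERNAL:
            findings.append(f"internet reaches internal directly on {r.port}")
        if r.port in NETBIOS_PORTS and r.src in (INTERNET, DMZ):
            findings.append(f"NetBIOS port {r.port} opened from {r.src} to {r.dst}")
    return findings


def path(rules, src, dst):
    """Breadth-first search over permitted rules; returns the ordered list of
    segments a request crosses from src to dst, or None if no rule chain
    allows it."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            hops = []
            while cur is not None:
                hops.append(cur)
                cur = parent[cur]
            return hops[::-1]
        for r in rules:
            if r.src == cur and r.dst not in parent:
                parent[r.dst] = cur
                queue.append(r.dst)
    return None


if __name__ == "__main__":
    print("design findings:", audit(DESIGN_RULES))
    print("OWA-in-DMZ findings:", audit(OWA_IN_DMZ_RULES))
    print("request path:", path(DESIGN_RULES, INTERNET, INTERNAL))
```

The useful property is that a request from the internet can only reach the internal OWA servers by passing through the DMZ proxies, which `path()` makes visible, while `audit()` flags the variant the reply rejected (OWA in the DMZ with 137-139 opened inward) without needing to know anything about the hosts themselves.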
-----Original Message-----
From: Al Saenz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 6:29 AM
To: [EMAIL PROTECTED]
Subject: Mail Serve Security
Hello, and thank you for your input.
I have an MS Exchange Server. I know there has been mention in the past
about having some kind of Exchange relay server in the DMZ while your actual
E-mail server is in your protected LAN.
I am wanting to let mobile users check email.
Could someone refresh my memory and lead me in the right direction?
Thank you.
al
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]