RE: OWA users logging into wrong Mailbox
Hello,

Bug / Setup quirk: http://www.microsoft.com/exchange/support/e2k3owa.asp (posted earlier to this list by David Lemson, 11/27/03)

Brent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Posted At: Thursday, January 08, 2004 6:31 PM
Posted To: MS Exchange List
Conversation: OWA users logging into wrong Mailbox
Subject: RE: OWA users logging into wrong Mailbox

What bug are you aware of?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MS Exchange List
Sent: Thursday, January 08, 2004 5:25 PM
To: Exchange Discussions
Subject: OWA users logging into wrong Mailbox

Hello,

FWIW: We just had a situation where some users were complaining that when they logged into OWA they were getting other users' Mailboxes. I'm aware of a bug like this in 2003, but we're running E2K. Turned out a WEB Cache had been put on one part of a remote network. This did not affect people who came in over https, just http non-ssl connections.

Brent

_____
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
OWA users logging into wrong Mailbox
Hello,

FWIW: We just had a situation where some users were complaining that when they logged into OWA they were getting other users' Mailboxes. I'm aware of a bug like this in 2003, but we're running E2K. Turned out a WEB Cache had been put on one part of a remote network. This did not affect people who came in over https, just http non-ssl connections.

Brent
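The failure described in the post above, modelled as an added example that is not part of the original message or of any Exchange or cache product: a shared cache keyed on URL alone, and the response headers that decide whether a second user is handed the first user's page. The URL, user names and the `sees_authorization` switch are constructed, and the storage test is a simplified form of the shared-cache rules in RFC 9111 section 3.

```python
"""Added example: how a shared HTTP cache can serve one user's page to another.

Constructed model for illustration. An intermediary cannot read HTTPS
traffic, so only plain-HTTP requests pass through this logic.
"""

# Status codes a cache may store without explicit freshness (RFC 9111 4.2.2).
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}
SHARED_OK = {"public", "must-revalidate", "s-maxage"}


def directives(headers):
    """Parse Cache-Control from lower-cased headers into {directive: value}."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        key, _, value = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = value.strip().strip('"') or None
    return out


def shared_cache_may_store(method, status, req_headers, resp_headers):
    """Return (allowed, reason) for a shared cache. Simplified rules."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    req_cc, resp_cc = directives(req), directives(resp)

    if method not in ("GET", "HEAD"):
        return False, "method not cacheable"
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store"
    if "private" in resp_cc:
        return False, "private"
    # An authenticated request needs explicit permission from the origin.
    if "authorization" in req and not (resp_cc.keys() & SHARED_OK):
        return False, "authenticated request"
    if (resp_cc.keys() & {"public", "max-age", "s-maxage"}) or "expires" in resp:
        return True, "explicit freshness"
    if status in HEURISTIC_STATUS:
        return True, "heuristic freshness"
    return False, "no freshness information"


class SharedCache:
    """Toy shared cache keyed on URL only (hypothetical, for this example)."""

    def __init__(self, sees_authorization=True):
        # False models a cache that ignores Authorization, or a login that
        # travels in a cookie the cache does not treat as authentication.
        self.sees_authorization = sees_authorization
        self.store = {}

    def fetch(self, url, req_headers, origin):
        if url in self.store:
            return self.store[url], "HIT"
        status, resp_headers, body = origin(url, req_headers)
        seen = dict(req_headers)
        if not self.sees_authorization:
            seen = {k: v for k, v in seen.items() if k.lower() != "authorization"}
        allowed, _ = shared_cache_may_store("GET", status, seen, resp_headers)
        if allowed:
            self.store[url] = body
        return body, "MISS"


def make_origin(resp_headers):
    """Origin that renders a per-user page at one shared URL (constructed)."""
    def origin(url, req_headers):
        user = req_headers.get("Authorization", "Basic anonymous").split()[-1]
        return 200, resp_headers, f"Inbox of {user}"
    return origin


def second_user_sees(resp_headers, sees_authorization):
    """alice loads the page, then bob requests the same URL via the cache."""
    cache = SharedCache(sees_authorization)
    origin = make_origin(resp_headers)
    url = "http://mail.example.test/exchange/"  # constructed URL
    cache.fetch(url, {"Authorization": "Basic alice"}, origin)
    return cache.fetch(url, {"Authorization": "Basic bob"}, origin)


if __name__ == "__main__":
    hardened = {"Cache-Control": "private, no-store"}
    print("no headers, strict cache :", second_user_sees({}, True))
    print("no headers, lax cache    :", second_user_sees({}, False))
    print("hardened, lax cache      :", second_user_sees(hardened, False))
```

The middle case is the reported symptom: with no cache directives on the response, a lax cache returns alice's page to bob, while `private, no-store` on the response prevents storage even by that cache.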
RE: OWA users logging into wrong Mailbox
What bug are you aware of?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MS Exchange List
Sent: Thursday, January 08, 2004 5:25 PM
To: Exchange Discussions
Subject: OWA users logging into wrong Mailbox

Hello,

FWIW: We just had a situation where some users were complaining that when they logged into OWA they were getting other users' Mailboxes. I'm aware of a bug like this in 2003, but we're running E2K. Turned out a WEB Cache had been put on one part of a remote network. This did not affect people who came in over https, just http non-ssl connections.

Brent
RE: OWA 5.5 - Active Directory
That is a good question.

We are a Law Firm and we have several attorneys that refuse to give up the Exchange 5.5 OWA - they state Exchange 2000 OWA is too slow and unusable... So, we wanted to offer up both for a period of time - to slowly wean them away from 5.5, while still switching to native mode. On the other hand we have several other folks who love the new OWA and its rich feature set...

Is the dumbing down of OWA 2000 done on a per user basis, or is it all or nothing?

Thanks

-----Original Message-----
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 2:56 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

When you go native, what are you going to need 5.5 OWA for? Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's what Netscape browsers see when they connect to 2000 OWA)

-----Original Message-----
From: Miller, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
RE: OWA 5.5 - Active Directory
Thanks for the reply... I actually confirmed just that last night in the lab. I brought up a separate native mode environment with an OWA 5.5 server.. New users were not able to access their mailboxes, while users created before the switch continued to work

Thanks again

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:13 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

If you mean native mode Exchange, then yes, OWA 5.5 will break. It will still work for user IDs that were created BEFORE you went native, but will not work for users created AFTER you go native. I think the ADC might be involved in this equation somehow, but I remember this problem bit us hard. OWA 5.5 needs some attributes set in AD which no longer get set after you go native (or was it after you stop ADC - can't remember).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, January 06, 2004 3:56 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

When you go native, what are you going to need 5.5 OWA for? Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's what Netscape browsers see when they connect to 2000 OWA)

-----Original Message-----
From: Miller, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
RE: OWA 5.5 - Active Directory
OWA 200x dumbs down based on the version of the browser. However, it doesn't look like OWA 5.5. Maybe this is the excuse you need to upgrade to Exchange 2003. OWA 2003 rocks!

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miller, Robert
Sent: Wednesday, January 07, 2004 8:01 AM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

That is a good question.

We are a Law Firm and we have several attorneys that refuse to give up the Exchange 5.5 OWA - they state Exchange 2000 OWA is too slow and unusable... So, we wanted to offer up both for a period of time - to slowly wean them away from 5.5, while still switching to native mode. On the other hand we have several other folks who love the new OWA and its rich feature set...

Is the dumbing down of OWA 2000 done on a per user basis, or is it all or nothing?

Thanks

-----Original Message-----
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 2:56 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

When you go native, what are you going to need 5.5 OWA for? Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's what Netscape browsers see when they connect to 2000 OWA)

-----Original Message-----
From: Miller, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
RE: OWA 5.5 - Active Directory
It does not look exactly like 5.5 OWA but retains the same feel and probably loads faster.

Another way to dumb down 2000 OWA is segmentation. You basically go to ADSI Edit, go to the user's properties, and find the certain field (can't remember its name off the top of my head), and set its value to a certain number. There are different number combinations that will cause only certain folders to show up in OWA. For example you can limit OWA to only display Inbox, Sent Items, and Calendar.

Search Google for OWA segmentation.

Sincerely,
Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-----Original Message-----
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:56 AM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

OWA 200x dumbs down based on the version of the browser. However, it doesn't look like OWA 5.5. Maybe this is the excuse you need to upgrade to Exchange 2003. OWA 2003 rocks!

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miller, Robert
Sent: Wednesday, January 07, 2004 8:01 AM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

That is a good question.

We are a Law Firm and we have several attorneys that refuse to give up the Exchange 5.5 OWA - they state Exchange 2000 OWA is too slow and unusable... So, we wanted to offer up both for a period of time - to slowly wean them away from 5.5, while still switching to native mode. On the other hand we have several other folks who love the new OWA and its rich feature set...

Is the dumbing down of OWA 2000 done on a per user basis, or is it all or nothing?

Thanks

-----Original Message-----
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 2:56 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

When you go native, what are you going to need 5.5 OWA for? Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's what Netscape browsers see when they connect to 2000 OWA)

-----Original Message-----
From: Miller, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
OWA 5.5 - Active Directory
All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
RE: OWA 5.5 - Active Directory
When you go native, what are you going to need 5.5 OWA for? Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's what Netscape browsers see when they connect to 2000 OWA)

-----Original Message-----
From: Miller, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
RE: OWA 5.5 - Active Directory
If you mean native mode Exchange, then yes, OWA 5.5 will break. It will still work for user IDs that were created BEFORE you went native, but will not work for users created AFTER you go native. I think the ADC might be involved in this equation somehow, but I remember this problem bit us hard. OWA 5.5 needs some attributes set in AD which no longer get set after you go native (or was it after you stop ADC - can't remember).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, January 06, 2004 3:56 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

When you go native, what are you going to need 5.5 OWA for? Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's what Netscape browsers see when they connect to 2000 OWA)

-----Original Message-----
From: Miller, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers online, pointing to an Active Directory servers for lookups. I also have 3 Exchange 2000 Front End servers online serving up OWA 2000. And to clarify, I have a requirement to keep both versions of OWA running for an extended period of time. The current configuration works quite well.

I would like to begin the steps of going to native mode. My question is - when I flip the switch to native mode is there any chance that the 5.5 OWA functionality will break? I spoke with Microsoft regarding this and the final conclusion was that they had no idea...

I am in the process of building up a native mode environment in the lab to test this, but figured I would throw it out to the list in hopes that someone else has already tried this

TIA
Adding OWA 2000 to a different web site (same server)
Are there any tricks for adding OWA to a new website on an existing IIS/Exchange 2000 server? I think I sort of have it working by creating the website from within Exchange administrator - but that set up OWA as the root of the web - ideally I'd like OWA to work from a virtual web /exchange as it does on the Default web server.

Only docs I could find by searching MS Knowledge base were 5.5 specific - I need this to go on 2000 (Windows + Exchange 2000 - latest service packs and patches all around...) Also whatever I do, hoping it will work when I Upgrade to Exchange 2003 followed by Windows 2003 sometime this spring...

Thanks
Greg
---
Greg Sachs
[EMAIL PROTECTED]
RE: Adding OWA 2000 to a different web site (same server)
I was doing this on Friday for a client and it took me a couple of hours to work out.

The way I did it was to create the site in Exchange System Manager, then create a new virtual directory for Exchange and Public. Then, once created and seen in Internet Services Manager, I went in to the properties for the new site, to Home Directory and changed the address from the BackofficeStorage address to the local directory I had an existing web site configured in.

Finally to get IIS to serve the existing web pages correctly I removed davex.dll (IIRC) in the Application Configuration, being careful NOT to apply the changes to the child nodes by pressing Cancel when prompted.

I don't think I missed anything, but let me know if I have.

Simon.
--
Simon Butler, MCP, MCSA
Senior Systems Administrator
Amset IT Solutions Ltd.
e: [EMAIL PROTECTED]
w: www.amset-it.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg S
Sent: 05 January 2004 14:39
To: Exchange Discussions
Subject: Adding OWA 2000 to a different web site (same server)

Are there any tricks for adding OWA to a new website on an existing IIS/Exchange 2000 server? I think I sort of have it working by creating the website from within Exchange administrator - but that set up OWA as the root of the web - ideally I'd like OWA to work from a virtual web /exchange as it does on the Default web server.

Only docs I could find by searching MS Knowledge base were 5.5 specific - I need this to go on 2000 (Windows + Exchange 2000 - latest service packs and patches all around...) Also whatever I do, hoping it will work when I Upgrade to Exchange 2003 followed by Windows 2003 sometime this spring...

Thanks
Greg
---
Greg Sachs
[EMAIL PROTECTED]
S/MIME in OWA
All,

Quick question...how do you install S/MIME support for OWA on Exchange 2000? I have it setup for the client side. But I'm having some problems getting it to work through OWA.

Thanks,
_____
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED]
RE: S/MIME in OWA
S/MIME for Exchange 2000 OWA is not supported - that is, there is no option to digitally encrypt or sign using OWA. Exchange 2003 allows you to download and install the S/MIME control for IE, but Exchange 2000 does not have this feature. By you having it set up for the client side, I assume you mean the Outlook client side? Is that correct?

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Posted At: Monday, January 05, 2004 1:01 PM
Posted To: Exchange (Swynk)
Conversation: S/MIME in OWA
Subject: S/MIME in OWA

All,

Quick question...how do you install S/MIME support for OWA on Exchange 2000? I have it setup for the client side. But I'm having some problems getting it to work through OWA.

Thanks,
_____
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED]
RE: S/MIME in OWA
Ok cool, I knew in 2003 it did support it. Just didn't know if it was supported or not in 2000. I was just making sure I wasn't going insane here. Thanks for the quick response.

_____
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ben Winzenz
Sent: Monday, January 05, 2004 1:14 PM
To: Exchange Discussions
Subject: RE: S/MIME in OWA

S/MIME for Exchange 2000 OWA is not supported - that is, there is no option to digitally encrypt or sign using OWA. Exchange 2003 allows you to download and install the S/MIME control for IE, but Exchange 2000 does not have this feature. By you having it set up for the client side, I assume you mean the Outlook client side? Is that correct?

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Posted At: Monday, January 05, 2004 1:01 PM
Posted To: Exchange (Swynk)
Conversation: S/MIME in OWA
Subject: S/MIME in OWA

All,

Quick question...how do you install S/MIME support for OWA on Exchange 2000? I have it setup for the client side. But I'm having some problems getting it to work through OWA.

Thanks,
_____
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED]
RE: S/MIME in OWA
And yes, that is correct.

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ben Winzenz
Sent: Monday, January 05, 2004 1:14 PM
To: Exchange Discussions
Subject: RE: S/MIME in OWA

S/MIME for Exchange 2000 OWA is not supported - that is, there is no option to digitally encrypt or sign using OWA. Exchange 2003 allows you to download and install the S/MIME control for IE, but Exchange 2000 does not have this feature. By you having it set up for the client side, I assume you mean the Outlook client side? Is that correct?

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Posted At: Monday, January 05, 2004 1:01 PM
Posted To: Exchange (Swynk)
Conversation: S/MIME in OWA
Subject: S/MIME in OWA

All,

Quick question...how do you install S/MIME support for OWA on Exchange 2000? I have it set up for the client side. But I'm having some problems getting it to work through OWA.

Thanks,

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED]
RE: Adding OWA 2000 to a different web site (same server)
Thanks. I tried it both ways (creating the web from Internet Services Manager and creating it from Exchange System Manager). At first I tried it in Internet Services Manager, and it was not working - I had missed the step of adding davex.dll - I had to hit the create button to get to the application setup to add davex; once that was done it worked (I had to do it on several virtual webs that were OWA components).

One other thing - when I tried creating the virtual web from Exchange System Manager as you suggested it worked, however when I changed the home directory path to the root path I wanted, twice it changed itself back to M:\twostep.tzo.net\MBX and I know it was not my doing. So I'm wondering if Exchange somehow changes that back if it was created within Exchange. I ended up making it work correctly with the web I created in ISM and once I got all of the settings in line, OWA seems to work great. Thanks for your help.

Greg

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Butler
Sent: Monday, January 05, 2004 11:43 AM
To: Exchange Discussions
Subject: RE: Adding OWA 2000 to a different web site (same server)

I was doing this on Friday for a client and it took me a couple of hours to work out. The way I did it was to create the site in Exchange System Manager, then create a new virtual directory for Exchange and Public. Then, once created and seen in Internet Services Manager, I went in to the properties for the new site, to Home Directory and changed the address from the BackofficeStorage address to the local directory I had an existing web site configured in. Finally to get IIS to serve the existing web pages correctly I removed davex.dll (IIRC) in the Application Configuration, being careful NOT to apply the changes to the child nodes by pressing Cancel when prompted. I don't think I missed anything, but let me know if I have.

Simon.

--
Simon Butler, MCP, MCSA
Senior Systems Administrator
Amset IT Solutions Ltd.
e: [EMAIL PROTECTED]
w: www.amset-it.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg S
Sent: 05 January 2004 14:39
To: Exchange Discussions
Subject: Adding OWA 2000 to a different web site (same server)

Are there any tricks for adding OWA to a new website on an existing IIS/Exchange 2000 server? I think I sort of have it working by creating the website from within Exchange administrator - but that set up OWA as the root of the web - ideally I'd like OWA to work from a virtual web /exchange as it does on the Default web server. Only docs I could find by searching MS Knowledge base were 5.5 specific - I need this to go on 2000 (Windows + Exchange 2000 - latest service packs and patches all around...) Also whatever I do, hoping it will work when I upgrade to Exchange 2003 followed by Windows 2003 sometime this spring...

Thanks
Greg

---
Greg Sachs
[EMAIL PROTECTED]
RE: HTTP error 404 and OWA
Does OWA work on the back-end server only?

Neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M2web
Posted At: 22 December 2003 21:39
Posted To: Swynk Exchange (30 days)
Conversation: HTTP error 404 and OWA
Subject: HTTP error 404 and OWA

I have a FE/BE configuration with Exchange 2003. When I use the URL http://FE server/Exchange, I get the Windows Security popup but after login I get two frames each of them with HTTP error 404, File or Directory not found. I do not have URLScan nor have I run IISlockdown tool. Any help would be appreciated.
Re: HTTP error 404 and OWA
That is right, it only works on the BE server.

----- Original Message -----
From: Neil Hobson [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 12:16 AM
Subject: RE: HTTP error 404 and OWA

Does OWA work on the back-end server only?

Neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M2web
Posted At: 22 December 2003 21:39
Posted To: Swynk Exchange (30 days)
Conversation: HTTP error 404 and OWA
Subject: HTTP error 404 and OWA

I have a FE/BE configuration with Exchange 2003. When I use the URL http://FE server/Exchange, I get the Windows Security popup but after login I get two frames each of them with HTTP error 404, File or Directory not found. I do not have URLScan nor have I run IISlockdown tool. Any help would be appreciated.
Problems with NLB, OWA and Exchange
Running Exchange 2000 native on W2K Servers both with SP3 installed. Running 2 front-end and 2 back-end servers with Network Load Balancing on the front-ends. We are experiencing a problem with one of the front-end servers - that will not even start up the basic services. Contacted Microsoft, who had us re-install SP3 and later SP4 without any success in getting the services started. We also un-installed NLB and re-installed it without any success. Our next action is just to rebuild the system from scratch. Has anyone come across any problems like the above?

Ron Pennell
RE: Problems with NLB, OWA and Exchange
I have been running a back-end with two NLB-ed front-ends for more than 3 years. Never had any problems. NLB does not really interfere with any Exchange stuff.

-----Original Message-----
From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED]
Sent: Monday, December 22, 2003 10:06 AM
To: Exchange Discussions
Subject: Problems with NLB, OWA and Exchange

Running Exchange 2000 native on W2K Servers both with SP3 installed. Running 2 front-end and 2 back-end servers with Network Load Balancing on the front-ends. We are experiencing a problem with one of the front-end servers - that will not even start up the basic services. Contacted Microsoft, who had us re-install SP3 and later SP4 without any success in getting the services started. We also un-installed NLB and re-installed it without any success. Our next action is just to rebuild the system from scratch. Has anyone come across any problems like the above?

Ron Pennell
RE: OWA - File not found when logging out
Okay, bad, bad evil things just happened. I re-ran the IISLockdown tool to undo the normal settings. Now, NO ONE can get logged into OWA, including Admin. I just keep getting prompted for user/pass. Outlook still works fine, and mail still seems to be flowing. Remote users are burning up the phone line. I checked the permissions on the files before doing this, and everything looked fine. Is there a way to reinstall OWA on SBS without a lot of grief?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edgington, Jeff
Sent: Thursday, December 18, 2003 1:00 PM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

This is definitely a permissions problem (we had the same trouble)... I remember having to modify the permission on this file... but I will need to look for my notes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Thursday, December 18, 2003 9:36 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

404 errors like that might be related to URLScan. Do you have that installed? If so, the default settings on URLscan shouldn't clobber the logoff.asp page though...

-----Original Message-----
From: Pat Richard [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
Okay. Got things pretty much squared away by restarting all the services including System Attendant, and it looks like everyone can get logged in. The one remaining issue is that one user has several (4-5 afaik) emails in his Inbox that come up as FILE NOT FOUND when viewing them in OWA. They all have valid subjects, etc. I'm checking into that further.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pat Richard
Sent: Monday, December 22, 2003 1:03 PM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

Okay, bad, bad evil things just happened. I re-ran the IISLockdown tool to undo the normal settings. Now, NO ONE can get logged into OWA, including Admin. I just keep getting prompted for user/pass. Outlook still works fine, and mail still seems to be flowing. Remote users are burning up the phone line. I checked the permissions on the files before doing this, and everything looked fine. Is there a way to reinstall OWA on SBS without a lot of grief?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edgington, Jeff
Sent: Thursday, December 18, 2003 1:00 PM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

This is definitely a permissions problem (we had the same trouble)... I remember having to modify the permission on this file... but I will need to look for my notes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Thursday, December 18, 2003 9:36 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

404 errors like that might be related to URLScan. Do you have that installed? If so, the default settings on URLscan shouldn't clobber the logoff.asp page though...

-----Original Message-----
From: Pat Richard [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
HTTP error 404 and OWA
I have a FE/BE configuration with Exchange 2003. When I use the URL http://FE server/Exchange, I get the Windows Security popup but after login I get two frames each of them with HTTP error 404, File or Directory not found. I do not have URLScan nor have I run IISlockdown tool. Any help would be appreciated.
OWA - File not found when logging out
Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
You must Die for asking a Technical question rather than an ethics question on this board. :)

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
Could it be a permissions issue (NTFS permissions on the file)?

Sincerely,
Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-----Original Message-----
From: Pat Richard [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
ROLMAO thanks, John, that was a good one.

Paul Chinnery
Network Administrator
Mem Med Ctr

-----Original Message-----
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 9:39 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

You must Die for asking a Technical question rather than an ethics question on this board. :)

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
Gawd, don't get that thread started up again! While reading the last few Deckerisms, for a moment I actually lost the will to live.

Eric Fretz
L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel: 972.772.7501
fax: 972.772.7510

-----Original Message-----
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 8:39 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

You must Die for asking a Technical question rather than an ethics question on this board. :)

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
You should probably open the IIS admin snap-in and check the permissions on the file. I think that it probably needs script execute access. Although I'm not sure how that could have gotten messed up.

Eric Fretz
L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel: 972.772.7501
fax: 972.772.7510

-----Original Message-----
From: Pat Richard [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 8:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
I know, I started deleting the whole string as they filed in one by one. Tired of hearing someone trying to preach over the internet. Get a damn life man.

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric Fretz
Sent: Thursday, December 18, 2003 10:25 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

Gawd, don't get that thread started up again! While reading the last few Deckerisms, for a moment I actually lost the will to live.

Eric Fretz
L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel: 972.772.7501
fax: 972.772.7510

-----Original Message-----
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 8:39 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

You must Die for asking a Technical question rather than an ethics question on this board. :)

John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA - File not found when logging out
404 errors like that might be related to URLScan. Do you have that installed? If so, the default settings on URLscan shouldn't clobber the logoff.asp page though... -Original Message- From: Pat Richard [mailto:[EMAIL PROTECTED] Sent: Thursday, December 18, 2003 9:37 AM To: Exchange Discussions Subject: OWA - File not found when logging out Greetings! We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post SP3 rollup are installed. For some reason, when logging out of OWA, the logout page (To complete the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist in the folder, it's just not displayed, with the server reporting it as a 404 error. All other features of OWA work fine (as far as I can tell - no reported issues). Anyone seen this before? I'm not aware of anyone tinkering with the server, and the IIS stuff looks ok. I've tried Googling and KB'ing this, but didn't come up with anything. Thoughts, comments, suggestions, and death threats are all welcome.
RE: OWA 5.5
Yea - we're single domain, two sites, and it works well -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 12:34 PM To: Exchange Discussions Subject: RE: OWA 5.5 Very true. The problem with this usually comes because of separate domains with trust issues. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Tuesday, December 16, 2003 5:30 AM To: Exchange Discussions Subject: RE: OWA 5.5 I have one for our two sites here - there's no additional configuration necessary - as long as the OWA box has connectivity to all sites. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Bourque Daniel [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 7:31 AM To: Exchange Discussions Subject: OWA 5.5 I read somewhere that it was possible to use one IIS server to front multiple Exchange 5.5 servers, member of different Exchange sites. Is it true? If yes, can you point me in the right direction on how to implement this? Thank you. 
Daniel
RE : OWA 5.5
Yes, I finally got a test account on an Exch 5.5 server in another site and it works fine. Thank you all -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: December 17, 2003 07:42 To: Exchange Discussions Subject: RE: OWA 5.5 Yea - we're single domain, two sites, and it works well -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 12:34 PM To: Exchange Discussions Subject: RE: OWA 5.5 Very true. The problem with this usually comes because of separate domains with trust issues. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Tuesday, December 16, 2003 5:30 AM To: Exchange Discussions Subject: RE: OWA 5.5 I have one for our two sites here - there's no additional configuration necessary - as long as the OWA box has connectivity to all sites. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Bourque Daniel [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 7:31 AM To: Exchange Discussions Subject: OWA 5.5 I read somewhere that it was possible to use one IIS server to front multiple Exchange 5.5 servers, member of different Exchange sites. Is it true? If yes, can you point me in the right direction on how to implement this? Thank you.
Daniel
OWA 5.5
I read somewhere that it was possible to use one IIS server to front multiple Exchange 5.5 servers, member of different Exchange sites. Is it true? If yes, can you point me in the right direction on how to implement this? Thank you. Daniel
RE: OWA 5.5
I have one for our two sites here - there's no additional configuration necessary - as long as the OWA box has connectivity to all sites. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Bourque Daniel [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 7:31 AM To: Exchange Discussions Subject: OWA 5.5 I read somewhere that it was possible to use one IIS server to front multiple Exchange 5.5 servers, member of different Exchange sites. Is it true? If yes, can you point me in the right direction on how to implement this? Thank you. Daniel
RE: OWA 5.5
Very true. The problem with this usually comes because of separate domains with trust issues. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Tuesday, December 16, 2003 5:30 AM To: Exchange Discussions Subject: RE: OWA 5.5 I have one for our two sites here - there's no additional configuration necessary - as long as the OWA box has connectivity to all sites. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Bourque Daniel [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 7:31 AM To: Exchange Discussions Subject: OWA 5.5 I read somewhere that it was possible to use one IIS server to front multiple Exchange 5.5 servers, member of different Exchange sites. Is it true? If yes, can you point me in the right direction on how to implement this? Thank you. Daniel
RE : OWA 5.5
Thank you. In our setup, there is a different Exchange 5.5 site per W2K domain, all part of the same AD tree. The setup will be: - Reverse proxy in the outside DMZ with access only to the IIS server - IIS server in an internal DMZ with specific access only to DC (DNS/Authentication) and Exch servers in the organisation. -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: December 16, 2003 12:34 To: Exchange Discussions Subject: RE: OWA 5.5 Very true. The problem with this usually comes because of separate domains with trust issues. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Tuesday, December 16, 2003 5:30 AM To: Exchange Discussions Subject: RE: OWA 5.5 I have one for our two sites here - there's no additional configuration necessary - as long as the OWA box has connectivity to all sites. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Bourque Daniel [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 7:31 AM To: Exchange Discussions Subject: OWA 5.5 I read somewhere that it was possible to use one IIS server to front multiple Exchange 5.5 servers, member of different Exchange sites. Is it true? If yes, can you point me in the right direction on how to implement this? Thank you.
Daniel
RE: OWA and SMTP
Actually, you can't snoop the SSL traffic. Ok, you can, but it's worthless. I'd suggest an SSL accelerator (either hardware or software) sitting in the DMZ, passing unencrypted traffic between the DMZ and a front end server on the internal network. We've been doing that for about 18 months without any issues (albeit in an Ex5.5 environment, but that shouldn't matter). I'd also suggest a front end server dedicated to OWA, as that's an additional layer of protection. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 10, 2003 8:42 PM To: Exchange Discussions Subject: RE: OWA and SMTP Those are very powerful seven (your number--I haven't counted) ports. You're pretty safe by allowing only SSL into OWA, enforcing a strong password policy, and watching the traffic that passes through the firewall. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Wednesday, December 10, 2003 7:15 AM To: Exchange Discussions Subject: RE: OWA and SMTP Ed, It takes 7 ports from front end server for windows 2000 communication plus the exchange ports to make it work. So my only argument is that if the front end box gets compromised, hackers have access to those seven ports and wherever they terminate. However by putting the front end server on the LAN, there is no telling where the bad guys will have access if the front end server is compromised. And please don't get me wrong, I understand that the ports required for Win2k are significant ports. However ISA might be a good solution too, I will look into it.
Thanks Davinder -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:00 PM To: Exchange Discussions Subject: RE: OWA and SMTP There's a whitepaper on the Exchange 2000 web site about using ISA. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Tuesday, December 09, 2003 8:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Can you point me to those articles/white papers etc. ?? I would like to look into the possibility of using ISA and keeping FE server in DMZ. Thanks Davinder -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. 
With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta
RE: OWA and SMTP
Because Microsoft and Security are synonymous, of course! If one chooses to put their FE server in the DMZ, open the bazillion ports required to connect to the BE server and the FE server gets compromised in any way. You have just opened the door to your internal network. Some might say, the same about putting the FE directly on the same LAN as the BE server, but at least you'll go down knowing that you weren't operating under a false sense of security. Putting the FE in a DMZ will only make you feel all warm and fuzzy till the box gets compromised. Putting the FE on your LAN at least makes you more aware that the threat is there and you're only opening 2-3 ports versus about 20. -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. 
That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. 
Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does
RE: OWA and SMTP
No, it should be on the edge of your network... ;o) -Original Message- From: David, Andy [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 3:11 PM To: Exchange Discussions Subject: RE: OWA and SMTP Shouldn't the ISA server be in the DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. 
Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. 
If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound? -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:29 AM To: Exchange Discussions Subject: RE: OWA and SMTP What Martin is saying
RE: OWA and SMTP
Davinder, What are the 7 ports? Might they not be more risk than just 25 and 443? Risks are all around us, it's up to us to determine what level of risk we're willing to accept... -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 10, 2003 10:15 AM To: Exchange Discussions Subject: RE: OWA and SMTP Ed, It takes 7 ports from front end server for windows 2000 communication plus the exchange ports to make it work. So my only argument is that if the front end box gets compromised, hackers have access to those seven ports and wherever they terminate. However by putting the front end server on the LAN, there is no telling where the bad guys will have access if the front end server is compromised. And please don't get me wrong, I understand that the ports required for Win2k are significant ports. However ISA might be a good solution too, I will look into it. Thanks Davinder -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:00 PM To: Exchange Discussions Subject: RE: OWA and SMTP There's a whitepaper on the Exchange 2000 web site about using ISA. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Tuesday, December 09, 2003 8:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Can you point me to those articles/white papers etc. ?? I would like to look into the possibility of using ISA and keeping FE server in DMZ. Thanks Davinder -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. 
Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured
RE: OWA and SMTP
But you don't have to open those 20 ports to the entire world. You can only specify that the FE should be able to talk to the BE and the DCs. I agree - it is more work to set up and maintain. Sincerely, Andrey Fyodorov, Exchange MVP Systems Engineer Messaging and Collaboration Spherion -Original Message- From: Ely, Don [mailto:[EMAIL PROTECTED] Sent: Thursday, December 11, 2003 9:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Because Microsoft and Security are synonymous, of course! If one chooses to put their FE server in the DMZ, open the bazillion ports required to connect to the BE server and the FE server gets compromised in any way. You have just opened the door to your internal network. Some might say, the same about putting the FE directly on the same LAN as the BE server, but at least you'll go down knowing that you weren't operating under a false sense of security. Putting the FE in a DMZ will only make you feel all warm and fuzzy till the box gets compromised. Putting the FE on your LAN at least makes you more aware that the threat is there and you're only opening 2-3 ports versus about 20. -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. 
I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? 
Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner White (317) 581
RE: OWA and SMTP
Well, of course, but what if the FE gets compromised? It's still allowed to talk to the BE and DC's, right? Problem still exists... We can all debate this till we're blue in the face, but the fact is, putting an FE server in the DMZ only gives you a false sense of security. It's no more or no less secure than putting the FE directly on the LAN... Now an SMTP relay by itself in the DMZ is no biggie... But leave OWA protected as best you can... -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Sent: Thursday, December 11, 2003 9:49 AM To: Exchange Discussions Subject: RE: OWA and SMTP But you don't have to open those 20 ports to the entire world. You can only specify that the FE should be able to talk to the BE and the DCs. I agree - it is more work to set up and maintain. Sincerely, Andrey Fyodorov, Exchange MVP Systems Engineer Messaging and Collaboration Spherion -Original Message- From: Ely, Don [mailto:[EMAIL PROTECTED] Sent: Thursday, December 11, 2003 9:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Because Microsoft and Security are synonymous, of course! If one chooses to put their FE server in the DMZ, open the bazillion ports required to connect to the BE server and the FE server gets compromised in any way. You have just opened the door to your internal network. Some might say, the same about putting the FE directly on the same LAN as the BE server, but at least you'll go down knowing that you weren't operating under a false sense of security. Putting the FE in a DMZ will only make you feel all warm and fuzzy till the box gets compromised. Putting the FE on your LAN at least makes you more aware that the threat is there and you're only opening 2-3 ports versus about 20. -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? 
-Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. 
The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510
RE: OWA and SMTP
Whenever I've partnered with Microsoft Consulting Services, they've agreed with me that it isn't the best idea to put front-end servers in the DMZ. But some organizations are hell-bent on doing it their way. It isn't that it's the Microsoft Way, but if a customer demands it their way, Microsoft is being customer-focused to help them not screw it up too bad. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone Sent: Tuesday, December 09, 2003 8:24 AM To: Exchange Discussions Subject: RE: OWA and SMTP Or my favorite: There is the right way, the wrong way, or the Microsoft way. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP I'm reminded of the character Yogourt in Spaceballs the Movie, It's all about the merchandising. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. 
You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA
RE: OWA and SMTP
There's a whitepaper on the Exchange 2000 web site about using ISA. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Tuesday, December 09, 2003 8:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Can you point me to those articles/white papers etc. ?? I would like to look into the possibility of using ISA and keeping FE server in DMZ. Thanks Davinder -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject:RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. 
That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. 
Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from
RE: OWA and SMTP
Ed, It takes 7 ports from front end server for windows 2000 communication plus the exchange ports to make it work. So my only argument is that if the front end box gets compromised, hackers have access to those seven ports and wherever they terminate. However, by putting the front end server on the LAN, there is no telling where the bad guys will have access if the front end server is compromised. And please don't get me wrong, I understand that the ports required for Win2k are significant ports. However ISA might be a good solution too, I will look into it. Thanks Davinder -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:00 PM To: Exchange Discussions Subject: RE: OWA and SMTP There's a whitepaper on the Exchange 2000 web site about using ISA. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Tuesday, December 09, 2003 8:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Can you point me to those articles/white papers etc. ?? I would like to look into the possibility of using ISA and keeping FE server in DMZ. Thanks Davinder -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. 
You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier
RE: OWA and SMTP
Those are very powerful seven (your number--I haven't counted) ports. You're pretty safe by allowing only SSL into OWA, enforcing a strong password policy, and watching the traffic that passes through the firewall. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Wednesday, December 10, 2003 7:15 AM To: Exchange Discussions Subject: RE: OWA and SMTP Ed, It takes 7 ports from front end server for windows 2000 communication plus the exchange ports to make it work. So my only argument is that if the front end box gets compromised, hackers have access to those seven ports and wherever they terminate. However, by putting the front end server on the LAN, there is no telling where the bad guys will have access if the front end server is compromised. And please don't get me wrong, I understand that the ports required for Win2k are significant ports. However ISA might be a good solution too, I will look into it. Thanks Davinder -Original Message- From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:00 PM To: Exchange Discussions Subject: RE: OWA and SMTP There's a whitepaper on the Exchange 2000 web site about using ISA. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta Sent: Tuesday, December 09, 2003 8:30 AM To: Exchange Discussions Subject: RE: OWA and SMTP Can you point me to those articles/white papers etc. ?? I would like to look into the possibility of using ISA and keeping FE server in DMZ. Thanks Davinder -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. 
Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do
RE: OWA and SMTP
You are going down a road that you do not want to go down. You understand that in order to be a FE server, you have to be running Exchange Enterprise edition, right? (ok, if you run Exchange 2003, you can run Standard edition) The only ports you would have to open up from the outside to the FE server would be 25, 80 and/or 443. However, the problem is that you must open up additional ports between the FE server and the BE server, and between the FE server and the DC/GC's. Opening these ports makes it not worth it to place it in the DMZ. Now, if you just want to place a SMTP Relay server (don't mistake that term for Open relay) in the DMZ, that is much safer to do. So, what is your end goal here? FE/BE setup, or SMTP Relay server? Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Monday, December 08, 2003 8:23 PM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
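The trade-off argued in this thread, as an added example (not code from any poster or from Microsoft): a small Python model of what a compromised FE can open connections to when an inner firewall allows only FE-to-BE and FE-to-DC ports, versus when the FE sits unfiltered on the LAN. Host names, listening ports and the ACL are constructed for illustration and are not the port list from KB 280132.

```python
from dataclasses import dataclass

# Constructed inventory: internal hosts and the TCP ports each one listens on.
INTERNAL_SERVICES = {
    "be1":   {25, 80, 135, 445},             # Exchange back-end
    "dc1":   {53, 88, 135, 389, 445, 3268},  # domain controller / global catalog
    "file1": {135, 445},                     # unrelated file server
    "hrdb1": {1433},                         # unrelated database server
}


@dataclass(frozen=True)
class Rule:
    """One permit entry on the inner firewall (source host, destination host, TCP port)."""
    src: str
    dst: str
    port: int


# Constructed inner-firewall ACL for an FE in the DMZ: the FE may reach only
# the BE and the DC, and only on the listed ports. (Real RPC traffic also needs
# a dynamic or pinned high port behind 135; that is left out of this model.)
DMZ_ACL = frozenset({
    Rule("fe1", "be1", 25), Rule("fe1", "be1", 80),
    Rule("fe1", "dc1", 53), Rule("fe1", "dc1", 88), Rule("fe1", "dc1", 135),
    Rule("fe1", "dc1", 389), Rule("fe1", "dc1", 3268),
})

# Ports that stay worth watching even when the ACL is tight, because they
# terminate on authentication and directory services.
SENSITIVE = {88: "Kerberos", 135: "RPC endpoint mapper",
             389: "LDAP", 3268: "Global Catalog"}


def reachable(src, services, acl=None):
    """Return the set of (host, port) pairs src can connect to.

    acl=None models placement on the same LAN with no filtering in between.
    """
    return {
        (host, port)
        for host, ports in services.items()
        for port in ports
        if acl is None or Rule(src, host, port) in acl
    }


def compare(src="fe1"):
    """Compare the reach of a compromised src under DMZ and LAN placement."""
    dmz = reachable(src, INTERNAL_SERVICES, DMZ_ACL)
    lan = reachable(src, INTERNAL_SERVICES, None)
    return {
        "dmz": dmz,
        "lan": lan,
        "only_on_lan": lan - dmz,
        "hosts_shielded_by_dmz": {h for h, _ in lan} - {h for h, _ in dmz},
        "sensitive_in_dmz": sorted(
            (h, p, SENSITIVE[p]) for h, p in dmz if p in SENSITIVE
        ),
    }


if __name__ == "__main__":
    result = compare()
    print("reachable from FE in DMZ :", len(result["dmz"]), "services")
    print("reachable from FE on LAN :", len(result["lan"]), "services")
    print("hosts shielded by the ACL:", sorted(result["hosts_shielded_by_dmz"]))
    print("sensitive ports still open through the ACL:")
    for host, port, name in result["sensitive_in_dmz"]:
        print(f"  {host}:{port} ({name})")
```

The output shows both sides of the argument: the ACL removes unrelated hosts from reach, while the ports that remain open still terminate on the domain controller.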
RE: OWA and SMTP
80(HTTP), 443(SSL) and a few others. Check out kb# 280132 Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 7:23 PM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
It's much more extensive than that when putting the FE in the DMZ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Tuesday, December 09, 2003 5:55 AM To: Exchange Discussions Subject: RE: OWA and SMTP 80(HTTP), 443(SSL) and a few others. Check out kb# 280132 Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 7:23 PM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
He just asked for the ports and I pointed him to the kb on open ports. I agree that putting a Front End in a DMZ is no walk in the park and did not intend to make it sound that easy. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:10 AM To: Exchange Discussions Subject: RE: OWA and SMTP It's much more extensive than that when putting the FE in the DMZ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Tuesday, December 09, 2003 5:55 AM To: Exchange Discussions Subject: RE: OWA and SMTP 80(HTTP), 443(SSL) and a few others. Check out kb# 280132 Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 7:23 PM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
What Martin is saying is that those are not the only ports you have to open. There are MANY more that are required to be opened to allow for communication between the FE server and the BE server, and communication between the FE server and the DC/GC servers. While the article seems to point out the correct ports, the post was misleading in saying that only 80/443 and a few others. Those few other ports (esp. 135, and the LDAP ports) are something I would not especially want opened on my firewall.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP

He just asked for the ports and I pointed him to the kb on open ports. I agree that putting a Front End in a DMZ is no walk in the park and did not intend to make it sound that easy.

Eric Fretz
L-3 Communications ComCept Division
2800 Discovery Blvd. Rockwall, TX 75032
tel: 972.772.7501 fax: 972.772.7510
RE: OWA and SMTP
Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound?

-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open. There are MANY more that are required to be opened to allow for communication between the FE server and the BE server, and communication between the FE server and the DC/GC servers. While the article seems to point out the correct ports, the post was misleading in saying that only 80/443 and a few others. Those few other ports (esp. 135, and the LDAP ports) are something I would not especially want opened on my firewall.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418
RE: OWA and SMTP
He did not indicate which ports he needed to have open and on which side they needed to be open to. For example, 80 and 443 need to be open to the internet to allow external hosts to use OWA. The others need to be open between the DMZ and internal LAN to allow the FE server to do GC lookups, etc. Sorry for the confusion.

Eric Fretz
L-3 Communications ComCept Division
2800 Discovery Blvd. Rockwall, TX 75032
tel: 972.772.7501 fax: 972.772.7510

-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open. There are MANY more that are required to be opened to allow for communication between the FE server and the BE server, and communication between the FE server and the DC/GC servers. While the article seems to point out the correct ports, the post was misleading in saying that only 80/443 and a few others. Those few other ports (esp. 135, and the LDAP ports) are something I would not especially want opened on my firewall.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418
RE: OWA and SMTP
Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP

Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound?
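The two placements argued over in this thread, written as first-match rule sets so that what each one lets into the internal network can be checked; this is an added example, not part of any poster's message. The addresses, the FE-to-BE port 80 rule, and the reading of "the LDAP ports" as 389 and 3268 are assumptions, and the DMZ rule set is a subset for illustration rather than the full list from the KB article.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of it comes from the thread.
INTERNAL = ip_network("10.0.0.0/24")
FE_DMZ, OTHER_DMZ = "192.0.2.10", "192.0.2.20"   # FE server / some other DMZ host
FE_INSIDE, BE, DC = "10.0.0.10", "10.0.0.20", "10.0.0.5"
ANY = "0.0.0.0/0"

# Ports one poster says he would not want opened on his firewall: 135 and
# "the LDAP ports" (assumed here to mean 389 LDAP and 3268 global catalog).
SENSITIVE = {135, 389, 3268}


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR
    port: int    # TCP destination port


def host(addr):
    """CIDR form of a single host address."""
    return f"{addr}/32"


# FE in the DMZ: the ACL names the FE server as the only permitted source
# and lists each port, as suggested in the thread.
DMZ_DESIGN = [
    Rule("permit", ANY, host(FE_DMZ), 443),
    Rule("permit", ANY, host(FE_DMZ), 25),
    Rule("permit", host(FE_DMZ), host(BE), 80),    # assumption: FE proxies HTTP to BE
    Rule("permit", host(FE_DMZ), host(DC), 135),
    Rule("permit", host(FE_DMZ), host(DC), 389),
    Rule("permit", host(FE_DMZ), host(DC), 3268),
]

# FE inside the network: only 443 and 25 are published (port 80 is not).
INSIDE_DESIGN = [
    Rule("permit", ANY, host(FE_INSIDE), 443),
    Rule("permit", ANY, host(FE_INSIDE), 25),
]


def evaluate(acl, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for rule in acl:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and port == rule.port):
            return rule.action
    return "deny"


def crossing(acl):
    """Permit rules that let a source outside INTERNAL reach a host inside it."""
    return [r for r in acl
            if r.action == "permit"
            and ip_network(r.dst).subnet_of(INTERNAL)
            and not ip_network(r.src).subnet_of(INTERNAL)]


def flagged(acl):
    """Ports from SENSITIVE that the rule set opens into the internal network."""
    return sorted(r.port for r in crossing(acl) if r.port in SENSITIVE)


if __name__ == "__main__":
    for name, acl in (("FE in DMZ", DMZ_DESIGN), ("FE inside", INSIDE_DESIGN)):
        opened = sorted((r.dst, r.port) for r in crossing(acl))
        print(f"{name}: opened into internal network: {opened}")
        print(f"{name}: sensitive ports opened: {flagged(acl)}")
```
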
RE: OWA and SMTP
I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone.

Eric Fretz
L-3 Communications ComCept Division
2800 Discovery Blvd. Rockwall, TX 75032
tel: 972.772.7501 fax: 972.772.7510

-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them.

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418
RE: OWA and SMTP
Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is a separate physical network (VLAN) and the firewall is going to allow these specific kinds of traffic only to required specific servers on the inside network. You guys seem very concerned with that, which I respectfully don't understand. Also, this is exactly what we did in Exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas?

Thanks
Davinder

-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone.

Eric Fretz
L-3 Communications ComCept Division
2800 Discovery Blvd. Rockwall, TX 75032
tel: 972.772.7501 fax: 972.772.7510
RE: OWA and SMTP
Isn't Exchange 2003 more IPSec-friendly? But if you work on it carefully, you should be able to get Exchange 2000 going with IPSec too.

-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:46 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is a separate physical network (VLAN) and the firewall is going to allow these specific kinds of traffic only to required specific servers on the inside network. You guys seem very concerned with that, which I respectfully don't understand. Also, this is exactly what we did in Exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas?

Thanks
Davinder
RE: OWA and SMTP
Could you be a little more specific about the careful part?? -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:50 AM To: Exchange Discussions Subject:RE: OWA and SMTP Isn't Exchange 2003 more IPSec-friendly? But if you work on it carefully, you should be able to get Exchange 2000 going with IPSec too. -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:46 AM To: Exchange Discussions Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. 
If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound? -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:29 AM To: Exchange Discussions Subject: RE: OWA and SMTP What Martin is saying is that those are not the only ports you have to open. There are MANY more that are required to be opened to allow for communication between the FE server and the BE server, and communication between the FE server and the DC/GC servers. While the article seems to point out the correct ports, the post was misleading in saying that only 80/443 and a few others. Those few other ports (esp. 135, and the LDAP ports) are something I would not especially want opened on my firewall. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP He just asked for the ports and I pointed him to the kb on open ports. I agree that putting a Front End in a DMZ is no walk in the park and did not intend to make it sound that easy. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd.
RE: OWA and SMTP
What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? 
RE: OWA and SMTP
I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. 
RE: OWA and SMTP
Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. 
RE: OWA and SMTP
Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. 
RE: OWA and SMTP
I'm reminded of the character Yogourt in Spaceballs the Movie, It's all about the merchandising. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. 
RE: OWA and SMTP
Or my favorite: There is the right way, the wrong way, or the Microsoft way. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP I'm reminded of the character Yogourt in Spaceballs the Movie, It's all about the merchandising. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. 
RE: OWA and SMTP
Can you point me to those articles/white papers etc. ?? I would like to look into the possibility of using ISA and keeping FE server in DMZ. Thanks Davinder -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 8:17 AM To: Exchange Discussions Subject:RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. 
I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. 
There are some servers that belong on a DMZ. A FE OWA server is not one of them. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound? -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:29 AM To: Exchange Discussions Subject: RE: OWA and SMTP What Martin is saying is that those are not the only ports you have to open. There are MANY more
RE: OWA and SMTP
Shouldn't the ISA server be in the DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 11:17 AM To: Exchange Discussions Subject: RE: OWA and SMTP Don't they show ISA in there as well? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: Tuesday, December 09, 2003 8:13 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why do Microsoft FE/BE whitepapers show FE in DMZ? -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 10:58 AM To: Exchange Discussions Subject: RE: OWA and SMTP I couldn't have said it better myself. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz Sent: Tuesday, December 09, 2003 7:56 AM To: Exchange Discussions Subject: RE: OWA and SMTP What I don't understand is why everyone thinks that placing their FE server in a DMZ is a more secure/better way/whatever have you. IMHO, it is not. I don't understand what you think you are going to be gaining by placing it there other than increased headache for the setup and troubleshooting. Some may offer the argument that if your FE server gets hacked, it is somewhat isolated. Let's be honest. With the ports that are required to be open between the FE and BE, if someone hacks your FE server, they can own your internal network whether the FE is in a DMZ or not. I'm just not convinced that there is a need to place FE servers in the DMZ. That, plus I seem to remember that it is now Microsoft's suggestion to NOT place the FE server in the DMZ. I'll see if I can find the reference to that. Davinder, you are, of course, welcome to deploy this how you see fit. It is, after all, your network, not mine. Ultimately, if you feel it is a better setup to place your FE server in your DMZ, then do that. I'm just trying to offer feedback. As far as 5.5, that is a different scenario altogether. 
5.5 would allow you to install OWA separate from the Exchange mailbox server. Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 10:45 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Thanks everybody for replying. The plan is exactly to open 443 from outside and required ports for GC/LDAP and required ports for BE server. The DMZ is separate physical network (VLAN) and Firewall is going to allow these specific kind of traffic only to required specific servers on inside network. You guys seem very concerned with that which I respectfully don't understand. Also this is exactly what we did in exchange 5.5, right?? Or another idea might be to create an IPSec tunnel between FE server and DCs and limit the number of ports that way, ideas? Thanks Davinder -Original Message- From: Eric Fretz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 7:20 AM To: Exchange Discussions Subject:RE: OWA and SMTP I totally agree. It is much easier to do extensive logging (and packet filtering, for that matter) with a good layered firewall, as opposed to locking down IIS (and Windows) to accept connections in an unsecured zone. Eric Fretz L-3 Communications ComCept Division 2800 Discovery Blvd. Rockwall, TX 75032 tel: 972.772.7501 fax: 972.772.7510 -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:20 AM To: Exchange Discussions Subject: RE: OWA and SMTP Why go through the hassle? It is much easier (and just as secure) to simply put the FE server inside your network, open up port 443 and 25 to the FE server (I would not open port 80 for OWA), and that is all you should have to do. If you want to be even more secure, use something like ISA server to publish the FE OWA server. There are some servers that belong on a DMZ. A FE OWA server is not one of them. 
Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk) Conversation: OWA and SMTP Subject: RE: OWA and SMTP Have FE and BE on separate VLANs and set up access lists on the routers allowing just the back-end VLAN to only accept traffic from the front-end VLAN if it is coming from the FE server, and only the specified ports. How does that sound? -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 09, 2003 9:29 AM To: Exchange Discussions Subject: RE: OWA and SMTP What Martin is saying is that those are not the only ports you have to open. There are MANY more that are required to be opened to allow for communication between the FE server and the BE server, and communication between the FE server and the DC
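The access-list idea raised in the thread above (FE and BE on separate VLANs, with the back-end side accepting traffic only from the FE server and only on the specified ports) can be checked mechanically. The following is an added example, not part of the original thread: a Python audit of a first-match ACL against a list of required flows. The addresses, the `Rule` format and the port list (HTTP 80 to the back end; LDAP 389, GC 3268, Kerberos 88, DNS 53 and the RPC endpoint mapper 135 to the DC) are constructed for illustration and are not a complete list for any Exchange version.

```python
"""Audit a first-match ACL between a DMZ front-end host and inside servers.

All addresses, rules and the required-flow list below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port
    hi: int      # last destination port (inclusive)


def permitted_ports(acl, src_ip, dst_ip, proto):
    """Destination ports the ACL passes for src/dst/proto, honouring rule order."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    allowed, decided = set(), set()
    for r in acl:
        if src not in ip_network(r.src) or dst not in ip_network(r.dst):
            continue
        if r.proto not in (proto, "any"):
            continue
        fresh = set(range(r.lo, r.hi + 1)) - decided  # ports no earlier rule matched
        if r.action == "permit":
            allowed |= fresh
        decided |= fresh
    return allowed  # anything still undecided hits the implicit deny


def as_ranges(ports):
    """Compress a set of ports into a string such as '80-82,443'."""
    ordered = sorted(ports)
    spans, start = [], None
    for i, p in enumerate(ordered):
        if start is None:
            start = p
        if i + 1 == len(ordered) or ordered[i + 1] != p + 1:
            spans.append(str(start) if start == p else f"{start}-{p}")
            start = None
    return ",".join(spans)


def audit(acl, fe_host, other_dmz_hosts, required):
    """Return findings as (kind, src, dst, proto, ports) tuples.

    blocked-required: a needed FE flow is denied (the service breaks)
    excess-from-fe:   the FE server can reach ports it does not need
    non-fe-source:    another DMZ host can reach an inside server at all
    """
    findings = []
    for dst, flows in required.items():
        for proto in ("tcp", "udp"):
            want = {port for pr, port in flows if pr == proto}
            got = permitted_ports(acl, fe_host, dst, proto)
            if want - got:
                findings.append(("blocked-required", fe_host, dst, proto, as_ranges(want - got)))
            if got - want:
                findings.append(("excess-from-fe", fe_host, dst, proto, as_ranges(got - want)))
            for other in other_dmz_hosts:
                leak = permitted_ports(acl, other, dst, proto)
                if leak:
                    findings.append(("non-fe-source", other, dst, proto, as_ranges(leak)))
    return findings


# --- constructed sample network (documentation and private address ranges) ---
FE, OTHER_DMZ = "192.0.2.10", "192.0.2.77"   # front-end server, unrelated DMZ host
BE, DC = "10.0.1.20", "10.0.1.5"             # back-end mailbox server, domain controller
REQUIRED = {                                  # illustrative flows, not a complete list
    BE: {("tcp", 80)},
    DC: {("tcp", 389), ("tcp", 3268), ("tcp", 88), ("udp", 88),
         ("tcp", 53), ("udp", 53), ("tcp", 135)},
}
# Weak form: the whole DMZ subnet may reach the whole inside subnet.
LOOSE_ACL = [
    Rule("permit", "192.0.2.0/24", "10.0.1.0/24", "tcp", 1, 65535),
    Rule("permit", "192.0.2.0/24", "10.0.1.0/24", "udp", 53, 53),
    Rule("permit", "192.0.2.0/24", "10.0.1.0/24", "udp", 88, 88),
]
# Tight form: one permit per required flow from the FE host, then an explicit deny.
TIGHT_ACL = [
    Rule("permit", FE + "/32", dst + "/32", proto, port, port)
    for dst, flows in REQUIRED.items() for proto, port in sorted(flows)
] + [Rule("deny", "192.0.2.0/24", "10.0.1.0/24", "any", 1, 65535)]

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("tight", TIGHT_ACL)):
        print(name, "ACL findings:")
        for finding in audit(acl, FE, [OTHER_DMZ], REQUIRED) or ["none"]:
            print("  ", finding)
    # Even the tight ACL leaves the FE host able to reach these DC services.
    print("FE -> DC tcp still reachable:", as_ranges(permitted_ports(TIGHT_ACL, FE, DC, "tcp")))
```

The tight ACL produces no findings, yet the last line still lists the directory and authentication ports the FE host can reach on the DC, which is the residual exposure the thread is arguing about.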
OWA and SMTP
I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
Depending on what kind of setup you'll be doing and what type of security you're going to be implementing. But for starters you want to at least open port 25 (SMTP traffic) and 443 (for SSL). _ John Bowles Exchange Engineer OIG/HHS [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Davinder Gupta Sent: Monday, December 08, 2003 10:58 AM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
There are a bunch of Exchange hosting whitepapers that discuss front-end/back-end deployment including which ports need to be open. Look at http://www.microsoft.com/isn Sincerely, Andrey Fyodorov, Exchange MVP Systems Engineer Messaging and Collaboration Spherion -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 10:58 AM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
Of course, I want it to be secure. The external ports you mention are good. How about this server talking to other Exchange 2k servers and Win2k DCs inside? Can we still fix the Exchange ports like we did in 5.5? -Original Message- From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 8:02 AM To: Exchange Discussions Subject: RE: OWA and SMTP Depending on what kind of setup you'll be doing and what type of security you're going to be implementing. But for starters you want to at least open port 25 (SMTP traffic) and 443 (for SSL). _ John Bowles Exchange Engineer OIG/HHS [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Davinder Gupta Sent: Monday, December 08, 2003 10:58 AM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: OWA and SMTP
There are KB articles about static port mappings in Exchange 2000. -Original Message- From: Davinder Gupta [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 11:08 AM To: Exchange Discussions Subject: RE: OWA and SMTP Of course, I want it to be secure. The external ports you mention are good. How about this server talking to other Exchange 2k servers and Win2k DCs inside? Can we still fix the Exchange ports like we did in 5.5? -Original Message- From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 8:02 AM To: Exchange Discussions Subject: RE: OWA and SMTP Depending on what kind of setup you'll be doing and what type of security you're going to be implementing. But for starters you want to at least open port 25 (SMTP traffic) and 443 (for SSL). _ John Bowles Exchange Engineer OIG/HHS [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Davinder Gupta Sent: Monday, December 08, 2003 10:58 AM To: Exchange Discussions Subject: OWA and SMTP I am setting up a Windows 2000 member server in DMZ, which will be our SMTP and OWA front end server. Which ports do I need to open to make this work? Is there a KB article that you guys could point me to? Thanks Davinder
RE: Exchange 2003 OWA default home page
Cheers, but unfortunately, this doesn't appear to exist. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey Sent: 05 December 2003 03:27 To: Exchange Discussions Subject: RE: Exchange 2003 OWA default home page You should be able to create the website and virtual directories manually and point them to \\.\backofficestorage -Original Message- From: Simon Bond [mailto:[EMAIL PROTECTED] Sent: Thursday, December 04, 2003 5:53 PM To: Exchange Discussions Subject: Exchange 2003 OWA default home page I have a test system (thank goodness) that I accidentally deleted the default web site on (containing the E2003 files). Not the end of the world I thought, I'll just reinstall Exchange and it'll put all the files back. Oh no. What it seems to do (and please correct me if I'm wrong) is that it rebuilds the directory structure of the site in IIS but the default page it returns when I try to access it from the web (or browsing through IIS) is the C:\Inetpub\wwwroot\iisstart.htm page, which is an error page. The correct page doesn't seem to be restored by the reinstallation. Any ideas? Thanking you in advance, Simon
RE: Dumb question - why OWA cannot get to public folder contacts?
I did have the same prob and ?, I now use RPC over HTTP, and the solution is far better than the OWA solution. That is in my point of view :-) Troels Majlandt Systemconstructor -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Jameson Sent: 5 December 2003 04:40 To: Exchange Discussions Subject: Dumb question - why OWA cannot get to public folder contacts? Ever since the early days - I always thought at some point, MS would make the OWA get to all the public folders like outlook (be able to send email by picking a public folder contact list) but alas, Ex2k3 still has no access to a public folder contact list. Grr. I know OWA is meant to be quick, simple and trim - but is this too much to ask? My workaround is to try the RPC over HTTP feature but still need to roll out Office 2003 first at our client sites. Regards, Ron Jameson IT Division Manager Hamlin Technologies
Exchange 5.5 OWA install on a Win2000 Server
I'm getting this message when I try to access OWA. I find something about this in TechNet, but it's only for IIS v.4 in NT 4.0 and not for IIS v.5.0 in Windows 2000. ** Error Type: Microsoft VBScript runtime (0x800A01A8) Object required: 'Application(...)' /exchange/USA/logon.asp, line 12 Browser Type: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Page: GET /exchange/USA/logon.asp *** Any suggestions to solve my problem? The Exchange server is an updated Exchange 5.5 (including SP3) on an NT 4.0 server with Service Pack 4
RE: Exchange 5.5 OWA install on a Win2000 Server
You didn't SP the OWA box did you? Install SP4 for Exchange. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PEter Sent: Friday, December 05, 2003 5:40 AM To: Exchange Discussions Subject: Exchange 5.5 OWA install on a Win2000 Server I'm getting this message when I try to access OWA. I find something about this in TechNet, but it's only for IIS v.4 in NT 4.0 and not for IIS v.5.0 in Windows 2000. ** Error Type: Microsoft VBScript runtime (0x800A01A8) Object required: 'Application(...)' /exchange/USA/logon.asp, line 12 Browser Type: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Page: GET /exchange/USA/logon.asp *** Any suggestions to solve my problem? The Exchange server is an updated Exchange 5.5 (including SP3) on an NT 4.0 server with Service Pack 4
RE: Exchange 2003 OWA default home page
That's odd. I did the exact same thing in my lab when I was testing Ex2003 and a reinstall brought it back. - Peter -Original Message- From: Simon Bond [mailto:[EMAIL PROTECTED] Sent: Thursday, December 04, 2003 5:53 PM To: Exchange Discussions Subject: Exchange 2003 OWA default home page I have a test system (thank goodness) that I accidentally deleted the default web site on (containing the E2003 files). Not the end of the world I thought, I'll just reinstall Exchange and it'll put all the files back. Oh no. What it seems to do (and please correct me if I'm wrong) is that it rebuilds the directory structure of the site in IIS but the default page it returns when I try to access it from the web (or browsing through IIS) is the C:\Inetpub\wwwroot\iisstart.htm page, which is an error page. The correct page doesn't seem to be restored by the reinstallation. Any ideas? Thanking you in advance, Simon
Changing web server - OWA OMA
I need some suggestions on how to best configure my IIS / exchange. We have had a very insecure setup with exchange running on our IIS server, but this allowed OWA and OMA to work for us. We are now moving our IIS server to a separate box and placing it in our DMZ. We are not ready to add an ISA server in our DMZ or a FE Exchange server in the DMZ. So as a compromise we are looking at directing OWA and OMA traffic to the Exchange server /IIS and all other web traffic to our IIS server in the dmz. The corporate web site mysite is now going to be on a new server. My users have accessed owa via mysite\exchange. They access both from intranet as well as internet. Any suggestions or information you can direct me to that will help me figure out a solution that is somewhat transparent to the end user? I am thinking of setting the website on the exchange server to mail.mysite and exchange would be https:\\mail.mysite.com\exchange and traffic going to www.mysite.com\exchange would be redirected to https:\\mail.mysite.com\exchange. Is there a better solution? Also is there a way to help minimize the exposure of the owa / oma website on the IIS server?
Exchange 2003 OWA default home page
I have a test system (thank goodness) that I accidentally deleted the default web site on (containing the E2003 files). Not the end of the world I thought, I'll just reinstall Exchange and it'll put all the files back. Oh no. What it seems to do (and please correct me if I'm wrong) is that it rebuilds the directory structure of the site in IIS but the default page it returns when I try to access it from the web (or browsing through IIS) is the C:\Inetpub\wwwroot\iisstart.htm page, which is an error page. The correct page doesn't seem to be restored by the reinstallation. Any ideas? Thanking you in advance, Simon
RE: Exchange 2003 OWA default home page
You should be able to create the website and virtual directories manually and point them to \\.\backofficestorage -Original Message- From: Simon Bond [mailto:[EMAIL PROTECTED] Sent: Thursday, December 04, 2003 5:53 PM To: Exchange Discussions Subject: Exchange 2003 OWA default home page I have a test system (thank goodness) that I accidentally deleted the default web site on (containing the E2003 files). Not the end of the world I thought, I'll just reinstall Exchange and it'll put all the files back. Oh no. What it seems to do (and please correct me if I'm wrong) is that it rebuilds the directory structure of the site in IIS but the default page it returns when I try to access it from the web (or browsing through IIS) is the C:\Inetpub\wwwroot\iisstart.htm page, which is an error page. The correct page doesn't seem to be restored by the reinstallation. Any ideas? Thanking you in advance, Simon
Dumb question - why OWA cannot get to public folder contacts?
Ever since the early days - I always thought at some point, MS would make the OWA get to all the public folders like outlook (be able to send email by picking a public folder contact list) but alas, Ex2k3 still has no access to a public folder contact list. Grr. I know OWA is meant to be quick, simple and trim - but is this too much to ask? My workaround is to try the RPC over HTTP feature but still need to roll out Office 2003 first at our client sites. Regards, Ron Jameson IT Division Manager Hamlin Technologies
RE: Exchange 2003 OWA Flaw?
Quite a lot of info has been posted to the following web page: http://www.microsoft.com/exchange/support/e2k3owa.asp David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone Sent: Saturday, November 22, 2003 9:07 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? But, one could argue that this should have been a documented scenario... I'm not saying one way or the other. Just that it has taken an interesting turn. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David N. Precht Sent: Saturday, November 22, 2003 9:05 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? But... A preliminary investigation by Microsoft indicated that the issue occurs only with Kerberos authentication disabled, which the vendor said is uncommon. We recommend that our customers ensure that Kerberos authentication is enabled, which is the default configuration, Microsoft said in a statement Friday. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone Sent: Saturday, November 22, 2003 11:22 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? This has taken a new turn... http://www.infoworld.com/article/03/11/21/HNmsflaw_1.html -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woodruff, Michael Sent: Friday, November 21, 2003 9:25 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? Not that I am aware of. My boss just passed it on to me. I'm not a participate in that list. I just thought it was odd since that would be a huge flaw and Microsoft or anyone for that matter has said nothing. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka Sent: Friday, November 21, 2003 11:18 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? All seriousness aside, I know nothing about this issue. 
I'm inferring from the other responses to this thread that if two MVPs have no knowledge of the issue it probably doesn't exist. Mike W: Were there any follow-up posts on NTBUGTRAQ about this? -Original Message- From: Erik Sojka Sent: Friday, November 21, 2003 11:15 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? I saw a posting about it on NTBUGTRAQ.COM. Some guy had to shut off OWA indefinitely because of the issue. -Original Message- From: Martin Blackstone [mailto:[EMAIL PROTECTED] Sent: Friday, November 21, 2003 11:10 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? So you have seen this? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka Sent: Friday, November 21, 2003 8:12 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? That's because Microsoft knows of the issue but does not have a fix yet. -Original Message- From: Ben Winzenz [mailto:[EMAIL PROTECTED] Sent: Friday, November 21, 2003 11:10 AM To: Exchange Discussions Subject: RE: Exchange 2003 OWA Flaw? I have not heard of it... Ben Winzenz Network Engineer Gardner White (317) 581-1580 ext 418 -Original Message- From: Woodruff, Michael [mailto:[EMAIL PROTECTED] Posted At: Friday, November 21, 2003 10:57 AM Posted To: Exchange (Swynk) Conversation: Exchange 2003 OWA Flaw? Subject: Exchange 2003 OWA Flaw? Is this BS or has anyone else heard of this flaw? -Original Message- From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson Sent: Friday, November 14, 2003 10:24 PM To: [EMAIL PROTECTED] Subject: Exchange 2003 OWA major security flaw We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and has full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. 
I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator Investment Scorecard, Inc. 615.301.7611 [EMAIL PROTECTED] www.investmentscorecard.com http://www.investmentscorecard.com/
RE: OWA daily hangups and patch 818709 messages now blank
We applied this patch to two servers (ex 5.5 sp4, NT sp6a) and now one of them displays only blank emails. I see this in the event log:

Application popup: OLEChannelWnd: inetinfo.exe - Entry Point Not Found : The procedure entry point wnsprintfW could not be located in the dynamic link library SHLWAPI.dll.

I noticed shlwapi.dll was not the same on both servers so I copied the one from the working server across. Made no difference. Anyone else seen this?

Harriet

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: 19 November 2003 23:29
To: Exchange Discussions
Subject: RE: OWA daily hangups

Any of your users using Outlook 2003? If so, there's a patch... http://support.microsoft.com/default.aspx?scid=kb;[LN];818709

I had this exact same problem and this fixed it. I haven't had to restart OWA since.

Cheers,
Tony

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 3:25 PM
To: Exchange Discussions
Subject: OWA daily hangups

Weird problem... I'm running Exchange 5.5 sp4 on Win2k sp4 in a Win2k AD domain. For about a month now when a user tries to log on to OWA they will experience a hangup in the service. Specifically, the user can get to the 1st logon screen, enter their alias... and then enter their logon/password in the subsequent pop-up box but the actual screen to see their mail will not be displayed. It will just sit there on the first page and not go any further. No errors... No page cannot be displayed... nothing! I've seen the problem happen on XP, 2k, even on the server itself. Giving IIS a restart solves the problem for a day or two and then it will happen again. I checked the event logs and don't see anything pertaining to IIS or Exchange except messages saying the service was stopped (of course it does since I'm the one who stops it!). Can anyone give me an idea on how to tackle this one? Or is this more of an IIS issue rather than an OWA issue...?
RE: OWA daily hangups and patch 818709 messages now blank - Sorted
Turned out to be a corrupt mlang.dll

-Original Message-
From: Wood, Harriet [CCS] [mailto:[EMAIL PROTECTED]
Sent: 25 November 2003 08:42
To: Exchange Discussions
Subject: RE: OWA daily hangups and patch 818709 messages now blank

We applied this patch to two servers (ex 5.5 sp4, NT sp6a) and now one of them displays only blank emails. I see this in the event log:

Application popup: OLEChannelWnd: inetinfo.exe - Entry Point Not Found : The procedure entry point wnsprintfW could not be located in the dynamic link library SHLWAPI.dll.

I noticed shlwapi.dll was not the same on both servers so I copied the one from the working server across. Made no difference. Anyone else seen this?

Harriet

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED]
Sent: 19 November 2003 23:29
To: Exchange Discussions
Subject: RE: OWA daily hangups

Any of your users using Outlook 2003? If so, there's a patch... http://support.microsoft.com/default.aspx?scid=kb;[LN];818709

I had this exact same problem and this fixed it. I haven't had to restart OWA since.

Cheers,
Tony

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 3:25 PM
To: Exchange Discussions
Subject: OWA daily hangups

Weird problem... I'm running Exchange 5.5 sp4 on Win2k sp4 in a Win2k AD domain. For about a month now when a user tries to log on to OWA they will experience a hangup in the service. Specifically, the user can get to the 1st logon screen, enter their alias... and then enter their logon/password in the subsequent pop-up box but the actual screen to see their mail will not be displayed. It will just sit there on the first page and not go any further. No errors... No page cannot be displayed... nothing! I've seen the problem happen on XP, 2k, even on the server itself. Giving IIS a restart solves the problem for a day or two and then it will happen again.
I checked the event logs and don't see anything pertaining to IIS or Exchange except messages saying the service was stopped (of course it does since I'm the one who stops it!). Can anyone give me an idea on how to tackle this one? Or is this more of an IIS issue rather than an OWA issue...?
RE: OWA Design Question
If you publish OWA through ISA, all you need to open outbound to the internet is 80 and/or 443 for OWA to function. If you place a FE server in the DMZ you still have to open 80 and/or 443 outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your BE Exchange servers. At least that is the way I understand it.

- Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF "Using Microsoft Exchange 2000 Front-End Servers" trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advanced Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall. Of course Microsoft recommends the Advanced Firewall Scenario (ISA Server).

My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-Original Message-
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: Exchange 2003 OWA segmentation feature
Date: Mon, 11 Aug 2003 11:01:25 -1000

Hi everyone:

I'm looking for some information on a feature in Exchange 2003 and I have used up all of my ideas on how to find out more info. It was called OWA segmentation in Exchange 2000 and was introduced in Exchange 2000 SP2. It allowed you to turn off public folders, the calendar, contacts, etc. for certain users. This was either a registry key or an attribute you had to add to the W2K AD. However, it is included in E2K3's schema extensions. However, I cannot find ANY information on the actual values. It is essentially a bit mask, but I can't figure out what the bits mean. Below is the only text I have been able to find on it, and this was in the release notes. The schema attribute name is: msExchMailboxFolderSet

I have a customer that is using this in E2K and we are building a 'proof-of-concept' lab for E2K3 and we cannot get this to work. It is driving me crazy and I'm almost thinking I need to open up a PSS incident just to get the documentation on this feature. I was hoping you might be able to find more documentation on this. Any ideas?

Thanks,
Jim McBee

Per-user Feature Segmentation in Outlook Web Access May Require Modification of User Object to Use All Features

Outlook Web Access allows you to enable specific sets
RE: OWA Design Question
It is my understanding that even if I publish OWA through ISA I still have to open 389, 88, and 53 (if we don't use host files) to our network for authentication. So it seems that I will just save myself from opening ports for GC Queries and RPC Traffic.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bailey, Matthew
Posted At: Tuesday, November 25, 2003 8:28 AM
Posted To: Exchange Discussion
Conversation: OWA Design Question
Subject: RE: OWA Design Question

If you publish OWA through ISA, all you need to open outbound to the internet is 80 and/or 443 for OWA to function. If you place a FE server in the DMZ you still have to open 80 and/or 443 outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your BE Exchange servers. At least that is the way I understand it.

- Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF "Using Microsoft Exchange 2000 Front-End Servers" trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advanced Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall. Of course Microsoft recommends the Advanced Firewall Scenario (ISA Server).

My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-Original Message-
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: Exchange 2003 OWA segmentation feature
Date: Mon, 11 Aug 2003 11:01:25 -1000

Hi everyone:

I'm looking for some information on a feature in Exchange 2003 and I have used up all of my ideas on how to find out more info. It was called OWA segmentation in Exchange 2000 and was introduced in Exchange 2000 SP2. It allowed you to turn off public folders, the calendar, contacts, etc. for certain users. This was either a registry key or an attribute you had to add to the W2K AD. However, it is included in E2K3's schema extensions. However, I cannot find ANY information on the actual values. It is essentially a bit mask, but I can't figure out what the bits mean. Below is the only text I have been able to find on it, and this was in the release notes. The schema attribute name is: msExchMailboxFolderSet

I have a customer that is using this in E2K
RE: OWA Design Question
You can use ISA. It's not that hard to set up and works well. Added bonus for those with the need is the ability to add RSA authentication to the ISA server. Users must use a key fob to authenticate before they even get to the OWA boxes.

You can also use another type of proxy server (Squid for instance) to proxy the connection from the DMZ.

-Original Message-
From: Bailey, Matthew [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:28 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

If you publish OWA through ISA, all you need to open outbound to the internet is 80 and/or 443 for OWA to function. If you place a FE server in the DMZ you still have to open 80 and/or 443 outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your BE Exchange servers. At least that is the way I understand it.

- Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF "Using Microsoft Exchange 2000 Front-End Servers" trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advanced Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall. Of course Microsoft recommends the Advanced Firewall Scenario (ISA Server).

My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-Original Message-
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: Exchange 2003 OWA segmentation feature
Date: Mon, 11 Aug 2003 11:01:25 -1000

Hi everyone:

I'm looking for some information on a feature in Exchange 2003 and I have used up all of my ideas on how to find out more info. It was called OWA segmentation in Exchange 2000 and was introduced in Exchange 2000 SP2. It allowed you to turn off public folders, the calendar, contacts, etc. for certain users. This was either a registry key or an attribute you had to add to the W2K AD. However, it is included in E2K3's schema extensions. However, I cannot find ANY information on the actual values. It is essentially a bit mask, but I can't figure out what the bits mean. Below is the only text I have been able to find on it, and this was in the release notes. The schema attribute name is: msExchMailboxFolderSet

I have a customer
RE: OWA Design Question
I am currently running OWA published through ISA and I didn't need to open all the ports since the OWA server sits behind ISA in the corporate network. We have our ISA server sitting on the border of our corporate network externally facing the DMZ then have another brand of firewall sitting on the border between the DMZ and the Internet. On the ISA server, you only bind the Client for Microsoft Networks to the internal facing NIC. The firewall facing the Internet only has ports 80 and 443 open (working on getting everybody switched over to SSL only) for the IP of the OWA server. It was fairly easy to do but using SSL creates some challenges.

This site has some good documentation on the process: http://www.ISAserver.org

- Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 7:34 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

It is my understanding that even if I publish OWA through ISA I still have to open 389, 88, and 53 (if we don't use host files) to our network for authentication. So it seems that I will just save myself from opening ports for GC Queries and RPC Traffic.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bailey, Matthew
Posted At: Tuesday, November 25, 2003 8:28 AM
Posted To: Exchange Discussion
Conversation: OWA Design Question
Subject: RE: OWA Design Question

If you publish OWA through ISA, all you need to open outbound to the internet is 80 and/or 443 for OWA to function. If you place a FE server in the DMZ you still have to open 80 and/or 443 outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your BE Exchange servers. At least that is the way I understand it.

- Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF "Using Microsoft Exchange 2000 Front-End Servers" trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advanced Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall. Of course Microsoft recommends the Advanced Firewall Scenario (ISA Server).

My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-Original Message-
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL
RE: OWA Design Question
Only allow the front-end servers to talk to the domain controllers/GCs/DNS servers instead of just opening ports 389, 88, 53, etc. from the entire DMZ to the internal network.

Sincerely,
Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:34 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

It is my understanding that even if I publish OWA through ISA I still have to open 389, 88, and 53 (if we don't use host files) to our network for authentication. So it seems that I will just save myself from opening ports for GC Queries and RPC Traffic.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bailey, Matthew
Posted At: Tuesday, November 25, 2003 8:28 AM
Posted To: Exchange Discussion
Conversation: OWA Design Question
Subject: RE: OWA Design Question

If you publish OWA through ISA, all you need to open outbound to the internet is 80 and/or 443 for OWA to function. If you place a FE server in the DMZ you still have to open 80 and/or 443 outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your BE Exchange servers. At least that is the way I understand it.

- Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF "Using Microsoft Exchange 2000 Front-End Servers" trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advanced Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall. Of course Microsoft recommends the Advanced Firewall Scenario (ISA Server).

My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-Original Message-
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: Exchange 2003 OWA segmentation feature
Date: Mon, 11 Aug 2003 11:01:25 -1000

Hi everyone:

I'm looking for some information on a feature in Exchange 2003 and I have used up all of my ideas on how to find out more info. It was called OWA segmentation in Exchange 2000 and was introduced in Exchange 2000 SP2. It allowed you to turn off public folders, the calendar, contacts, etc. for certain users. This was either a registry
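
The scoping advice at the top of the message above (let only the front-end servers reach the DCs/GCs/DNS servers, rather than opening 389, 88, 53 and the rest from the entire DMZ) can be checked mechanically against a rule export. The following Python audit is an added example, not part of any list post: the rule format, the addresses and the finding names are assumptions made for illustration, and the sample rules are constructed.

```python
"""Audit DMZ-to-internal firewall rules for an Exchange front-end server.

Added example: rule format, addresses and finding names are assumptions,
not the syntax of ISA Server or of any other firewall product.
"""
import ipaddress
from dataclasses import dataclass

# Ports the thread lists between a perimeter front-end and the internal network.
THREAD_PORTS = {
    389: "LDAP",
    3268: "global catalog",
    88: "Kerberos",
    53: "DNS",
    135: "RPC endpoint mapper",
}
RPC_DYNAMIC_START = 1024  # the "1024+" range needed when RPC is not statically mapped


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # source CIDR on the DMZ side
    dst: str    # destination CIDR on the internal side
    ports: str  # single port ("389") or inclusive range ("1024-65535")


def parse_ports(spec):
    """Return (low, high) for a single port or a low-high range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def _single_host_in(cidr, allowed):
    """True only for a one-address network whose address is in the allowed set."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses == 1 and net.network_address in allowed


def audit(rules, fe_hosts, infra_hosts):
    """Map rule name -> findings for rules touching the thread's ports."""
    fe = {ipaddress.ip_address(h) for h in fe_hosts}
    infra = {ipaddress.ip_address(h) for h in infra_hosts}
    report = {}
    for rule in rules:
        lo, hi = parse_ports(rule.ports)
        named = [p for p in THREAD_PORTS if lo <= p <= hi]
        dynamic = hi > lo and hi >= RPC_DYNAMIC_START
        if not named and not dynamic:
            continue  # e.g. the 80/443 publishing rules are out of scope here
        findings = []
        if not _single_host_in(rule.src, fe):
            findings.append("broad-source")        # more than the front-end host
        if not _single_host_in(rule.dst, infra):
            findings.append("broad-destination")   # more than a named DC/GC/DNS/BE host
        if dynamic:
            findings.append("dynamic-rpc-range")   # candidate for a static RPC port
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample data (documentation and private address ranges).
FE_HOSTS = ["192.0.2.10"]
INFRA_HOSTS = ["10.0.0.5", "10.0.0.6", "10.0.0.20"]
SAMPLE_RULES = [
    Rule("dmz-any-ldap", "192.0.2.0/24", "10.0.0.0/8", "389"),
    Rule("dmz-any-gc", "192.0.2.0/24", "10.0.0.5/32", "3268"),
    Rule("fe-dc-kerberos", "192.0.2.10/32", "10.0.0.5/32", "88"),
    Rule("fe-dns", "192.0.2.10/32", "10.0.0.6/32", "53"),
    Rule("fe-be-rpc", "192.0.2.10/32", "10.0.0.20/32", "1024-65535"),
    Rule("fe-be-epm", "192.0.2.10/32", "10.0.0.20/32", "135"),
    Rule("inet-https", "0.0.0.0/0", "192.0.2.10/32", "443"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES, FE_HOSTS, INFRA_HOSTS).items():
        print(f"{name}: {', '.join(findings)}")
```
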
RE: OWA Design Question
Do the users eventually get a case of keyphobia? :)

-----Original Message-----
From: Schwartz, Jim [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:36 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

You can use ISA. It's not that hard to set up and works well. Added bonus for those with the need is the ability to add RSA authentication to the ISA server. Users must use a key fob to authenticate before they even get to the OWA boxes. You can also use another type of proxy server (Squid for instance) to proxy the connection from the DMZ.

-----Original Message-----
From: Bailey, Matthew [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:28 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

If you publish OWA through ISA, all you need to open outbound to the internet is 80 and/or 443 for OWA to function. If you place a FE server in the DMZ you still have to open 80 and/or 443 outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your BE Exchange servers. At least that is the way I understand it.

- Matt

-----Original Message-----
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000 Front-End Servers trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advance Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall.

Of course Microsoft recommends the Advance Firewall Scenario (ISA Server). My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure. Any help would be greatly appreciated.

Rick sends

-----Original Message-----
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-----Original Message-----
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-----Original Message-----
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: Exchange 2003 OWA segmentation feature
Date: Mon, 11 Aug 2003 11:01:25 -1000

Hi everyone:

I'm looking for some information on a feature in Exchange 2003 and I have used up all of my ideas on how to find out more info. It was called OWA segmentation in Exchange 2000 and was introduced in Exchange 2000 SP2. It allowed you to turn off public folders, the calendar, contacts, etc. for certain users. This was either a registry key or an attribute you had to add to the W2K AD. However, it is included in E2K3's schema extensions. However, I cannot find ANY information on the actual values. It is essentially a bit mask
OWA Design Question
Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000 Front-End Servers trying to get a feel for how I should set up OWA access from the internet for my company. Currently we have an Exchange 5.5 OWA server in a DMZ with port 443 open from the internet or external side and on the internal side open to the DC's and Exchange Servers... I know, I know, not very secure. The document gives me several scenarios but the ones I am interested in are Front-End Server in a Perimeter Network and Advance Firewall in a Perimeter Network. With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or statically map the RPC service Port. This seems easy enough to do but it sucks having to swiss cheese the firewall.

Of course Microsoft recommends the Advance Firewall Scenario (ISA Server). My question is has anyone set up ISA in a DMZ? Is it better? What are the benefits? I still have to have ports 389, 88, 53, and 443 open for authentication and such so what do I gain except for not having to open up RPC ports? I am looking at this from the perspective of talking management into spending the $3000 on the software... belts are tight so there really has to be a good reason. And we already have a proxy server and management doesn't want to replace it so this would be specific to making OWA access more secure. Any help would be greatly appreciated.

Rick sends

-----Original Message-----
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp

Jeff

-----Original Message-----
From: McBee, Jim [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 5:18 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Hee hee hee I think I have that book somewhere... Actually, the settings have changed between E2K and E2K3. I think there are a few more things you can turn on/off in E2K3. Unfortunately, no one seems to know what the settings are.

Thanks,
Jim

-----Original Message-----
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Posted At: Monday, August 11, 2003 11:34 AM
Posted To: Exchange Technical Mailing List
Conversation: Exchange 2003 OWA segmentation feature
Subject: Re: Exchange 2003 OWA segmentation feature

Yes it's a registry key that is set. When set affects all users of that domain however you can also set for an individual that will override the system setting. 1024 is for all folders to show up. I have the settings at work but are also available on MS's site via http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you need the exact settings they are in the book Exchange 24/7 by Jim McBee

From: McBee, Jim [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: Exchange 2003 OWA segmentation feature
Date: Mon, 11 Aug 2003 11:01:25 -1000

Hi everyone:

I'm looking for some information on a feature in Exchange 2003 and I have used up all of my ideas on how to find out more info. It was called OWA segmentation in Exchange 2000 and was introduced in Exchange 2000 SP2. It allowed you to turn off public folders, the calendar, contacts, etc. for certain users. This was either a registry key or an attribute you had to add to the W2K AD. However, it is included in E2K3's schema extensions. However, I cannot find ANY information on the actual values. It is essentially a bit mask, but I can't figure out what the bits mean. Below is the only text I have been able to find on it, and this was in the release notes.

The schema attribute name is: msExchMailboxFolderSet

I have a customer that is using this in E2K and we are building a 'proof-of-concept' lab for E2K3 and we cannot get this to work. It is driving me crazy and I'm almost thinking I need to open up a PSS incident just to get the documentation on this feature. I was hoping you might be able to find more documentation on this. Any ideas?

Thanks,
Jim McBee

Per-user Feature Segmentation in Outlook Web Access May Require Modification of User Object to Use All Features

Outlook Web Access allows you to enable specific sets of features on a server or for individual users. For example, you can enable only Calendar and Messaging. To set this feature segmentation per user, you modify the msExchMailboxFolderSet attribute on the User object in Active Directory. The value of this attribute determines which features are available to the user. In Exchange 2000, the decimal value for enabling all features on a per-user basis was 1023 (or 0x3FF in hexadecimal). In Exchange 2003, the value has changed. The new
RE: Exchange 2003 OWA Flaw?
This has taken a new turn... http://www.infoworld.com/article/03/11/21/HNmsflaw_1.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woodruff, Michael
Sent: Friday, November 21, 2003 9:25 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

Not that I am aware of. My boss just passed it on to me. I'm not a participant in that list. I just thought it was odd since that would be a huge flaw and Microsoft or anyone for that matter has said nothing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 11:18 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

All seriousness aside, I know nothing about this issue. I'm inferring from the other responses to this thread that if two MVPs have no knowledge of the issue it probably doesn't exist. Mike W: Were there any follow-up posts on NTBUGTRAQ about this?

-----Original Message-----
From: Erik Sojka
Sent: Friday, November 21, 2003 11:15 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I saw a posting about it on NTBUGTRAQ.COM. Some guy had to shut off OWA indefinitely because of the issue.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

So you have seen this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 8:12 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

That's because Microsoft knows of the issue but does not have a fix yet.

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I have not heard of it...

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Posted At: Friday, November 21, 2003 10:57 AM
Posted To: Exchange (Swynk)
Conversation: Exchange 2003 OWA Flaw?
Subject: Exchange 2003 OWA Flaw?

Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/

-----
Marcus Ranum's new book The Myth of Homeland Security is now out and is available from http://www.amazon.com/ranum In this hard-hitting review of the homeland security business, Ranum shows us how the problem is vastly harder than it's being made to sound, and how special interests, butt covering, and bureaucracy are threatening to derail any chance of making progress.
-----
RE: Exchange 2003 OWA Flaw?
But... A preliminary investigation by Microsoft indicated that the issue occurs only with Kerberos authentication disabled, which the vendor said is uncommon. "We recommend that our customers ensure that Kerberos authentication is enabled, which is the default configuration," Microsoft said in a statement Friday.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone
Sent: Saturday, November 22, 2003 11:22 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

This has taken a new turn... http://www.infoworld.com/article/03/11/21/HNmsflaw_1.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woodruff, Michael
Sent: Friday, November 21, 2003 9:25 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

Not that I am aware of. My boss just passed it on to me. I'm not a participant in that list. I just thought it was odd since that would be a huge flaw and Microsoft or anyone for that matter has said nothing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 11:18 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

All seriousness aside, I know nothing about this issue. I'm inferring from the other responses to this thread that if two MVPs have no knowledge of the issue it probably doesn't exist. Mike W: Were there any follow-up posts on NTBUGTRAQ about this?

-----Original Message-----
From: Erik Sojka
Sent: Friday, November 21, 2003 11:15 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I saw a posting about it on NTBUGTRAQ.COM. Some guy had to shut off OWA indefinitely because of the issue.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

So you have seen this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 8:12 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

That's because Microsoft knows of the issue but does not have a fix yet.

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I have not heard of it...

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Posted At: Friday, November 21, 2003 10:57 AM
Posted To: Exchange (Swynk)
Conversation: Exchange 2003 OWA Flaw?
Subject: Exchange 2003 OWA Flaw?

Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/
RE: Exchange 2003 OWA Flaw?
But, one could argue that this should have been a documented scenario... I'm not saying one way or the other. Just that it has taken an interesting turn.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David N. Precht
Sent: Saturday, November 22, 2003 9:05 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

But... A preliminary investigation by Microsoft indicated that the issue occurs only with Kerberos authentication disabled, which the vendor said is uncommon. "We recommend that our customers ensure that Kerberos authentication is enabled, which is the default configuration," Microsoft said in a statement Friday.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone
Sent: Saturday, November 22, 2003 11:22 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

This has taken a new turn... http://www.infoworld.com/article/03/11/21/HNmsflaw_1.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Woodruff, Michael
Sent: Friday, November 21, 2003 9:25 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

Not that I am aware of. My boss just passed it on to me. I'm not a participant in that list. I just thought it was odd since that would be a huge flaw and Microsoft or anyone for that matter has said nothing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 11:18 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

All seriousness aside, I know nothing about this issue. I'm inferring from the other responses to this thread that if two MVPs have no knowledge of the issue it probably doesn't exist. Mike W: Were there any follow-up posts on NTBUGTRAQ about this?

-----Original Message-----
From: Erik Sojka
Sent: Friday, November 21, 2003 11:15 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I saw a posting about it on NTBUGTRAQ.COM. Some guy had to shut off OWA indefinitely because of the issue.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

So you have seen this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 8:12 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

That's because Microsoft knows of the issue but does not have a fix yet.

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I have not heard of it...

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Posted At: Friday, November 21, 2003 10:57 AM
Posted To: Exchange (Swynk)
Conversation: Exchange 2003 OWA Flaw?
Subject: Exchange 2003 OWA Flaw?

Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/
Exchange 2003 OWA Flaw?
Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/
RE: Exchange 2003 OWA Flaw?
I have not heard of it...

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Posted At: Friday, November 21, 2003 10:57 AM
Posted To: Exchange (Swynk)
Conversation: Exchange 2003 OWA Flaw?
Subject: Exchange 2003 OWA Flaw?

Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/
RE: Exchange 2003 OWA Flaw?
That's because Microsoft knows of the issue but does not have a fix yet.

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I have not heard of it...

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Posted At: Friday, November 21, 2003 10:57 AM
Posted To: Exchange (Swynk)
Conversation: Exchange 2003 OWA Flaw?
Subject: Exchange 2003 OWA Flaw?

Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/
RE: Exchange 2003 OWA Flaw?
So you have seen this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Friday, November 21, 2003 8:12 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

That's because Microsoft knows of the issue but does not have a fix yet.

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 11:10 AM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA Flaw?

I have not heard of it...

Ben Winzenz
Network Engineer
Gardner White
(317) 581-1580 ext 418

-----Original Message-----
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Posted At: Friday, November 21, 2003 10:57 AM
Posted To: Exchange (Swynk)
Conversation: Exchange 2003 OWA Flaw?
Subject: Exchange 2003 OWA Flaw?

Is this BS or has anyone else heard of this flaw?

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft. This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.

Matthew Johnson CCNA Network Administrator
Investment Scorecard, Inc.
615.301.7611 [EMAIL PROTECTED]
www.investmentscorecard.com http://www.investmentscorecard.com/