RE: OWA users logging into wrong Mailbox

2004-01-09 Thread MS Exchange List

Hello,

Bug / Setup quirk:

http://www.microsoft.com/exchange/support/e2k3owa.asp

(posted earlier to this list by David Lemson, 11/27/03)

Brent

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
[MVP]
Posted At: Thursday, January 08, 2004 6:31 PM
Posted To: MS Exchange List
Conversation: OWA users logging into wrong Mailbox
Subject: RE: OWA users logging into wrong Mailbox


What bug are you aware of?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of MS Exchange
List
Sent: Thursday, January 08, 2004 5:25 PM
To: Exchange Discussions
Subject: OWA users logging into wrong Mailbox


Hello,

FWIW:

We just had a situation where some users were complaining that when they
logged into OWA they were getting other users' Mailboxes.  I'm aware of a
bug like this in 2003, but we're running E2K.

Turned out a WEB Cache had been put on one part of a remote network.

This did not affect people who came in over https, just http non-ssl
connections.

Brent

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchangetext_mode=;
lang
=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]

To unsubscribe via postal mail, please contact us at: Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
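
Added example, not part of the thread: one way a shared web cache can hand one user's mailbox page to another over plain HTTP. A cache that keys stored responses on the URL alone is compared with one that applies the standard shared-cache storage rules for authenticated requests. The host name, users, tokens and response headers are constructed, and how the cache in the thread was actually configured is not known. A cache on the network path cannot read responses inside a TLS session, which is consistent with the HTTPS users being unaffected.

```python
# Added example (not from the thread). All hosts, users and headers are constructed.

def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Decide whether a shared cache may store a response for reuse by other clients.

    Covers only the directives relevant here: no-store, private, and the rule
    that a response to a request carrying Authorization is not stored unless
    it is marked public, must-revalidate or s-maxage. Freshness is not modelled.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    req_cc = parse_cache_control(req.get("cache-control"))
    resp_cc = parse_cache_control(resp.get("cache-control"))

    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store present"
    if "private" in resp_cc:
        return False, "response is private to one user"
    if "authorization" in req:
        if not ({"public", "must-revalidate", "s-maxage"} & set(resp_cc)):
            return False, "authenticated request, response not marked shareable"
    return True, "no directive forbids shared storage"


def mail_origin(url, request_headers):
    """Constructed stand-in for a web mail front end.

    The body depends on who authenticated, and (as an assumption) the server
    sends no Cache-Control header at all.
    """
    user = request_headers["Authorization"].split()[-1]
    return {"Content-Type": "text/html"}, "inbox of " + user


class SharedCache:
    """A cache sitting between several users and the origin, keyed by URL."""

    def __init__(self, origin, enforce_rules):
        self.origin = origin
        self.enforce_rules = enforce_rules
        self.store = {}

    def fetch(self, url, request_headers):
        if url in self.store:
            # Hit: the requester's identity is never consulted.
            return self.store[url]
        response_headers, body = self.origin(url, request_headers)
        allowed, _reason = shared_cache_may_store(request_headers, response_headers)
        if allowed or not self.enforce_rules:
            self.store[url] = body
        return body


def demo():
    """Two users request the same mailbox URL through each kind of cache."""
    url = "http://mail.example.test/exchange/"  # constructed URL
    results = {}
    for label, enforce in (("url_keyed_cache", False), ("rule_following_cache", True)):
        cache = SharedCache(mail_origin, enforce)
        first = cache.fetch(url, {"Authorization": "Basic alice"})
        second = cache.fetch(url, {"Authorization": "Basic bob"})
        results[label] = (first, second)
    return results


if __name__ == "__main__":
    for label, (first, second) in demo().items():
        print(label, "| alice sees:", first, "| bob sees:", second)
```

On the server side, sending `Cache-Control: private` or `no-store` on authenticated pages gives a rule-following cache an explicit reason not to store them.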





RE: OWA users logging into wrong Mailbox

2004-01-08 Thread Ed Crowley [MVP]
What bug are you aware of?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of MS Exchange List
Sent: Thursday, January 08, 2004 5:25 PM
To: Exchange Discussions
Subject: OWA users logging into wrong Mailbox


Hello,

FWIW:

We just had a situation where some users were complaining that when they
logged into OWA they were getting other users' Mailboxes.  I'm aware of a bug
like this in 2003, but we're running E2K.

Turned out a WEB Cache had been put on one part of a remote network.

This did not affect people who came in over https, just http non-ssl
connections.

Brent




RE: OWA 5.5 - Active Directory

2004-01-07 Thread Miller, Robert
That is a good question... We are a Law Firm and we have several
attorneys that refuse to give up the Exchange 5.5 OWA - they state
Exchange 2000 OWA is too slow and unusable... So, we wanted to offer up
both for a period of time - to slowly wean them away from 5.5, while
still switching to native mode. On the other hand we have several
other folks who love the new OWA and its rich feature set... Is the
dumbing down of OWA 2000 done on a per user basis, or is it all or
nothing?

Thanks

 -Original Message-
 From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 06, 2004 2:56 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5 - Active Directory
 
 
 When you go native, what are you going to need 5.5 OWA for?
 
 Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's
 what Netscape browsers see when they connect to 2000 OWA)
 
 -Original Message-
 From: Miller, Robert [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, January 06, 2004 3:50 PM
 To: Exchange Discussions
 Subject: OWA 5.5 - Active Directory
 
 All,
 
 We just finished migrating all of our Exchange 5.5 servers to Exchange
 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers
 online, pointing to an Active Directory servers for lookups. I also have
 3 Exchange 2000 Front End servers online serving up OWA 2000. And to
 clarify, I have a requirement to keep both versions of OWA running for
 an extended period of time. The current configuration works quite well.
 I would like to begin the steps of going to native mode. My question is
 - when I flip the switch to native mode is there any chance that the 5.5
 OWA functionality will break? I spoke with Microsoft regarding this and
 the final conclusion was that they had no idea... I am in the process of
 building up a native mode environment in the lab to test this, but
 figured I would throw it out to the list in hopes that someone else has
 already tried this
 
 TIA
 



RE: OWA 5.5 - Active Directory

2004-01-07 Thread Miller, Robert
Thanks for the reply... I actually confirmed just that last night in the
lab. I brought up a separate native mode environment with an OWA 5.5
server.. New users were not able to access their mailboxes, while users
created before the switch continued to work

Thanks again

 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 06, 2004 3:13 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5 - Active Directory
 
 
 If you mean native mode Exchange, then yes, OWA 5.5 will break. It will
 still work for user IDs that were created BEFORE you went native, but
 will not work for users created AFTER you go native. I think the ADC
 might be involved in this equation somehow, but I remember this problem
 bit us hard.
 
 OWA 5.5 needs some attributes set in AD which no longer get set after
 you go native (or was it after you stop ADC - can't remember).
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov,
 Andrey
 Sent: Tuesday, January 06, 2004 3:56 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5 - Active Directory
 
 
 When you go native, what are you going to need 5.5 OWA for?
 
 Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's
 what Netscape browsers see when they connect to 2000 OWA)
 
 -Original Message-
 From: Miller, Robert [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, January 06, 2004 3:50 PM
 To: Exchange Discussions
 Subject: OWA 5.5 - Active Directory
 
 All,
 
 We just finished migrating all of our Exchange 5.5 servers to Exchange
 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers
 online, pointing to an Active Directory servers for lookups. I also have
 3 Exchange 2000 Front End servers online serving up OWA 2000. And to
 clarify, I have a requirement to keep both versions of OWA running for
 an extended period of time. The current configuration works quite well.
 I would like to begin the steps of going to native mode. My question is
 - when I flip the switch to native mode is there any chance that the 5.5
 OWA functionality will break? I spoke with Microsoft regarding this and
 the final conclusion was that they had no idea... I am in the process of
 building up a native mode environment in the lab to test this, but
 figured I would throw it out to the list in hopes that someone else has
 already tried this
 
 TIA
 



RE: OWA 5.5 - Active Directory

2004-01-07 Thread Ed Crowley [MVP]
OWA 200x dumbs down based on the version of the browser.  However, it
doesn't look like OWA 5.5.

Maybe this is the excuse you need to upgrade to Exchange 2003.  OWA 2003
rocks!

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Miller, Robert
Sent: Wednesday, January 07, 2004 8:01 AM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

That is a good question... We are a Law Firm and we have several attorneys
that refuse to give up the Exchange 5.5 OWA - they state Exchange 2000 OWA
is too slow and unusable... So, we wanted to offer up both for a period of
time - to slowly wean them away from 5.5, while still switching to native
mode. On the other hand we have several other folks who love the new OWA
and its rich feature set... Is the dumbing down of OWA 2000 done on a per
user basis, or is it all or nothing?

Thanks

 -Original Message-
 From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 06, 2004 2:56 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5 - Active Directory
 
 
 When you go native, what are you going to need 5.5 OWA for?
 
 Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA 
 (that's what Netscape browsers see when they connect to 2000 OWA)
 
 -Original Message-
 From: Miller, Robert [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 06, 2004 3:50 PM
 To: Exchange Discussions
 Subject: OWA 5.5 - Active Directory
 
 All,
 
 We just finished migrating all of our Exchange 5.5 servers to Exchange
 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers
 online, pointing to an Active Directory servers for lookups. I also have
 3 Exchange 2000 Front End servers online serving up OWA 2000. And to
 clarify, I have a requirement to keep both versions of OWA running for
 an extended period of time. The current configuration works quite well.
 I would like to begin the steps of going to native mode. My question is
 - when I flip the switch to native mode is there any chance that the 5.5
 OWA functionality will break? I spoke with Microsoft regarding this and
 the final conclusion was that they had no idea... I am in the process of
 building up a native mode environment in the lab to test this, but
 figured I would throw it out to the list in hopes that someone else has
 already tried this
 
 TIA
 



RE: OWA 5.5 - Active Directory

2004-01-07 Thread Fyodorov, Andrey
It does not look exactly like 5.5 OWA but retains the same feel and
probably loads faster.

Another way to dumb down 2000 OWA is segmentation. You basically go to
ADSI Edit, go to the user's properties, and find the certain field
(can't remember its name off the top of my head), and set its value to a
certain number. There are different number combinations that will cause
only certain folders to show up in OWA. For example you can limit OWA to
only display Inbox, Sent Items, and Calendar.

Search Google for OWA segmentation.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 07, 2004 11:56 AM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

OWA 200x dumbs down based on the version of the browser.  However, it
doesn't look like OWA 5.5.

Maybe this is the excuse you need to upgrade to Exchange 2003.  OWA 2003
rocks!

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Miller, Robert
Sent: Wednesday, January 07, 2004 8:01 AM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory

That is a good question... We are a Law Firm and we have several attorneys
that refuse to give up the Exchange 5.5 OWA - they state Exchange 2000 OWA
is too slow and unusable... So, we wanted to offer up both for a period of
time - to slowly wean them away from 5.5, while still switching to native
mode. On the other hand we have several other folks who love the new OWA
and its rich feature set... Is the dumbing down of OWA 2000 done on a per
user basis, or is it all or nothing?

Thanks

 -Original Message-
 From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 06, 2004 2:56 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5 - Active Directory
 
 
 When you go native, what are you going to need 5.5 OWA for?
 
 Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA 
 (that's what Netscape browsers see when they connect to 2000 OWA)
 
 -Original Message-
 From: Miller, Robert [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 06, 2004 3:50 PM
 To: Exchange Discussions
 Subject: OWA 5.5 - Active Directory
 
 All,
 
 We just finished migrating all of our Exchange 5.5 servers to Exchange
 2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers
 online, pointing to an Active Directory servers for lookups. I also have
 3 Exchange 2000 Front End servers online serving up OWA 2000. And to
 clarify, I have a requirement to keep both versions of OWA running for
 an extended period of time. The current configuration works quite well.
 I would like to begin the steps of going to native mode. My question is
 - when I flip the switch to native mode is there any chance that the 5.5
 OWA functionality will break? I spoke with Microsoft regarding this and
 the final conclusion was that they had no idea... I am in the process of
 building up a native mode environment in the lab to test this, but
 figured I would throw it out to the list in hopes that someone else has
 already tried this
 
 TIA
 

RE: OWA 5.5 - Active Directory

2004-01-06 Thread Fyodorov, Andrey
When you go native, what are you going to need 5.5 OWA for?

Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's
what Netscape browsers see when they connect to 2000 OWA)

-Original Message-
From: Miller, Robert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange
2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers
online, pointing to an Active Directory servers for lookups. I also have
3 Exchange 2000 Front End servers online serving up OWA 2000. And to
clarify, I have a requirement to keep both versions of OWA running for
an extended period of time. The current configuration works quite well.
I would like to begin the steps of going to native mode. My question is
- when I flip the switch to native mode is there any chance that the 5.5
OWA functionality will break? I spoke with Microsoft regarding this and
the final conclusion was that they had no idea... I am in the process of
building up a native mode environment in the lab to test this, but
figured I would throw it out to the list in hopes that someone else has
already tried this

TIA



RE: OWA 5.5 - Active Directory

2004-01-06 Thread Ken Cornetet
If you mean native mode Exchange, then yes, OWA 5.5 will break. It will
still work for user IDs that were created BEFORE you went native, but
will not work for users created AFTER you go native. I think the ADC
might be involved in this equation somehow, but I remember this problem
bit us hard.

OWA 5.5 needs some attributes set in AD which no longer get set after
you go native (or was it after you stop ADC - can't remember).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov,
Andrey
Sent: Tuesday, January 06, 2004 3:56 PM
To: Exchange Discussions
Subject: RE: OWA 5.5 - Active Directory


When you go native, what are you going to need 5.5 OWA for?

Besides, you can dumb down 2000 OWA to make it feel like 5.5 OWA (that's
what Netscape browsers see when they connect to 2000 OWA)

-Original Message-
From: Miller, Robert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 06, 2004 3:50 PM
To: Exchange Discussions
Subject: OWA 5.5 - Active Directory

All,

We just finished migrating all of our Exchange 5.5 servers to Exchange
2000, and are still in mixed mode. I have my 3 original OWA 5.5 servers
online, pointing to an Active Directory servers for lookups. I also have
3 Exchange 2000 Front End servers online serving up OWA 2000. And to
clarify, I have a requirement to keep both versions of OWA running for
an extended period of time. The current configuration works quite well.
I would like to begin the steps of going to native mode. My question is
- when I flip the switch to native mode is there any chance that the 5.5
OWA functionality will break? I spoke with Microsoft regarding this and
the final conclusion was that they had no idea... I am in the process of
building up a native mode environment in the lab to test this, but
figured I would throw it out to the list in hopes that someone else has
already tried this

TIA



RE: OWA - File not found when logging out

2003-12-22 Thread Pat Richard
Okay, bad, bad evil things just happened. I re-ran the IISLockdown tool to
undo the normal settings. Now, NO ONE can get logged into OWA, including
Admin. I just keep getting prompted for user/pass. Outlook still works fine,
and mail still seems to be flowing. Remote users are burning up the phone
line

I checked the permissions on the files before doing this, and everything
looked fine. Is there a way to reinstall OWA on SBS without a lot of grief? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edgington, Jeff
Sent: Thursday, December 18, 2003 1:00 PM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

This is definitely a permissions problem (we had the same trouble)... I
remember having to modify the permission on this file... but I will need to
look for my notes.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Thursday, December 18, 2003 9:36 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

404 errors like that might be related to URLScan.  Do you have that
installed?  If so, the default settings on URLscan shouldn't clobber the
logoff.asp page though...

 -Original Message-
 From: Pat Richard [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 9:37 AM
 To: Exchange Discussions
 Subject: OWA - File not found when logging out
 
 
 Greetings!
 
 We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the
 post SP3 rollup are installed.
 
 For some reason, when logging out of OWA, the logout page (To complete
 the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES
 exist in the folder, it's just not displayed, with the server reporting
 it as a 404 error. All other features of OWA work fine (as far as I can
 tell - no reported issues).
 
 Anyone seen this before? I'm not aware of anyone tinkering with the
 server, and the IIS stuff looks ok.
 
 I've tried Googling and KB'ing this, but didn't come up with anything.
 
 Thoughts, comments, suggestions, and death threats are all welcome.
 


RE: OWA - File not found when logging out

2003-12-22 Thread Pat Richard
Okay

Got things pretty much squared away by restarting all the services including
System Attendant, and it looks like everyone can get logged in. The one
remaining issue is that one user has several (4-5 afaik) emails in his Inbox
that come up as FILE NOT FOUND when viewing them in OWA. They all have valid
subjects, etc. I'm checking into that further

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pat Richard
Sent: Monday, December 22, 2003 1:03 PM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

Okay, bad, bad evil things just happened. I re-ran the IISLockdown tool to
undo the normal settings. Now, NO ONE can get logged into OWA, including
Admin. I just keep getting prompted for user/pass. Outlook still works fine,
and mail still seems to be flowing. Remote users are burning up the phone
line

I checked the permissions on the files before doing this, and everything
looked fine. Is there a way to reinstall OWA on SBS without a lot of grief? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edgington, Jeff
Sent: Thursday, December 18, 2003 1:00 PM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

This is definitely a permissions problem (we had the same trouble)... I
remember having to modify the permission on this file... but I will need to
look for my notes.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Erik Sojka
Sent: Thursday, December 18, 2003 9:36 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out

404 errors like that might be related to URLScan.  Do you have that
installed?  If so, the default settings on URLscan shouldn't clobber the
logoff.asp page though...

 -Original Message-
 From: Pat Richard [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 18, 2003 9:37 AM
 To: Exchange Discussions
 Subject: OWA - File not found when logging out
 
 
 Greetings!
 
 We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the
 post SP3 rollup are installed.
 
 For some reason, when logging out of OWA, the logout page (To complete
 the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES
 exist in the folder, it's just not displayed, with the server reporting
 it as a 404 error. All other features of OWA work fine (as far as I can
 tell - no reported issues).
 
 Anyone seen this before? I'm not aware of anyone tinkering with the
 server, and the IIS stuff looks ok.
 
 I've tried Googling and KB'ing this, but didn't come up with anything.
 
 Thoughts, comments, suggestions, and death threats are all welcome.
 


RE: OWA - File not found when logging out

2003-12-18 Thread Bowles, John (OIG/OMP)
You must Die for asking a Technical question rather than an ethics question on this 
board.  :)

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out


Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the
post SP3 rollup are installed.

For some reason, when logging out of OWA, the logout page (To complete
the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES
exist in the folder, it's just not displayed, with the server reporting
it as a 404 error. All other features of OWA work fine (as far as I can
tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the
server, and the IIS stuff looks ok.

I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.



RE: OWA - File not found when logging out

2003-12-18 Thread Fyodorov, Andrey
Could it be a permissions issue (NTFS permissions on the file)?

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Pat Richard [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out

Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the
post SP3 rollup are installed.

For some reason, when logging out of OWA, the logout page (To complete
the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES
exist in the folder, it's just not displayed, with the server reporting
it as a 404 error. All other features of OWA work fine (as far as I can
tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the
server, and the IIS stuff looks ok.

I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.



RE: OWA - File not found when logging out

2003-12-18 Thread Chinnery, Paul
ROLMAO
thanks, John, that was a good one.

Paul Chinnery
Network Administrator
Mem Med Ctr


-Original Message-
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 9:39 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out


You must Die for asking a Technical question rather than an ethics question on this 
board.  :)

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out


Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the
post SP3 rollup are installed.

For some reason, when logging out of OWA, the logout page (To complete
the logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES
exist in the folder, it's just not displayed, with the server reporting
it as a 404 error. All other features of OWA work fine (as far as I can
tell - no reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the
server, and the IIS stuff looks ok.

I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.



RE: OWA - File not found when logging out

2003-12-18 Thread Eric Fretz
Gawd, don't get that thread started up again!  While reading the last few
Deckerisms, for a moment I actually lost the will to live.  


Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 8:39 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out


You must Die for asking a Technical question rather than an ethics question
on this board.  :)

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out


Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post
SP3 rollup are installed.

For some reason, when logging out of OWA, the logout page (To complete the
logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist
in the folder, it's just not displayed, with the server reporting it as a
404 error. All other features of OWA work fine (as far as I can tell - no
reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server,
and the IIS stuff looks ok.

I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.



RE: OWA - File not found when logging out

2003-12-18 Thread Eric Fretz
You should probably open the IIS admin snap-in and check the permissions on
the file.  I think that it probably needs script execute access.  Although
I'm not sure how that could have gotten messed up.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Pat Richard [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 8:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out


Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post
SP3 rollup are installed.

For some reason, when logging out of OWA, the logout page (To complete the
logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist
in the folder, it's just not displayed, with the server reporting it as a
404 error. All other features of OWA work fine (as far as I can tell - no
reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server,
and the IIS stuff looks ok.

I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.



RE: OWA - File not found when logging out

2003-12-18 Thread Bowles, John (OIG/OMP)
I know, I started deleting the whole string as they filed in one by one.  Tired of 
hearing someone trying to preach over the internet.  Get a damn life man.

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric Fretz
Sent: Thursday, December 18, 2003 10:25 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out


Gawd, don't get that thread started up again!  While reading the last few
Deckerisms, for a moment I actually lost the will to live.  


Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 8:39 AM
To: Exchange Discussions
Subject: RE: OWA - File not found when logging out


You must Die for asking a Technical question rather than an ethics question
on this board.  :)

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pat Richard
Sent: Thursday, December 18, 2003 9:37 AM
To: Exchange Discussions
Subject: OWA - File not found when logging out


Greetings!

We've got a client with a fairly new 2000 SBS box. Exchange SP3 and the post
SP3 rollup are installed.

For some reason, when logging out of OWA, the logout page (To complete the
logout) is missing. The file (/exchweb/bin/USA/logoff.asp) DOES exist
in the folder, it's just not displayed, with the server reporting it as a
404 error. All other features of OWA work fine (as far as I can tell - no
reported issues).

Anyone seen this before? I'm not aware of anyone tinkering with the server,
and the IIS stuff looks ok.

I've tried Googling and KB'ing this, but didn't come up with anything.

Thoughts, comments, suggestions, and death threats are all welcome.



RE: OWA - File not found when logging out

2003-12-18 Thread Erik Sojka
404 errors like that might be related to URLScan.  Do you have that
installed?  If so, the default settings on URLscan shouldn't clobber the
logoff.asp page though...

 -Original Message-
 From: Pat Richard [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 18, 2003 9:37 AM
 To: Exchange Discussions
 Subject: OWA - File not found when logging out
 
 
 Greetings!
 
 We've got a client with a fairly new 2000 SBS box. Exchange 
 SP3 and the
 post SP3 rollup are installed.
 
 For some reason, when logging out of OWA, the logout page 
 (To complete
 the logout) is missing. The file 
 (/exchweb/bin/USA/logoff.asp) DOES
 exist in the folder, it's just not displayed, with the server 
 reporting
 it as a 404 error. All other features of OWA work fine (as 
 far as I can
 tell - no reported issues).
 
 Anyone seen this before? I'm not aware of anyone tinkering with the
 server, and the IIS stuff looks ok.
 
 I've tried Googling and KB'ing this, but didn't come up with anything.
 
 Thoughts, comments, suggestions, and death threats are all 
 welcome.
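
An added example, not part of the original posts and not URLScan's own code: a simplified model of URLScan's extension and URL-sequence checks, run over a constructed urlscan.ini, to see whether a request for /exchweb/bin/USA/logoff.asp would be rejected (URLScan answers rejected requests with a 404 by default). The sample ini, the other request paths and the function names are assumptions made for illustration.

```python
import posixpath

# Constructed urlscan.ini for illustration (not from the thread or a real server).
# It models a hardened profile in which the .asp extension has been denied.
SAMPLE_INI = r"""
[options]
UseAllowExtensions=0        ; 0 = use [DenyExtensions], 1 = use [AllowExtensions]

[DenyExtensions]
.exe
.bat
.cmd
.htr
.asp                        ; denied by this constructed profile

[DenyUrlSequences]
..
./
\
:
%
&
"""

# Constructed request paths; only logoff.asp comes from the thread.
SAMPLE_URLS = [
    "/exchweb/bin/USA/logoff.asp",
    "/exchange/jdoe/Inbox/",
    "/exchweb/img/logo.gif",
    "/exchange/jdoe/Inbox/Q&A.EML",
]


def parse_ini(text):
    """Return {section_name_lowercase: [entries]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def options(sections):
    """Turn the key=value lines of [options] into a dict with lowercase keys."""
    opts = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def evaluate(sections, url):
    """Return the reasons this model would reject the URL (empty list = allowed)."""
    opts = options(sections)
    path = url.split("?", 1)[0]          # the model looks at the path portion only
    reasons = []

    # Extension check: a request with no extension is represented as ".".
    ext = posixpath.splitext(path)[1].lower() or "."
    if opts.get("useallowextensions", "0") == "1":
        allowed = [e.lower() for e in sections.get("allowextensions", [])]
        if ext not in allowed:
            reasons.append(f"extension {ext} is not listed in [AllowExtensions]")
    else:
        denied = [e.lower() for e in sections.get("denyextensions", [])]
        if ext in denied:
            reasons.append(f"extension {ext} is listed in [DenyExtensions]")

    # Substring check against [DenyUrlSequences].
    for seq in sections.get("denyurlsequences", []):
        if seq.lower() in path.lower():
            reasons.append(f"path contains denied sequence {seq!r}")
    return reasons


def triage(sections, urls):
    """Map each URL to its list of rejection reasons."""
    return {url: evaluate(sections, url) for url in urls}


if __name__ == "__main__":
    for url, why in triage(parse_ini(SAMPLE_INI), SAMPLE_URLS).items():
        print(("REJECT (404)" if why else "allow       "), url, "; ".join(why))
```

On a real server the same question is answered by reading the installed urlscan.ini and the URLScan log next to it, which records each rejected request and the rule that matched.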
 


RE: OWA 5.5

2003-12-17 Thread Roger Seielstad
Yea - we're single domain, two sites, and it works well


--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, December 16, 2003 12:34 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5
 
 
 Very true.  The problem with this usually comes because of 
 separate domains
 with trust issues.
 
 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Tuesday, December 16, 2003 5:30 AM
 To: Exchange Discussions
 Subject: RE: OWA 5.5
 
 I have one for our two sites here - there's no additional 
 configuration
 necessary - as long as the OWA box has connectivity to all sites.
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Bourque Daniel [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 16, 2003 7:31 AM
  To: Exchange Discussions
  Subject: OWA 5.5
  
  
  
  I read somewhere that it was possible to use one IIS server 
 to front 
  multiple Exchange 5.5 servers, member of different Exchange 
 sites.  Is 
  it true?
  
  If yes, can you point me in the right direction on how to implement 
  this?
  Thank you.
  
  
  Daniel
  
  


RE : OWA 5.5

2003-12-17 Thread Bourque Daniel
Yes, I finally got a test account on an Exch 5.5 server in another site and
it works fine.  Thank you all

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: December 17, 2003 07:42
To: Exchange Discussions
Subject: RE: OWA 5.5


Yea - we're single domain, two sites, and it works well


--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 16, 2003 12:34 PM
 To: Exchange Discussions
 Subject: RE: OWA 5.5
 
 
 Very true.  The problem with this usually comes because of
 separate domains
 with trust issues.
 
 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Roger Seielstad
 Sent: Tuesday, December 16, 2003 5:30 AM
 To: Exchange Discussions
 Subject: RE: OWA 5.5
 
 I have one for our two sites here - there's no additional
 configuration
 necessary - as long as the OWA box has connectivity to all sites.
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Bourque Daniel [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 16, 2003 7:31 AM
  To: Exchange Discussions
  Subject: OWA 5.5
  
  
  
  I read somewhere that it was possible to use one IIS server
 to front
  multiple Exchange 5.5 servers, member of different Exchange
 sites.  Is
  it true?
  
  If yes, can you point me in the right direction on how to implement
  this?
  Thank you.
  
  
  Daniel
  
  


RE: OWA 5.5

2003-12-16 Thread Roger Seielstad
I have one for our two sites here - there's no additional configuration
necessary - as long as the OWA box has connectivity to all sites.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Bourque Daniel [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, December 16, 2003 7:31 AM
 To: Exchange Discussions
 Subject: OWA 5.5
 
 
 
 I read somewhere that it was possible to use one IIS server to front
 multiple Exchange 5.5 servers, member of different Exchange 
 sites.  Is it
 true?
 
 If yes, can you point me in the right direction on how to 
 implement this?
 Thank you.
 
 
 Daniel
 
 


RE: OWA 5.5

2003-12-16 Thread Ed Crowley [MVP]
Very true.  The problem with this usually comes because of separate domains
with trust issues.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, December 16, 2003 5:30 AM
To: Exchange Discussions
Subject: RE: OWA 5.5

I have one for our two sites here - there's no additional configuration
necessary - as long as the OWA box has connectivity to all sites.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Bourque Daniel [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 16, 2003 7:31 AM
 To: Exchange Discussions
 Subject: OWA 5.5
 
 
 
 I read somewhere that it was possible to use one IIS server to front 
 multiple Exchange 5.5 servers, member of different Exchange sites.  Is 
 it true?
 
 If yes, can you point me in the right direction on how to implement 
 this?
 Thank you.
 
 
 Daniel
 
 


RE : OWA 5.5

2003-12-16 Thread Bourque Daniel

Thank you.  In our setup, there is a different Exchange 5.5 site per W2K
domain, all part of the same AD tree.  The setup will be:
 - Reverse proxy in the outside DMZ with access only to the IIS server
 - IIS server in an internal DMZ with specific access only to DC
   (DNS/Authentication) and Exch servers in the organisation.



-Original Message-
From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent: December 16, 2003 12:34
To: Exchange Discussions
Subject: RE: OWA 5.5


Very true.  The problem with this usually comes because of separate domains
with trust issues.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, December 16, 2003 5:30 AM
To: Exchange Discussions
Subject: RE: OWA 5.5

I have one for our two sites here - there's no additional configuration
necessary - as long as the OWA box has connectivity to all sites.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Bourque Daniel [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 16, 2003 7:31 AM
 To: Exchange Discussions
 Subject: OWA 5.5
 
 
 
 I read somewhere that it was possible to use one IIS server to front
 multiple Exchange 5.5 servers, member of different Exchange sites.  Is 
 it true?
 
 If yes, can you point me in the right direction on how to implement
 this?
 Thank you.
 
 
 Daniel
 
 


RE: OWA and SMTP

2003-12-11 Thread Roger Seielstad
Actually, you can't snoop the SSL traffic. Ok, you can, but it's worthless.

I'd suggest an SSL accelerator (either hardware or software) sitting in the
DMZ, passing unencrypted traffic between the DMZ and a front end server on
the internal network. We've been doing that for about 18 months without any
issues (albeit in an Ex5.5 environment, but that shouldn't matter).

I'd also suggest a front end server dedicated to OWA, as that's an
additional layer of protection.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, December 10, 2003 8:42 PM
 To: Exchange Discussions
 Subject: RE: OWA and SMTP
 
 
 Those are very powerful seven (your number--I haven't counted) ports.
 You're pretty safe by allowing only SSL into OWA, enforcing a strong
 password policy, and watching the traffic that passes through 
 the firewall.
 
 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Davinder Gupta
 Sent: Wednesday, December 10, 2003 7:15 AM
 To: Exchange Discussions
 Subject: RE: OWA and SMTP
 
 Ed,
 
 It takes 7 ports from front end server for windows 2000 communication plus
 the exchange ports to make it work. So my only argument is that if the front
 end box gets compromised, hackers have access to those seven ports and
 wherever they terminate. However by putting the front end server on the LAN,
 there is no telling where the bad guys will have access if the front end
 server is compromised. And please don't get me wrong, I understand that the
 ports required for Win2k are significant ports.
 
 However ISA might be a good solution too, I will look into it.
 
 Thanks
 Davinder
 
 
 
  -Original Message-
 From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, December 09, 2003 11:00 PM
 To:   Exchange Discussions
 Subject:  RE: OWA and SMTP
 
 There's a whitepaper on the Exchange 2000 web site about using ISA.
 
 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Davinder Gupta
 Sent: Tuesday, December 09, 2003 8:30 AM
 To: Exchange Discussions
 Subject: RE: OWA and SMTP
 
 Can you point me to those articles/white papers etc. ??
 
 I would like to look into the possibility of using ISA and 
 keeping FE server
 in DMZ.
 
 Thanks
 Davinder
 
 
 
  -Original Message-
 From: Martin Blackstone 
 [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, December 09, 2003 8:17 AM
 To:   Exchange Discussions
 Subject:  RE: OWA and SMTP
 
 Don't they show ISA in there as well? 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fyodorov, Andrey
 Sent: Tuesday, December 09, 2003 8:13 AM
 To: Exchange Discussions
 Subject: RE: OWA and SMTP
 
 Why do Microsoft FE/BE whitepapers show FE in DMZ?
 
 -Original Message-
 From: Martin Blackstone [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 09, 2003 10:58 AM
 To: Exchange Discussions
 Subject: RE: OWA and SMTP
 
 I couldn't have said it better myself. 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
 Sent: Tuesday, December 09, 2003 7:56 AM
 To: Exchange Discussions
 Subject: RE: OWA and SMTP
 
 What I don't understand is why everyone thinks that placing 
 their FE server
 in a DMZ is a more secure/better way/whatever have you.  
 IMHO, it is not.  I
 don't understand what you think you are going to be gaining 
 by placing it
 there other than increased headache for the setup and troubleshooting.
 Some
 may offer the argument that if your FE server gets hacked, it 
 is somewhat
 isolated.  Let's be honest.  With the ports that are required 
 to be open
 between the FE and BE, if someone hacks your FE server, they 
 can own your
 internal network whether the FE is in a DMZ or not.  I'm just 
 not convinced
 that there is a need to place FE servers in the DMZ.  That, 
 plus I seem to
 remember that it is now Microsoft's suggestion to NOT place 
 the FE server in
 the DMZ.  I'll see if I can find the reference to that. 
 
 Davinder, you are, of course, welcome to deploy this how you see fit.
 It is, after all, your network, not mine.  Ultimately, if you 
 feel it is a
 better setup to place your FE server in your DMZ, then do 
 that.  I'm just
 trying to offer feedback.  As far as 5.5, that is a different scenario
 altogether.  5.5 would allow you to install OWA separate from 
 the Exchange
 mailbox server.
 
 Ben Winzenz
 Network Engineer
 Gardner  White
 (317) 581-1580 ext 418
 
 
 -Original Message-
 From: Davinder Gupta

RE: OWA and SMTP

2003-12-11 Thread Ely, Don
Because Microsoft and Security are synonymous, of course!  

If one chooses to put their FE server in the DMZ, open the bazillion ports
required to connect to the BE server, and the FE server gets compromised in
any way, you have just opened the door to your internal network.  Some
might say the same about putting the FE directly on the same LAN as the BE
server, but at least you'll go down knowing that you weren't operating under
a false sense of security.

Putting the FE in a DMZ will only make you feel all warm and fuzzy till the
box gets compromised.  Putting the FE on your LAN at least makes you more
aware that the threat is there and you're only opening 2-3 ports versus
about 20.



-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 11:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.
Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 10:45 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to allow
these specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does

RE: OWA and SMTP

2003-12-11 Thread Ely, Don
No, it should be on the edge of your network...  ;o) 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 3:11 PM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Shouldn't the ISA server be in the DMZ?


-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 11:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting. Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit. It is,
after all, your network, not mine.  Ultimately, if you feel it is a better
setup to place your FE server in your DMZ, then do that.  I'm just trying to
offer feedback.  As far as 5.5, that is a different scenario altogether.
5.5 would allow you to install OWA separate from the Exchange mailbox
server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server. The DMZ is
separate physical network (VLAN) and Firewall is going to allow these
specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ. A
FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying

RE: OWA and SMTP

2003-12-11 Thread Ely, Don
Davinder,

What are the 7 ports?  Might they not be more risk than just 25 and 443?
Risks are all around us, it's up to us to determine what level of risk we're
willing to accept... 

-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 10, 2003 10:15 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Ed,

It takes 7 ports from front end server for windows 2000 communication plus
the exchange ports to make it work. So my only argument is that if the front
end box gets compromised, hackers have access to those seven ports and
wherever they terminate. However by putting the front end server on the LAN,
there is no telling where the bad guys will have access if the front end
server is compromised. And please don't get me wrong, I understand that the
ports required for Win2k are significant ports.

However ISA might be a good solution too, I will look into it.

Thanks
Davinder



 -Original Message-
From:   Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 11:00 PM
To: Exchange Discussions
Subject:RE: OWA and SMTP

There's a whitepaper on the Exchange 2000 web site about using ISA.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta
Sent: Tuesday, December 09, 2003 8:30 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Can you point me to those articles/white papers etc. ??

I would like to look into the possibility of using ISA and keeping FE server
in DMZ.

Thanks
Davinder



 -Original Message-
From:   Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.  Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to allow
these specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured

RE: OWA and SMTP

2003-12-11 Thread Fyodorov, Andrey
But you don't have to open those 20 ports to the entire world. You can
only specify that the FE should be able to talk to the BE and the DCs. I
agree - it is more work to set up and maintain.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Ely, Don [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 9:30 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Because Microsoft and Security are synonymous, of course!  

If one chooses to put their FE server in the DMZ, open the bazillion ports
required to connect to the BE server and the FE server gets compromised in
any way.  You have just opened the door to your internal network.  Some
might say, the same about putting the FE directly on the same LAN as the BE
server, but at least you'll go down knowing that you weren't operating under
a false sense of security.

Putting the FE in a DMZ will only make you feel all warm and fuzzy till the
box gets compromised.  Putting the FE on your LAN at least makes you more
aware that the threat is there and you're only opening 2-3 ports versus
about 20.



-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 11:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.  Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that.

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to allow
these specific kind of traffic only to required specific servers on inside
network.

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581

RE: OWA and SMTP

2003-12-11 Thread Ely, Don
Well, of course, but what if the FE gets compromised?  It's still allowed to
talk to the BE and DC's, right?  Problem still exists...

We can all debate this till we're blue in the face, but the fact is, putting
an FE server in the DMZ only gives you a false sense of security.  It's no
more or no less secure than putting the FE directly on the LAN...  Now an
SMTP relay by itself in the DMZ is no biggie...  But leave OWA protected as
best you can... 

-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 9:49 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

But you don't have to open those 20 ports to the entire world. You can only
specify that the FE should be able to talk to the BE and the DCs. I agree -
it is more work to set up and maintain.

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion

-Original Message-
From: Ely, Don [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 9:30 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Because Microsoft and Security are synonymous, of course!  

If one chooses to put their FE server in the DMZ, open the bazillion ports
required to connect to the BE server and the FE server gets compromised in
any way.  You have just opened the door to your internal network.  Some
might say, the same about putting the FE directly on the same LAN as the BE
server, but at least you'll go down knowing that you weren't operating under
a false sense of security.

Putting the FE in a DMZ will only make you feel all warm and fuzzy till the
box gets compromised.  Putting the FE on your LAN at least makes you more
aware that the threat is there and you're only opening 2-3 ports versus
about 20.



-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 11:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.  Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to allow
these specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510
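
Added example (not code from any poster in this thread): a small first-match ACL model that lists what a compromised FE could still reach in the DMZ-with-access-lists layout versus on the flat LAN, which is the point being argued above. Host names, addresses, listening ports and the permitted port list are constructed assumptions, not values taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # TCP destination ports; an empty set means any port


def evaluate(rules, src, dst, port, default="deny"):
    """First-match evaluation, as a router access list does it."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action
    return default


def reachable(rules, src, hosts, listening, default="deny"):
    """Map each internal host to the listening ports that src may connect to."""
    out = {}
    for name, addr in hosts.items():
        ports = sorted(p for p in listening[name]
                       if evaluate(rules, src, addr, p, default) == "permit")
        if ports:
            out[name] = ports
    return out


# Constructed inventory (placeholder names and addresses).
HOSTS = {
    "be1": "10.0.1.10",    # back-end mailbox server
    "dc1": "10.0.1.20",    # domain controller / global catalog
    "file1": "10.0.1.30",  # unrelated file server
    "hr-db": "10.0.1.40",  # unrelated database server
}
LISTENING = {
    "be1": {25, 80, 135, 445, 3389},
    "dc1": {53, 88, 135, 389, 445, 3268, 3389},
    "file1": {135, 445, 3389},
    "hr-db": {1433, 3389},
}

FE_DMZ = "192.168.50.5"  # FE placed in the DMZ VLAN
FE_LAN = "10.0.1.5"      # FE placed on the same LAN as the BE

# Assumed FE->inside allowances for the DMZ layout; everything else hits
# the implicit deny at the end of the list.
DMZ_ACL = [
    Rule("permit", "192.168.50.5/32", "10.0.1.10/32", frozenset({80})),
    Rule("permit", "192.168.50.5/32", "10.0.1.20/32",
         frozenset({53, 88, 135, 389, 445, 3268})),
]


def dmz_exposure():
    """What the FE can reach through the router ACL."""
    return reachable(DMZ_ACL, FE_DMZ, HOSTS, LISTENING)


def lan_exposure():
    """Same-segment traffic never crosses the router, so nothing filters it."""
    return reachable([], FE_LAN, HOSTS, LISTENING, default="permit")


if __name__ == "__main__":
    for label, exp in (("DMZ + ACL", dmz_exposure()), ("flat LAN", lan_exposure())):
        total = sum(len(p) for p in exp.values())
        print(f"{label}: {total} reachable host/port pairs")
        for host, ports in exp.items():
            print(f"  {host}: {ports}")
```

In both layouts the BE and the DC stay reachable on the allowed ports; what the access list changes is whether the other internal hosts are reachable at all.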

RE: OWA and SMTP

2003-12-10 Thread Ed Crowley [MVP]
Whenever I've partnered with Microsoft Consulting Services, they've agreed
with me that it isn't the best idea to put front-end servers in the DMZ.
But some organizations are hell-bent on doing it their way.  It isn't that
it's the Microsoft Way, but if a customer demands it their way, Microsoft
is being customer-focused to help them not screw it up too bad.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Martin Blackstone
Sent: Tuesday, December 09, 2003 8:24 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Or my favorite:
There is the right way, the wrong way, or the Microsoft way. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I'm reminded of the character Yogurt in Spaceballs the Movie, It's all
about the merchandising.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting. Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit. It is,
after all, your network, not mine.  Ultimately, if you feel it is a better
setup to place your FE server in your DMZ, then do that.  I'm just trying to
offer feedback.  As far as 5.5, that is a different scenario altogether.
5.5 would allow you to install OWA separate from the Exchange mailbox
server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server. The DMZ is
separate physical network (VLAN) and Firewall is going to allow these
specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA

RE: OWA and SMTP

2003-12-10 Thread Ed Crowley [MVP]
There's a whitepaper on the Exchange 2000 web site about using ISA.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta
Sent: Tuesday, December 09, 2003 8:30 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Can you point me to those articles/white papers etc. ??

I would like to look into the possibility of using ISA and keeping FE server
in DMZ.

Thanks
Davinder



 -Original Message-
From:   Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.  Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to allow
these specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:36 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from

RE: OWA and SMTP

2003-12-10 Thread Davinder Gupta
Ed,

It takes 7 ports from front end server for windows 2000 communication plus
the exchange ports to make it work. So my only argument is that if the front
end box gets compromised, hackers have access to those seven ports and
wherever they terminate. However by putting the front end server on the LAN,
there is no telling where the bad guys will have access if the front end
server is compromised. And please don't get me wrong, I understand that the
ports required for Win2k are significant ports.

However ISA might be a good solution too, I will look into it.

Thanks
Davinder



 -Original Message-
From:   Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 11:00 PM
To: Exchange Discussions
Subject:RE: OWA and SMTP

There's a whitepaper on the Exchange 2000 web site about using ISA.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta
Sent: Tuesday, December 09, 2003 8:30 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Can you point me to those articles/white papers etc. ??

I would like to look into the possibility of using ISA and keeping FE server
in DMZ.

Thanks
Davinder



 -Original Message-
From:   Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.
Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 10:45 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is a separate physical network (VLAN) and Firewall is going to allow
this specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in Exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier

RE: OWA and SMTP

2003-12-10 Thread Ed Crowley [MVP]
Those are very powerful seven (your number--I haven't counted) ports.
You're pretty safe by allowing only SSL into OWA, enforcing a strong
password policy, and watching the traffic that passes through the firewall.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta
Sent: Wednesday, December 10, 2003 7:15 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Ed,

It takes 7 ports from front end server for Windows 2000 communication plus
the Exchange ports to make it work. So my only argument is that if the front
end box gets compromised, hackers have access to those seven ports and
wherever they terminate. However, by putting the front end server on the LAN,
there is no telling where the bad guys will have access if the front end
server is compromised. And please don't get me wrong, I understand that the
ports required for Win2k are significant ports.

However ISA might be a good solution too, I will look into it.

Thanks
Davinder



 -Original Message-
From:   Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 11:00 PM
To: Exchange Discussions
Subject:RE: OWA and SMTP

There's a whitepaper on the Exchange 2000 web site about using ISA.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Davinder Gupta
Sent: Tuesday, December 09, 2003 8:30 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Can you point me to those articles/white papers etc. ??

I would like to look into the possibility of using ISA and keeping FE server
in DMZ.

Thanks
Davinder



 -Original Message-
From:   Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.
Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 10:45 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server.
The DMZ is a separate physical network (VLAN) and Firewall is going to allow
this specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in Exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do

RE: OWA and SMTP

2003-12-09 Thread Ben Winzenz
You are going down a road that you do not want to go down.  You
understand that in order to be a FE server, you have to be running
Exchange Enterprise edition, right? (ok, if you run Exchange 2003, you
can run Standard edition)  The only ports you would have to open up from
the outside to the FE server would be 25, 80 and/or 443.  However, the
problem is that you must open up additional ports between the FE server
and the BE server, and between the FE server and the DC/GC's.  Opening
these ports makes it not worth it to place it in the DMZ.  Now, if you
just want to place a SMTP Relay server (don't mistake that term for Open
relay) in the DMZ, that is much safer to do.

So, what is your end goal here?  FE/BE setup, or SMTP Relay server? 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Posted At: Monday, December 08, 2003 8:23 PM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our
SMTP and OWA front end server. Which ports do I need to open to make
this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-09 Thread Eric Fretz
80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-09 Thread Martin Blackstone
It's much more extensive than that when putting the FE in the DMZ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-09 Thread Eric Fretz
He just asked for the ports and I pointed him to the kb on open ports.  I
agree that putting a Front End in a DMZ is no walk in the park and did not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-09 Thread Ben Winzenz
What Martin is saying is that those are not the only ports you have to
open.  There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems
to point out the correct ports, the post was misleading in saying that
only 80/443 and a few others.  Those few other ports (esp. 135, and
the LDAP ports) are something I would not especially want opened on my
firewall. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:09 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports.
I agree that putting a Front End in a DMZ is no walk in the park and did
not intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-09 Thread Fyodorov, Andrey
Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the
front-end VLAN if it is coming from the FE server, and only the
specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to
open.  There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems
to point out the correct ports, the post was misleading in saying that
only 80/443 and a few others.  Those few other ports (esp. 135, and
the LDAP ports) are something I would not especially want opened on my
firewall. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:09 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports.
I agree that putting a Front End in a DMZ is no walk in the park and did
not intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder




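
The access-list proposal in the message above, and the objection that the remaining ports (135, LDAP) still terminate on the DC, can be checked mechanically. The Python below is an added example, not code from any poster in this thread; the addresses are constructed and the port list is an illustrative subset (the full list is in the KB article the thread cites).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan (documentation and private ranges, not from the thread).
FE = "192.0.2.10"          # front-end OWA/SMTP server on the DMZ VLAN
DMZ_PEER = "192.0.2.50"    # some other host on the same DMZ VLAN
BE = "10.0.0.20"           # back-end mailbox server
DC = "10.0.0.5"            # domain controller / global catalog
FILE_SERVER = "10.0.0.99"  # unrelated inside host
INSIDE_HOSTS = (BE, DC, FILE_SERVER)
# Ports probed when measuring exposure; 445 and 3389 stand in for
# services the front end has no business reaching.
PORTS_OF_INTEREST = (25, 80, 135, 389, 445, 3268, 3389)


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    ports: frozenset   # TCP destination ports; empty means any port


def rule(action, src, dst, *ports):
    return Rule(action, src, dst, frozenset(ports))


# Loose ACL: the whole DMZ VLAN may reach the whole inside network.
LOOSE = [rule("permit", "192.0.2.0/24", "10.0.0.0/24")]

# Tight ACL as proposed: only the FE host, only named servers, only
# specified ports (SMTP/HTTP to the BE; RPC endpoint mapper, LDAP and
# GC to the DC). Illustrative subset, an assumption of this example.
TIGHT = [
    rule("permit", FE + "/32", BE + "/32", 25, 80),
    rule("permit", FE + "/32", DC + "/32", 135, 389, 3268),
]


def evaluate(acl, src, dst, port):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for r in acl:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"


def audit(acl):
    """Flag permit rules broader than host-to-host on named ports."""
    findings = []
    for index, r in enumerate(acl):
        if r.action != "permit":
            continue
        if ip_network(r.src).num_addresses > 1:
            findings.append((index, "source is not a single host"))
        if ip_network(r.dst).num_addresses > 1:
            findings.append((index, "destination is not a single host"))
        if not r.ports:
            findings.append((index, "any destination port allowed"))
    return findings


def exposure(acl, src, hosts=INSIDE_HOSTS, ports=PORTS_OF_INTEREST):
    """Inside (host, port) pairs a given source can reach through the ACL."""
    return sorted((h, p) for h in hosts for p in ports
                  if evaluate(acl, src, h, p) == "permit")


if __name__ == "__main__":
    for name, acl in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, "audit findings:", audit(acl))
        print(name, "reachable from FE:", exposure(acl, FE))
        print(name, "reachable from DMZ peer:", exposure(acl, DMZ_PEER))
```

The tight list shrinks what a compromised front end can reach to five host/port pairs, but 135 and the LDAP ports on the DC are still among them, which is the residual risk the replies argue about.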


RE: OWA and SMTP

2003-12-09 Thread Eric Fretz
He did not indicate which ports he needed to have open and on which side they
needed to be open to.

For example, 80 and 443 need to be open to the internet to allow external
hosts to use OWA.  The others need to be open between the DMZ and internal
LAN to allow the FE server to do GC lookups, etc.

Sorry for the confusion.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 8:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:09 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-09 Thread Ben Winzenz
Why go through the hassle?  It is much easier (and just as secure) to
simply put the FE server inside your network, open up port 443 and 25 to
the FE server (I would not open port 80 for OWA), and that is all you
should have to do.  If you want to be even more secure, use something
like ISA server to publish the FE OWA server.  There are some servers
that belong on a DMZ.  A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the
front-end VLAN if it is coming from the FE server, and only the
specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to
open.  There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems
to point out the correct ports, the post was misleading in saying that
only 80/443 and a few others.  Those few other ports (esp. 135, and
the LDAP ports) are something I would not especially want opened on my
firewall. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports.
I agree that putting a Front End in a DMZ is no walk in the park and did
not intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder





RE: OWA and SMTP

2003-12-09 Thread Eric Fretz
I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
(Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder





RE: OWA and SMTP

2003-12-09 Thread Davinder Gupta
Thanks everybody for replying. The plan is exactly to open 443 from outside
and required ports for GC/LDAP and required ports for BE server. The DMZ is
separate physical network (VLAN) and Firewall is going to allow these
specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall. 


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
(Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder
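
An added example, not part of any list member's post: a short Python audit of a constructed DMZ-to-inside rule set. It checks the pinning described in the thread (FE server as the only source, specific inside servers, specific ports) and then lists which of the services named in the thread (135 and the LDAP ports) a fully pinned rule set still leaves reachable from the FE. Addresses, rule names and the rule set are assumptions; 389 and 3268 are the standard LDAP and global catalog ports.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed addressing plan (assumptions for this example only).
FE_HOST = ip_network("192.0.2.10/32")   # front-end server in the DMZ
INSIDE = ip_network("10.0.0.0/16")      # internal network behind the firewall
MAX_PORT_SPAN = 1                       # anything wider than one port is flagged

# Services the thread singles out as undesirable to expose (well-known ports).
SENSITIVE = {135: "RPC endpoint mapper", 389: "LDAP", 3268: "global catalog LDAP"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # (low, high), inclusive, TCP


# Constructed rule set: one inbound rule, four pinned rules, one loose rule.
RULES = [
    Rule("inet-to-fe-https", "0.0.0.0/0", "192.0.2.10/32", (443, 443)),
    Rule("fe-to-be-http", "192.0.2.10/32", "10.0.1.20/32", (80, 80)),
    Rule("fe-to-dc-ldap", "192.0.2.10/32", "10.0.1.5/32", (389, 389)),
    Rule("fe-to-dc-gc", "192.0.2.10/32", "10.0.1.5/32", (3268, 3268)),
    Rule("fe-to-dc-rpc", "192.0.2.10/32", "10.0.1.5/32", (135, 135)),
    Rule("dmz-to-inside-high", "192.0.2.0/24", "10.0.0.0/16", (1024, 65535)),
]


def into_inside(rule):
    """True when the rule admits traffic to the internal network."""
    return ip_network(rule.dst).overlaps(INSIDE)


def audit(rules):
    """Return {rule name: [finding codes]} for every rule that reaches the inside."""
    report = {}
    for rule in rules:
        if not into_inside(rule):
            continue  # e.g. Internet-to-FE rules are out of scope here
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        low, high = rule.ports
        codes = []
        if src != FE_HOST:
            codes.append("source-not-pinned-to-fe")
        if dst.num_addresses != 1:
            codes.append("destination-not-single-host")
        if high - low + 1 > MAX_PORT_SPAN:
            codes.append("port-range")
        report[rule.name] = codes
    return report


def residual_exposure(rules):
    """Sensitive services still reachable from the FE via rules that pass the audit."""
    clean = {name for name, codes in audit(rules).items() if not codes}
    exposed = []
    for rule in rules:
        if rule.name not in clean:
            continue
        low, high = rule.ports
        for port, label in sorted(SENSITIVE.items()):
            if low <= port <= high:
                exposed.append((rule.dst, port, label))
    return exposed


if __name__ == "__main__":
    for name, codes in audit(RULES).items():
        print(f"{name:22} {', '.join(codes) or 'pinned'}")
    print("Reachable from the FE even when every rule is pinned:")
    for dst, port, label in residual_exposure(RULES):
        print(f"  {dst} tcp/{port} ({label})")
```
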





RE: OWA and SMTP

2003-12-09 Thread Fyodorov, Andrey
Isn't Exchange 2003 more IPSec-friendly?

But if you work on it carefully, you should be able to get Exchange 2000
going with IPSec too.



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 10:46 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Thanks everybody for replying. The plan is exactly to open 443 from
outside
and required ports for GC/LDAP and required ports for BE server. The DMZ
is
separate physical network (VLAN) and Firewall is going to allow these
specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and
DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured
zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to
simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should
have
to do.  If you want to be even more secure, use something like ISA
server to
publish the FE OWA server.  There are some servers that belong on a
DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the
front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
(Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did
not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder





RE: OWA and SMTP

2003-12-09 Thread Davinder Gupta
Could you be a little more specific about the careful part?? 

 -Original Message-
From:   Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:50 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Isn't Exchange 2003 more IPSec-friendly?

But if you work on it carefully, you should be able to get Exchange 2000
going with IPSec too.



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 10:46 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Thanks everybody for replying. The plan is exactly to open 443 from
outside
and required ports for GC/LDAP and required ports for BE server. The DMZ
is
separate physical network (VLAN) and Firewall is going to allow these
specific kind of traffic only to required specific servers on inside
network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and
DCs
and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured
zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to
simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should
have
to do.  If you want to be even more secure, use something like ISA
server to
publish the FE OWA server.  There are some servers that belong on a
DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the
front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
(Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did
not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 8:10 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


It's much more extensive than that when putting the FE in the DMZ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 5:55 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

80(HTTP), 443(SSL) and a few others.

Check out kb# 280132

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 7:23 PM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our
SMTP
and OWA front end server. Which ports do I need to open to make this
work.
Is there a KB article that you guy

RE: OWA and SMTP

2003-12-09 Thread Ben Winzenz
What I don't understand is why everyone thinks that placing their FE
server in a DMZ is a more secure/better way/whatever have you.  IMHO, it
is not.  I don't understand what you think you are going to be gaining
by placing it there other than increased headache for the setup and
troubleshooting.  Some may offer the argument that if your FE server
gets hacked, it is somewhat isolated.  Let's be honest.  With the ports
that are required to be open between the FE and BE, if someone hacks
your FE server, they can own your internal network whether the FE is in
a DMZ or not.  I'm just not convinced that there is a need to place FE
servers in the DMZ.  That, plus I seem to remember that it is now
Microsoft's suggestion to NOT place the FE server in the DMZ.  I'll see
if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is
a better setup to place your FE server in your DMZ, then do that.  I'm
just trying to offer feedback.  As far as 5.5, that is a different
scenario altogether.  5.5 would allow you to install OWA separate from
the Exchange mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 10:45 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from
outside and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to
allow these specific kind of traffic only to required specific servers
on inside network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and
DCs and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured
zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to
simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should
have
to do.  If you want to be even more secure, use something like ISA
server to
publish the FE OWA server.  There are some servers that belong on a
DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the
front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
(Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did
not
intend to make it sound that easy.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL

RE: OWA and SMTP

2003-12-09 Thread Martin Blackstone
I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is not.  I
don't understand what you think you are going to be gaining by placing it
there other than increased headache for the setup and troubleshooting.  Some
may offer the argument that if your FE server gets hacked, it is somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own your
internal network whether the FE is in a DMZ or not.  I'm just not convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem to
remember that it is now Microsoft's suggestion to NOT place the FE server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is a
better setup to place your FE server in your DMZ, then do that.  I'm just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from
outside and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to
allow these specific kind of traffic only to required specific servers
on inside network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and
DCs and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured
zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to
simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should
have
to do.  If you want to be even more secure, use something like ISA
server to
publish the FE OWA server.  There are some servers that belong on a
DMZ.
A FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the
front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted To: Exchange
(Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


He just asked for the ports and I pointed him to the kb on open ports. I
agree that putting a Front End in a DMZ is no walk in the park and did

RE: OWA and SMTP

2003-12-09 Thread Fyodorov, Andrey
Why do Microsoft FE/BE whitepapers show FE in DMZ?

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 10:58 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I couldn't have said it better myself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Winzenz
Sent: Tuesday, December 09, 2003 7:56 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What I don't understand is why everyone thinks that placing their FE
server
in a DMZ is a more secure/better way/whatever have you.  IMHO, it is
not.  I
don't understand what you think you are going to be gaining by placing
it
there other than increased headache for the setup and troubleshooting.
Some
may offer the argument that if your FE server gets hacked, it is
somewhat
isolated.  Let's be honest.  With the ports that are required to be open
between the FE and BE, if someone hacks your FE server, they can own
your
internal network whether the FE is in a DMZ or not.  I'm just not
convinced
that there is a need to place FE servers in the DMZ.  That, plus I seem
to
remember that it is now Microsoft's suggestion to NOT place the FE
server in
the DMZ.  I'll see if I can find the reference to that. 

Davinder, you are, of course, welcome to deploy this how you see fit.
It is, after all, your network, not mine.  Ultimately, if you feel it is
a
better setup to place your FE server in your DMZ, then do that.  I'm
just
trying to offer feedback.  As far as 5.5, that is a different scenario
altogether.  5.5 would allow you to install OWA separate from the
Exchange
mailbox server.

Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] Posted At: Tuesday,
December 09, 2003 10:45 AM Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Thanks everybody for replying. The plan is exactly to open 443 from
outside and required ports for GC/LDAP and required ports for BE server.
The DMZ is separate physical network (VLAN) and Firewall is going to
allow these specific kind of traffic only to required specific servers
on inside network. 

You guys seem very concerned with that which I respectfully don't
understand. Also this is exactly what we did in exchange 5.5, right??

Or another idea might be to create an IPSec tunnel between FE server and
DCs and limit the number of ports that way, ideas?


Thanks
Davinder



 -Original Message-
From:   Eric Fretz [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 7:20 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

I totally agree.  It is much easier to do extensive logging (and packet
filtering, for that matter) with a good layered firewall, as opposed to
locking down IIS (and Windows) to accept connections in an unsecured
zone.  

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:20 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Why go through the hassle?  It is much easier (and just as secure) to simply
put the FE server inside your network, open up port 443 and 25 to the FE
server (I would not open port 80 for OWA), and that is all you should have
to do.  If you want to be even more secure, use something like ISA server to
publish the FE OWA server.  There are some servers that belong on a DMZ. A
FE OWA server is not one of them.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] 
Posted At: Tuesday, December 09, 2003 9:36 AM
Posted To: Exchange (Swynk)
Conversation: OWA and SMTP
Subject: RE: OWA and SMTP


Have FE and BE on separate VLANs and set up access lists on the routers
allowing just the back-end VLAN to only accept traffic from the front-end
VLAN if it is coming from the FE server, and only the specified ports.

How does that sound?


-Original Message-
From: Ben Winzenz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 9:29 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

What Martin is saying is that those are not the only ports you have to open.
There are MANY more that are required to be opened to allow for
communication between the FE server and the BE server, and communication
between the FE server and the DC/GC servers.  While the article seems to
point out the correct ports, the post was misleading in saying that only
80/443 and a few others.  Those few other ports (esp. 135, and the LDAP
ports) are something I would not especially want opened on my firewall.


Ben Winzenz
Network Engineer
Gardner  White
(317) 581-1580 ext 418


-Original Message-
From: Eric Fretz [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, December 09, 2003 9:09 AM Posted
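
The access-list proposal quoted above (only the FE server may reach the back-end VLAN, and only on specified ports) and the objection that 135 and the LDAP ports stay open either way can both be checked against a rule set. The following is an added example, not part of the original posts; the addresses, the rule format and the `MAX_RANGE` threshold are constructed for illustration, and 389/3268 are the standard LDAP and global catalog ports.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed addressing plan for illustration (not from the thread).
FE_HOST = ip_network("192.0.2.10/32")      # front-end server in the DMZ VLAN
ALLOWED_DST = {                            # the only internal servers the FE needs
    ip_network("10.0.0.20/32"): "BE",
    ip_network("10.0.0.5/32"): "DC/GC",
}

# Ports the thread calls out as unwelcome on a firewall. 135 is named in the
# thread; 389 and 3268 are the standard LDAP and global catalog ports.
SENSITIVE = {135: "RPC endpoint mapper", 389: "LDAP", 3268: "GC LDAP"}
MAX_RANGE = 16   # assumption: anything wider is treated as a dynamic range


@dataclass(frozen=True)
class Rule:
    """One permit rule from the DMZ side to the internal side (TCP)."""
    src: str     # source CIDR
    dst: str     # destination CIDR
    lo: int      # first permitted port
    hi: int      # last permitted port (== lo for a single port)


def audit(rules):
    """Return sorted (rule_index, finding) pairs for a permit-only rule list."""
    findings = set()
    for i, r in enumerate(rules):
        if ip_network(r.src) != FE_HOST:
            findings.add((i, "SRC_NOT_FE_ONLY"))     # more than the FE can use it
        if ip_network(r.dst) not in ALLOWED_DST:
            findings.add((i, "DST_NOT_PINNED"))      # not limited to BE or DC/GC
        if r.hi - r.lo + 1 > MAX_RANGE:
            findings.add((i, "WIDE_PORT_RANGE"))
        for port in SENSITIVE:
            if r.lo <= port <= r.hi:
                findings.add((i, f"SENSITIVE_{port}"))
    return sorted(findings)


def exposure(rules):
    """Count (internal address, port) pairs reachable from the FE server.

    Ports are merged per destination network, so overlapping port rules are
    counted once; destination networks are assumed not to overlap each other.
    """
    ports_by_dst = {}
    for r in rules:
        if FE_HOST.subnet_of(ip_network(r.src)):
            ports = ports_by_dst.setdefault(ip_network(r.dst), set())
            ports.update(range(r.lo, r.hi + 1))
    return sum(d.num_addresses * len(p) for d, p in ports_by_dst.items())


# Constructed rule set: whole DMZ VLAN to whole internal VLAN, dynamic range open.
LOOSE = [
    Rule("192.0.2.0/24", "10.0.0.0/24", 80, 80),
    Rule("192.0.2.0/24", "10.0.0.0/24", 135, 135),
    Rule("192.0.2.0/24", "10.0.0.0/24", 389, 389),
    Rule("192.0.2.0/24", "10.0.0.0/24", 1024, 65535),
]

# Constructed rule set in the spirit of the access-list proposal: FE host only,
# named destinations only, single ports only.
TIGHT = [
    Rule("192.0.2.10/32", "10.0.0.20/32", 80, 80),      # FE -> BE, HTTP
    Rule("192.0.2.10/32", "10.0.0.5/32", 135, 135),     # FE -> DC, RPC mapper
    Rule("192.0.2.10/32", "10.0.0.5/32", 389, 389),     # FE -> DC, LDAP
    Rule("192.0.2.10/32", "10.0.0.5/32", 3268, 3268),   # FE -> GC, LDAP
]

if __name__ == "__main__":
    for name, rules in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, "reachable (address, port) pairs:", exposure(rules))
        for idx, finding in audit(rules):
            print(f"  rule {idx}: {finding}")
```

Pinning source and destination shrinks what a compromised FE can reach by orders of magnitude, but the `SENSITIVE_*` findings remain in the tight set, which is the residual risk the thread argues about.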

RE: OWA and SMTP

2003-12-09 Thread Martin Blackstone
Don't they show ISA in there as well? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov, Andrey
Sent: Tuesday, December 09, 2003 8:13 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Why do Microsoft FE/BE whitepapers show FE in DMZ?


RE: OWA and SMTP

2003-12-09 Thread Eric Fretz
I'm reminded of the character Yogourt in Spaceballs the Movie, It's all
about the merchandising.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 10:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Don't they show ISA in there as well? 


RE: OWA and SMTP

2003-12-09 Thread Martin Blackstone
Or my favorite:
There is the right way, the wrong way, or the Microsoft way. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

I'm reminded of the character Yogourt in Spaceballs the Movie, It's all
about the merchandising.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510




RE: OWA and SMTP

2003-12-09 Thread Davinder Gupta
Can you point me to those articles/white papers etc. ??

I would like to look into the possibility of using ISA and keeping FE server
in DMZ.

Thanks
Davinder



 -Original Message-
From:   Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, December 09, 2003 8:17 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Don't they show ISA in there as well? 


RE: OWA and SMTP

2003-12-09 Thread David, Andy
Shouldn't the ISA server be in the DMZ?


-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 09, 2003 11:17 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP


Don't they show ISA in there as well? 


RE: OWA and SMTP

2003-12-08 Thread Bowles, John (OIG/OMP)
Depending on what kind of setup you'll be doing and what type of security you're going
to be implementing.  But for starters you want to at least open port 25 (SMTP traffic)
and 443 (for SSL).

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Davinder Gupta
Sent: Monday, December 08, 2003 10:58 AM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-08 Thread Fyodorov, Andrey
There are a bunch of Exchange hosting whitepapers that discuss
front-end/back-end deployment including which ports need to be open.
Look at http://www.microsoft.com/isn

Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 10:58 AM
To: Exchange Discussions
Subject: OWA and SMTP

I am setting up a Windows 2000 member server in DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA and SMTP

2003-12-08 Thread Davinder Gupta
Of course, I want it to be secure. The external ports you mention are good.
How about this server talking to other exchange 2k servers and Win2k DC's
inside? Can we still fix the exchange ports like we did in 5.5?



 -Original Message-
From:   Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED] 
Sent:   Monday, December 08, 2003 8:02 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Depending on what kind of setup you'll be doing and what type of security
you're going to be implementing.  But for starters you want to at least open
port 25 (SMTP traffic) and 443 (for SSL).

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: OWA and SMTP

2003-12-08 Thread Fyodorov, Andrey
There are KB articles about static port mappings in Exchange 2000.



-Original Message-
From: Davinder Gupta [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 11:08 AM
To: Exchange Discussions
Subject: RE: OWA and SMTP

Of course, I want it to be secure. The external ports you mention are good.
How about this server talking to other Exchange 2k servers and Win2k DCs
inside? Can we still fix the Exchange ports like we did in 5.5?



 -Original Message-
From:   Bowles, John (OIG/OMP) [mailto:[EMAIL PROTECTED] 
Sent:   Monday, December 08, 2003 8:02 AM
To: Exchange Discussions
Subject:RE: OWA and SMTP

Depending on what kind of setup you'll be doing and what type of security
you're going to be implementing.  But for starters you want to at least open
port 25 (SMTP traffic) and 443 (for SSL).

_
John Bowles
Exchange Engineer
OIG/HHS
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Davinder Gupta
Sent: Monday, December 08, 2003 10:58 AM
To: Exchange Discussions
Subject: OWA and SMTP


I am setting up a Windows 2000 member server in the DMZ, which will be our SMTP
and OWA front end server. Which ports do I need to open to make this work?
Is there a KB article that you guys could point me to?

Thanks
Davinder






RE: OWA daily hangups and patch 818709 messages now blank

2003-11-25 Thread Wood, Harriet [CCS]
We applied this patch to two servers (ex 5.5 sp4, NT sp6a) and now one of them
displays only blank emails.
I see this in the event log:
Application popup: OLEChannelWnd: inetinfo.exe - Entry Point Not Found : The procedure 
entry point wnsprintfW could not be located in the dynamic link library SHLWAPI.dll. 

I noticed shlwapi.dll was not the same on both servers so I copied the one from the 
working server across. Made no difference.

Anyone else seen this?

Harriet

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: 19 November 2003 23:29
To: Exchange Discussions
Subject: RE: OWA daily hangups


Any of your users using Outlook 2003? If so, there's a patch... 
http://support.microsoft.com/default.aspx?scid=kb;[LN];818709

I had this exact same problem and this fixed it. I haven't had to restart OWA since.

Cheers,
Tony

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 19, 2003 3:25 PM
To: Exchange Discussions
Subject: OWA daily hangups


Weird problem... I'm running Exchange 5.5 sp4 on Win2k sp4 in a Win2k AD domain.  For
about a month now when a user tries to log on to OWA they will experience a hangup in
the service. Specifically, the user can get to the 1st logon screen, enter their
alias... and then enter their logon/password in the subsequent pop-up box but the
actual screen to see their mail will not be displayed.  It will just sit there on the
first page and not go any further. No errors... No page cannot be
displayed... nothing! I've seen the problem happen on XP, 2k, even on the server
itself.  Giving IIS a restart solves the problem for a day or two and then it will 
happen again.  I checked the event logs and don't see anything pertaining to IIS or 
Exchange except messages saying the service was stopped (of course it does since I'm 
the one who stops it!).  Can anyone give me an idea on how to tackle this one?  Or is 
this more of an IIS issue rather than an OWA issue...?



RE: OWA daily hangups and patch 818709 messages now blank - Sorted

2003-11-25 Thread Wood, Harriet [CCS]
Turned out to be a corrupt mlang.dll

-Original Message-
From: Wood, Harriet [CCS] [mailto:[EMAIL PROTECTED] 
Sent: 25 November 2003 08:42
To: Exchange Discussions
Subject: RE: OWA daily hangups and patch 818709 messages now blank


We applied this patch to two servers (ex 5.5 sp4, NT sp6a) and now one of them
displays only blank emails. I see this in the event log: Application popup: 
OLEChannelWnd: inetinfo.exe - Entry Point Not Found : The procedure entry point 
wnsprintfW could not be located in the dynamic link library SHLWAPI.dll. 

I noticed shlwapi.dll was not the same on both servers so I copied the one from the 
working server across. Made no difference.

Anyone else seen this?

Harriet

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: 19 November 2003 23:29
To: Exchange Discussions
Subject: RE: OWA daily hangups


Any of your users using Outlook 2003? If so, there's a patch... 
http://support.microsoft.com/default.aspx?scid=kb;[LN];818709

I had this exact same problem and this fixed it. I haven't had to restart OWA since.

Cheers,
Tony

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 19, 2003 3:25 PM
To: Exchange Discussions
Subject: OWA daily hangups


Weird problem... I'm running Exchange 5.5 sp4 on Win2k sp4 in a Win2k AD domain.  For
about a month now when a user tries to log on to OWA they will experience a hangup in
the service. Specifically, the user can get to the 1st logon screen, enter their
alias... and then enter their logon/password in the subsequent pop-up box but the
actual screen to see their mail will not be displayed.  It will just sit there on the
first page and not go any further. No errors... No page cannot be
displayed... nothing! I've seen the problem happen on XP, 2k, even on the server
itself.  Giving IIS a restart solves the problem for a day or two and then it will 
happen again.  I checked the event logs and don't see anything pertaining to IIS or 
Exchange except messages saying the service was stopped (of course it does since I'm 
the one who stops it!).  Can anyone give me an idea on how to tackle this one?  Or is 
this more of an IIS issue rather than an OWA issue...?



RE: OWA Design Question

2003-11-25 Thread Bailey, Matthew
If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to
your BE Exchange servers.

At least that is the way I understand it.

 - Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000
Front-End Servers trying to get a feel for how I should set up OWA
access from the internet for my company.  Currently we have an Exchange
5.5 OWA server in a DMZ with port 443 open from the internet or external
side and on the internal side open to the DCs and Exchange Servers... I
know, I know, not very secure. The document gives me several scenarios
but the ones I am interested in are Front-End Server in a Perimeter
Network and Advanced Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+
or statically map the RPC service Port.  This seems easy enough to do
but it sucks having to swiss cheese the firewall.  Of course Microsoft
recommends the Advanced Firewall Scenario (ISA Server).


My question is has anyone set up ISA in a DMZ?  Is it better?  What are
the benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open
up RPC ports?  I am looking at this from the perspective of talking
management into spending the $3000 on the software... belts are tight
so there really has to be a good reason.  And we already have a proxy
server and management doesn't want to replace it so this would be
specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends
-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA
segmentation.
http://www.swinc.com/resource/exchange2003/appendixc.asp


Jeff



 -Original Message-
 From: McBee, Jim [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 11, 2003 5:18 PM
 To: Exchange Discussions
 Subject: RE: Exchange 2003 OWA segmentation feature
 
 
 Hee hee hee
   I think I have that book somewhere...
 
   Actually, the settings have changed between E2K and E2K3.  I think
 there are a few more things you can turn on/off in E2K3.
 Unfortunately, no one seems to know what the settings are.
 
 Thanks,
 Jim
 
 -Original Message-
 From: Tony Hlabse [mailto:[EMAIL PROTECTED]
 Posted At: Monday, August 11, 2003 11:34 AM
 Posted To: Exchange Technical Mailing List
 Conversation: Exchange 2003 OWA segmentation feature
 Subject: Re: Exchange 2003 OWA segmentation feature
 
 
 
 Yes it's a registry key that is set. When set affects all users of
 that domain however you can also set for an individual that will
 override the system setting. 1024 is for all folders to show up. I have
 the settings at work but are also available on MS's site via
 http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you
 need the exact settings they are in the book Exchange 24/7 by Jim McBee
 
 From: McBee, Jim [EMAIL PROTECTED]
 Reply-To: Exchange Discussions [EMAIL PROTECTED]
 To: Exchange Discussions [EMAIL PROTECTED]
 Subject: Exchange 2003 OWA segmentation feature
 Date: Mon, 11 Aug 2003 11:01:25 -1000
 
 Hi everyone:
  I'm looking for some information on a feature in Exchange 2003 
 and I have used up all of my ideas on how to find out more info.  It 
 was called OWA segmentation in Exchange 2000 and was introduced in 
 Exchange 2000 SP2.  It allowed you to turn off public folders, the 
 calendar, contacts, etc. for certain users.  This was either a
 registry key or an attribute you had to add to the W2K AD.  However,
 it is included in E2K3's schema extensions.
 
  However, I cannot find ANY information on the actual values.  It
 is essentially a bit mask, but I can't figure out what the bits mean.
 Below is the only text I have been able to find on it, and this was in
 the release notes.  The schema attribute name is:
 msExchMailboxFolderSet
 
  I have a customer that is using this in E2K and we are building a
 'proof-of-concept' lab for E2K3 and we cannot get this to work.  It is
 driving me crazy and I'm almost thinking I need to open up a PSS
 incident just to get the documentation on this feature.  I was hoping 
 you might be able to find more documentation on this.
 
  Any ideas?
 
 Thanks,
 
 Jim McBee
 
 
 Per-user Feature Segmentation in Outlook Web Access May Require
 Modification of User Object to Use All Features

 Outlook Web Access allows you to enable specific sets

RE: OWA Design Question

2003-11-25 Thread Clemens, Rick
It is my understanding that even if I publish OWA through ISA I still
have to open 389, 88, and 53 (if we don't use host files) to our network
for authentication.  So it seems that I will just save myself from
opening ports for GC Queries and RPC Traffic.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bailey, Matthew
Posted At: Tuesday, November 25, 2003 8:28 AM
Posted To: Exchange Discussion
Conversation: OWA Design Question
Subject: RE: OWA Design Question


If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to
your BE Exchange servers.

At least that is the way I understand it.

 - Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000
Front-End Servers trying to get a feel for how I should set up OWA
access from the internet for my company.  Currently we have an Exchange
5.5 OWA server in a DMZ with port 443 open from the internet or external
side and on the internal side open to the DCs and Exchange Servers... I
know, I know, not very secure. The document gives me several scenarios
but the ones I am interested in are Front-End Server in a Perimeter
Network and Advanced Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+
or statically map the RPC service Port.  This seems easy enough to do
but it sucks having to swiss cheese the firewall.  Of course Microsoft
recommends the Advanced Firewall Scenario (ISA Server).


My question is has anyone set up ISA in a DMZ?  Is it better?  What are
the benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open
up RPC ports?  I am looking at this from the perspective of talking
management into spending the $3000 on the software... belts are tight
so there really has to be a good reason.  And we already have a proxy
server and management doesn't want to replace it so this would be
specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

RE: OWA Design Question

2003-11-25 Thread Schwartz, Jim
You can use ISA. It's not that hard to set up and works well. Added bonus
for those with the need is the ability to add RSA authentication to the ISA
server. Users must use a key fob to authenticate before they even get to the
OWA boxes. You can also use another type of proxy server (Squid for
instance) to proxy the connection from the DMZ.

-Original Message-
From: Bailey, Matthew [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 25, 2003 9:28 AM
To: Exchange Discussions
Subject: RE: OWA Design Question


If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to your
BE Exchange servers.

At least that is the way I understand it.

 - Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000 Front-End
Servers trying to get a feel for how I should set up OWA access from the
internet for my company.  Currently we have an Exchange 5.5 OWA server in a
DMZ with port 443 open from the internet or external side and on the
internal side open to the DCs and Exchange Servers... I know, I know, not
very secure. The document gives me several scenarios but the ones I am
interested in are Front-End Server in a Perimeter Network and Advanced
Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or
statically map the RPC service Port.  This seems easy enough to do but it
sucks having to swiss cheese the firewall.  Of course Microsoft recommends
the Advanced Firewall Scenario (ISA Server).


My question is has anyone set up ISA in a DMZ?  Is it better?  What are the
benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open up
RPC ports?  I am looking at this from the perspective of talking management
into spending the $3000 on the software... belts are tight so there really
has to be a good reason.  And we already have a proxy server and management
doesn't want to replace it so this would be specific to making OWA access
more secure.

Any help would be greatly appreciated.

Rick sends

RE: OWA Design Question

2003-11-25 Thread Bailey, Matthew
I am currently running OWA published through ISA and I didn't need to
open all the ports since the OWA server sits behind ISA in the corporate
network.  

We have our ISA server sitting on the border of our corporate network
externally facing the DMZ then have another brand of firewall sitting on
the border between the DMZ and the Internet.  On the ISA server, you
only bind the Client for Microsoft Networks to the internal facing NIC.
The firewall facing the Internet only has ports 80 and 443 open (working
on getting everybody switched over to SSL only) for the IP of the OWA
server.

It was fairly easy to do but using SSL creates some challenges.  This
site has some good documentation on the process:
http://www.ISAserver.org



 - Matt


-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 25, 2003 7:34 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

It is my understanding that even if I publish OWA through ISA I still
have to open 389, 88, and 53 (if we don't use host files) to our network
for authentication.  So it seems that I will just save myself from
opening ports for GC Queries and RPC Traffic.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bailey, Matthew
Posted At: Tuesday, November 25, 2003 8:28 AM
Posted To: Exchange Discussion
Conversation: OWA Design Question
Subject: RE: OWA Design Question


If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to
your BE Exchange servers.

At least that is the way I understand it.

 - Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000
Front-End Servers trying to get a feel for how I should set up OWA
access from the internet for my company.  Currently we have an Exchange
5.5 OWA server in a DMZ with port 443 open from the internet or external
side and on the internal side open to the DCs and Exchange Servers... I
know, I know, not very secure. The document gives me several scenarios
but the ones I am interested in are Front-End Server in a Perimeter
Network and Advanced Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+
or statically map the RPC service Port.  This seems easy enough to do
but it sucks having to swiss cheese the firewall.  Of course Microsoft
recommends the Advanced Firewall Scenario (ISA Server).


My question is has anyone set up ISA in a DMZ?  Is it better?  What are
the benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open
up RPC ports?  I am looking at this from the perspective of talking
management into spending the $3000 on the software... belts are tight
so there really has to be a good reason.  And we already have a proxy
server and management doesn't want to replace it so this would be
specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends

RE: OWA Design Question

2003-11-25 Thread Fyodorov, Andrey
Only allow the front-end servers to talk to the domain
controllers/GCs/DNS servers instead of just opening ports 389, 88, 53,
etc from the entire DMZ to the internal network.


Sincerely,

Andrey Fyodorov, Exchange MVP
Systems Engineer
Messaging and Collaboration
Spherion
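
Added example (not part of the original message or any list member's configuration): a small Python audit of the advice above, checking that DMZ-to-internal allow rules for the ports named in the thread (389, 3268, 88, 53, 135) are scoped to the front-end hosts and the DC/GC/DNS hosts rather than to whole subnets, and flagging rules that open a range into 1024+. The addresses, rule names and rule format are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the thread lists for a front-end server placed in the DMZ.
THREAD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                389: "LDAP", 3268: "global catalog"}

# Constructed topology: every address here is an assumption for the example.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/16")
FRONT_ENDS = [ip_network("192.0.2.10/32")]
DIRECTORY_HOSTS = [ip_network("10.0.1.5/32"), ip_network("10.0.1.6/32")]  # DC/GC/DNS


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port_lo: int
    port_hi: int


def contained(net, allowed):
    """True when net lies entirely inside one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)


def audit(rules):
    """Return (rule, issue, detail) for DMZ-to-internal allow rules that are too broad."""
    findings = []
    for r in rules:
        src, dst = ip_network(r.src), ip_network(r.dst)
        if r.action != "allow" or not (src.overlaps(DMZ) and dst.overlaps(INTERNAL)):
            continue
        # Thread ports that fall inside this rule's port range.
        hit = ", ".join(f"{p}/{THREAD_PORTS[p]}" for p in sorted(THREAD_PORTS)
                        if r.port_lo <= p <= r.port_hi)
        if hit and not contained(src, FRONT_ENDS):
            findings.append((r.name, "source-wider-than-front-ends",
                             f"{r.src} can reach {hit}"))
        if hit and not contained(dst, DIRECTORY_HOSTS):
            findings.append((r.name, "destination-wider-than-directory-hosts",
                             f"{r.dst} exposed on {hit}"))
        # A multi-port rule reaching 1024+ is the case the thread would
        # replace with a statically mapped RPC port.
        if r.port_hi >= 1024 and r.port_hi > r.port_lo:
            findings.append((r.name, "port-range-into-1024+",
                             f"{r.port_lo}-{r.port_hi}"))
    return findings


# Constructed rule set: one subnet-wide rule, host-scoped rules, a dynamic RPC range.
SAMPLE_RULES = [
    Rule("dmz-ldap-any", "allow", "192.0.2.0/24", "10.0.0.0/16", 389, 389),
    Rule("fe-ldap", "allow", "192.0.2.10/32", "10.0.1.5/32", 389, 389),
    Rule("fe-kerberos", "allow", "192.0.2.10/32", "10.0.1.5/32", 88, 88),
    Rule("fe-dns", "allow", "192.0.2.10/32", "10.0.1.6/32", 53, 53),
    Rule("fe-rpc-dynamic", "allow", "192.0.2.10/32", "10.0.1.5/32", 1024, 65535),
    Rule("dmz-default-deny", "deny", "192.0.2.0/24", "10.0.0.0/16", 0, 65535),
]

if __name__ == "__main__":
    for name, issue, detail in audit(SAMPLE_RULES):
        print(f"{name}: {issue} ({detail})")
```
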


-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 25, 2003 9:34 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

It is my understanding that even if I publish OWA through ISA I still
have to open 389, 88, and 53 (if we don't use host files) to our network
for authentication.  So it seems that I will just save myself from
opening ports for GC Queries and RPC Traffic.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bailey, Matthew
Posted At: Tuesday, November 25, 2003 8:28 AM
Posted To: Exchange Discussion
Conversation: OWA Design Question
Subject: RE: OWA Design Question


If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to
your BE Exchange servers.

At least that is the way I understand it.

 - Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000
Front-End Servers trying to get a feel for how I should set up OWA
access from the internet for my company.  Currently we have an Exchange
5.5 OWA server in a DMZ with port 443 open from the internet or external
side and on the internal side open to the DCs and Exchange Servers... I
know, I know, not very secure. The document gives me several scenarios
but the ones I am interested in are Front-End Server in a Perimeter
Network and Advanced Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+
or statically map the RPC service Port.  This seems easy enough to do
but it sucks having to swiss cheese the firewall.  Of course Microsoft
recommends the Advanced Firewall Scenario (ISA Server).


My question is has anyone set up ISA in a DMZ?  Is it better?  What are
the benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open
up RPC ports?  I am looking at this from the perspective of talking
management into spending the $3000 on the software... belts are tight
so there really has to be a good reason.  And we already have a proxy
server and management doesn't want to replace it so this would be
specific to making OWA access more secure.

Any help would be greatly appreciated.

Rick sends
-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA
segmentation.
http://www.swinc.com/resource/exchange2003/appendixc.asp


Jeff



 -Original Message-
 From: McBee, Jim [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 11, 2003 5:18 PM
 To: Exchange Discussions
 Subject: RE: Exchange 2003 OWA segmentation feature
 
 
 Hee hee hee
   I think I have that book somewhere...
 
   Actually, the settings have changed between E2K and E2K3.  I
think 
 there are a few more things you can turn on/off in E2K3.
 Unfortunately, no one seems to know what the settings are.
 
 Thanks,
 Jim
 
 -Original Message-
 From: Tony Hlabse [mailto:[EMAIL PROTECTED]
 Posted At: Monday, August 11, 2003 11:34 AM
 Posted To: Exchange Technical Mailing List
 Conversation: Exchange 2003 OWA segmentation feature
 Subject: Re: Exchange 2003 OWA segmentation feature
 
 
 
 Yes it's a registry key that is set. When set affects all users of
 that domain however you can also set for an individual that will
 override the system setting. 1024 is for all folders to show up. I have
 the settings at work but are also available on MS's site via
 http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you
 need the exact settings they are in the book Exchange 24/7 by Jim McBee
 
 From: McBee, Jim [EMAIL PROTECTED]
 Reply-To: Exchange Discussions [EMAIL PROTECTED]
 To: Exchange Discussions [EMAIL PROTECTED]
 Subject: Exchange 2003 OWA segmentation feature
 Date: Mon, 11 Aug 2003 11:01:25 -1000
 
 Hi everyone:
  I'm looking for some information on a feature in Exchange 2003 
 and I have used up all of my ideas on how to find out more info.  It 
 was called OWA segmentation in Exchange 2000 and was introduced in 
 Exchange 2000 SP2.  It allowed you to turn off public folders, the 
 calendar, contacts, etc.. for certain users.  This was either a 
 registry

RE: OWA Design Question

2003-11-25 Thread Fyodorov, Andrey
Do the users eventually get a case of keyphobia?   :) 



-Original Message-
From: Schwartz, Jim [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 25, 2003 9:36 AM
To: Exchange Discussions
Subject: RE: OWA Design Question

You can use ISA. It's not that hard to set up and works well. Added
bonus for those with the need is the ability to add RSA authentication
to the ISA server. Users must use a key fob to authenticate before they
even get to the OWA boxes. You can also use another type of proxy server
(Squid for instance) to proxy the connection from the DMZ.

-Original Message-
From: Bailey, Matthew [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:28 AM
To: Exchange Discussions
Subject: RE: OWA Design Question


If you publish OWA through ISA, all you need to open outbound to the
internet is 80 and/or 443 for OWA to function.

If you place a FE server in the DMZ you still have to open 80 and/or 443
outbound to the Internet and open 389, 3268, 88, 53, 135, 1024+ back to
your BE Exchange servers.

At least that is the way I understand it.

 - Matt

-Original Message-
From: Clemens, Rick [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 24, 2003 4:50 PM
To: Exchange Discussions
Subject: OWA Design Question

Exchange 2000 SP3
Windows 2000 SP4

I am sitting here reading the PDF Using Microsoft Exchange 2000 Front-End
Servers trying to get a feel for how I should set up OWA access from the
internet for my company.  Currently we have an Exchange 5.5 OWA server in a
DMZ with port 443 open from the internet or external side and on the
internal side open to the DC's and Exchange Servers... I know, I know not
very secure.  The document gives me several scenarios but the ones I am
interested in are Front-End Server in a Perimeter Network and Advanced
Firewall in a Perimeter Network.

With the Front-End scenario I have to open 389, 3268, 88, 53, 135, 1024+ or
statically map the RPC service Port.  This seems easy enough to do but it
sucks having to swiss cheese the firewall.  Of course Microsoft recommends
the Advanced Firewall Scenario (ISA Server)


My question is has anyone setup ISA in a DMZ?  Is it better?  What are the
benefits?  I still have to have ports 389, 88, 53, and 443 open for
authentication and such so what do I gain except for not having to open up
RPC ports?  I am looking at this from the perspective of talking management
into spending the $3000 on the software... belts are tight so there really
has to be a good reason.  And we already have a proxy server and management
doesn't want to replace it so this would be specific to making OWA access
more secure.

Any help would be greatly appreciated.

Rick sends
-Original Message-
From: Petschow, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 8:55 PM
To: Exchange Discussions
Subject: RE: Exchange 2003 OWA segmentation feature

Here is a link that will take you to the values for Exchange 2003 OWA
segmentation. http://www.swinc.com/resource/exchange2003/appendixc.asp


Jeff



 -Original Message-
 From: McBee, Jim [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 11, 2003 5:18 PM
 To: Exchange Discussions
 Subject: RE: Exchange 2003 OWA segmentation feature
 
 
 Hee hee hee
   I think I have that book somewhere...
 
   Actually, the settings have changed between E2K and E2K3.  I think
 there are a few more things you can turn on/off in E2K3.
 Unfortunately, no one seems to know what the settings are.
 
 Thanks,
 Jim
 
 -Original Message-
 From: Tony Hlabse [mailto:[EMAIL PROTECTED]
 Posted At: Monday, August 11, 2003 11:34 AM
 Posted To: Exchange Technical Mailing List
 Conversation: Exchange 2003 OWA segmentation feature
 Subject: Re: Exchange 2003 OWA segmentation feature
 
 
 
 Yes it's a registry key that is set. When set affects all users of
 that domain however you can also set for an individual that will
 override the system setting. 1024 is for all folders to show up. I have
 the settings at work but are also available on MS's site via
 http://support.microsoft.com/default.aspx?scid=kb;en-us;311154 If you
 need the exact settings they are in the book Exchange 24/7 by Jim McBee
 
 From: McBee, Jim [EMAIL PROTECTED]
 Reply-To: Exchange Discussions [EMAIL PROTECTED]
 To: Exchange Discussions [EMAIL PROTECTED]
 Subject: Exchange 2003 OWA segmentation feature
 Date: Mon, 11 Aug 2003 11:01:25 -1000
 
 Hi everyone:
  I'm looking for some information on a feature in Exchange 2003
 and I have used up all of my ideas on how to find out more info.  It 
 was called OWA segmentation in Exchange 2000 and was introduced in 
 Exchange 2000 SP2.  It allowed you to turn off public folders, the 
 calendar, contacts, etc.. for certain users.  This was either a 
 registry key or an attribute you had to add to the W2K AD.  However, 
 it is included in E2K3's schema extensions.
 
  However, I cannot find ANY information on the actual values.  It
 is essentially a bit mask
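
Added example (not written by any poster in this thread): a small audit of DMZ-to-internal firewall rules for the front-end scenario from the OWA Design Question thread above, comparing the 1024+ dynamic RPC range with a statically mapped RPC port. The rule sets, the group name and the static port 50000 are constructed assumptions.

```python
"""Audit DMZ-to-internal rules for an Exchange front-end server.

Port list taken from the thread: 389, 3268, 88, 53, 135 and either the
whole 1024+ range or one statically mapped RPC port.
Rule sets, names and the static port value below are constructed.
"""
from dataclasses import dataclass

# Fixed ports the thread lists for the front-end scenario, with the
# standard service assigned to each port.
FE_FIXED_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    3268: "Global Catalog LDAP",
}
DYNAMIC_RPC_LOW = 1024   # the "1024+" entry in the thread
MAX_PORT = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    dst: str    # internal host or group the DMZ server may reach
    low: int    # first allowed TCP port
    high: int   # last allowed TCP port (equal to low for a single port)


def exposed_ports(rules):
    """Return the set of internal TCP ports reachable from the DMZ."""
    ports = set()
    for r in rules:
        ports.update(range(r.low, r.high + 1))
    return ports


def audit(rules, static_rpc_port=None):
    """Return sorted (code, subject) findings for a front-end rule set.

    static_rpc_port is the statically mapped RPC port if one is used,
    or None when the design relies on the whole 1024+ range.
    """
    allowed = set(FE_FIXED_PORTS)
    if static_rpc_port is not None:
        allowed.add(static_rpc_port)
    findings = []
    has_wide_range = False
    for r in rules:
        if r.dst == "any":
            findings.append(("ANY_DESTINATION", r.name))
        if r.low <= DYNAMIC_RPC_LOW and r.high >= MAX_PORT:
            # The "swiss cheese" rule: every high port is reachable.
            has_wide_range = True
            findings.append(("WIDE_RPC_RANGE", r.name))
            continue
        if set(range(r.low, r.high + 1)) - allowed:
            findings.append(("UNLISTED_PORT", r.name))
    for port in sorted(allowed - exposed_ports(rules)):
        findings.append(("MISSING_PORT", str(port)))
    if static_rpc_port is None and not has_wide_range:
        # No static mapping and no dynamic range: RPC cannot get through.
        findings.append(("NO_RPC_PATH", "-"))
    return sorted(findings)


DCS = "dc-and-backend-group"   # hypothetical firewall object name
STATIC_RPC_PORT = 50000        # hypothetical statically mapped port

# Constructed rule set: fixed ports plus the whole dynamic RPC range.
FE_DYNAMIC = [
    Rule("dns", DCS, 53, 53),
    Rule("kerberos", DCS, 88, 88),
    Rule("rpc-epmap", DCS, 135, 135),
    Rule("ldap", DCS, 389, 389),
    Rule("gc", DCS, 3268, 3268),
    Rule("rpc-dynamic", DCS, DYNAMIC_RPC_LOW, MAX_PORT),
]

# Constructed rule set: static RPC port, plus a stray rule left behind.
FE_STATIC = FE_DYNAMIC[:5] + [
    Rule("rpc-static", DCS, STATIC_RPC_PORT, STATIC_RPC_PORT),
    Rule("leftover-smb", "any", 445, 445),
]

if __name__ == "__main__":
    for label, rules, static in (
        ("dynamic RPC range", FE_DYNAMIC, None),
        ("static RPC port", FE_STATIC, STATIC_RPC_PORT),
    ):
        print(label, "exposes", len(exposed_ports(rules)), "ports")
        for code, subject in audit(rules, static):
            print("  ", code, subject)
```
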

RE: OWA daily hangups

2003-11-19 Thread Woods, Tony
Any of your users using Outlook 2003? If so, there's a patch...
http://support.microsoft.com/default.aspx?scid=kb;[LN];818709

I had this exact same problem and this fixed it. I haven't had to restart
OWA since.

Cheers,
Tony

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 19, 2003 3:25 PM
To: Exchange Discussions
Subject: OWA daily hangups


Weird problem...I'm running Exchange 5.5 sp4 on Win2k sp4 in a Win2k AD
domain.  For about a month now when a user tries to log on to OWA they will
experience a hangup in the service. Specifically, the user can get to the 1st
logon screen, enter their alias...and then enter their logon/password in the
subsequent pop-up box but the actual screen to see their mail will not be
displayed.  It will just sit there on the first page and not go any further.
No errors...No page cannot be displayed...nothing! I've seen the problem
happen on xp,2k, even on the server itself.  Giving IIS a restart solves the
problem for a day or two and then it will happen again.  I checked the event
logs and don't see anything pertaining to IIS or Exchange except messages
saying the service was stopped (of course it does since I'm the one who
stops it!).  Can anyone give me an idea on how to tackle this one?  Or is
this more of an IIS issue rather than an OWA issue...?



RE: OWA daily hangups

2003-11-19 Thread Dolphin, Jeff
Woo HOOO!!!  Thanks man!  I have a CEO and a Chief Med. Officer who
think it's cool to go and buy the latest MS stuff regardless of what I say about
standards and uniformity...I'm gonna be glad to drop this on his desk!
Right before I hit him up for an upgrade to Exchange!

-Original Message-
From: Woods, Tony [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 19, 2003 3:29 PM
To: Exchange Discussions
Subject: RE: OWA daily hangups


Any of your users using Outlook 2003? If so, there's a patch...
http://support.microsoft.com/default.aspx?scid=kb;[LN];818709

I had this exact same problem and this fixed it. I haven't had to restart
OWA since.

Cheers,
Tony

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 19, 2003 3:25 PM
To: Exchange Discussions
Subject: OWA daily hangups


Weird problem...I'm running Exchange 5.5 sp4 on Win2k sp4 in a Win2k AD
domain.  For about a month now when a user tries to log on to OWA they will
experience a hangup in the service. Specifically, the user can get to the 1st
logon screen, enter their alias...and then enter their logon/password in the
subsequent pop-up box but the actual screen to see their mail will not be
displayed.  It will just sit there on the first page and not go any further.
No errors...No page cannot be displayed...nothing! I've seen the problem
happen on xp,2k, even on the server itself.  Giving IIS a restart solves the
problem for a day or two and then it will happen again.  I checked the event
logs and don't see anything pertaining to IIS or Exchange except messages
saying the service was stopped (of course it does since I'm the one who
stops it!).  Can anyone give me an idea on how to tackle this one?  Or is
this more of an IIS issue rather than an OWA issue...?



Re: OWA Front/back end in Cluster

2003-11-13 Thread M2web
If I'd asked, he probably would have answered why cluster etc? (I have
seen his responses to other folks wanting to cluster), which frankly I do
not think it is anyone's business why we want to cluster. I asked a question;
if he does not have an intelligent answer he should not reply, no matter if
you think he is one of the biggest folks or not.

- Original Message - 
From: [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 1:44 PM
Subject: RE: OWA Front/back end in Cluster


Ed C. is one of the brightest folks we have here.  He may have
'alternative' answers and very 'direct' answers, but they will never be
'unintelligent.'  You'd do well to ask him to explain what he meant, you
might learn something.

Good luck.

David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M2web
Sent: Wednesday, November 12, 2003 1:20 PM
To: Exchange Discussions
Subject: Re: OWA Front/back end in Cluster


I am trying to be very professional on this discussion group and ask a
question that I have a problem with and if no one has an answer or
wishes not to comment on it that is fine. However if your brain is
clogged or you are having a bad day and can not give any constructive
comments (because you have no idea how an E2K3 cluster works) then keep
your unintelligent remarks to yourself.


- Original Message - 
From: Ed Crowley [MVP] [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 7:55 PM
Subject: RE: OWA Front/back end in Cluster


 While you're doing all that, you might as well enable brick backups,
 have all your users download all their mail to their PSTs using POP,
 collect your mail from your ISP using a POP remailer, and have your
 file-based virus scanner scan the M: drive.

 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of M2web
 Sent: Monday, November 10, 2003 10:20 AM
 To: Exchange Discussions
 Subject: OWA Front/back end in Cluster

 I have setup an Active/passive cluster with a front end/backend config
 behind a firewall. Firewall has been configured to pass HTTP to the
 front end server. If on a computer outside the firewall I type the URL
 of the OWA, I get the Windows authentication screen but having entered
 the username and password the URL changes to the inside FQN of the EVS
 and I get a blank white screen. However if I do the same thing from a
 computer from within the firewall I still get the FQN of EVS in the URL
 address but I also get the OWA!

 What have I not done or done that it is causing this?




RE: OWA Front/back end in Cluster

2003-11-13 Thread Dflorea
Well, I said 'brightest,' I'll leave size up to you and him... ;-}

Up to everyone to take their advice from where it suits them.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M2web
Sent: Thursday, November 13, 2003 2:21 PM
To: Exchange Discussions
Subject: Re: OWA Front/back end in Cluster


If I'd asked, he probably would have answered why cluster etc? (I
have seen his responses to other folks wanting to cluster), which
frankly I do not think it is anyone's business why we want to cluster. I
asked a question; if he does not have an intelligent answer he should
not reply, no matter if you think he is one of the biggest folks or not.

- Original Message - 
From: [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 1:44 PM
Subject: RE: OWA Front/back end in Cluster


Ed C. is one of the brightest folks we have here.  He may have
'alternative' answers and very 'direct' answers, but they will never be
'unintelligent.'  You'd do well to ask him to explain what he meant, you
might learn something.

Good luck.

David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M2web
Sent: Wednesday, November 12, 2003 1:20 PM
To: Exchange Discussions
Subject: Re: OWA Front/back end in Cluster


I am trying to be very professional on this discussion group and ask a
question that I have a problem with and if no one has an answer or
wishes not to comment on it that is fine. However if your brain is
clogged or you are having a bad day and can not give any constructive
comments (because you have no idea how an E2K3 cluster works) then keep
your unintelligent remarks to yourself.


- Original Message - 
From: Ed Crowley [MVP] [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 7:55 PM
Subject: RE: OWA Front/back end in Cluster


 While you're doing all that, you might as well enable brick backups,
 have all your users download all their mail to their PSTs using POP,
 collect your mail from your ISP using a POP remailer, and have your
 file-based virus scanner scan the M: drive.

 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of M2web
 Sent: Monday, November 10, 2003 10:20 AM
 To: Exchange Discussions
 Subject: OWA Front/back end in Cluster

 I have setup an Active/passive cluster with a front end/backend config
 behind a firewall. Firewall has been configured to pass HTTP to the
 front end server. If on a computer outside the firewall I type the URL
 of the OWA, I get the Windows authentication screen but having entered
 the username and password the URL changes to the inside FQN of the EVS
 and I get a blank white screen. However if I do the same thing from a
 computer from within the firewall I still get the FQN of EVS in the URL
 address but I also get the OWA!

 What have I not done or done that it is causing this?



Re: OWA Front/back end in Cluster

2003-11-12 Thread M2web
I am trying to be very professional on this discussion group and ask a
question that I have a problem with and if no one has an answer or wishes
not to comment on it that is fine. However if your brain is clogged or you
are having a bad day and can not give any constructive comments (because you
have no idea how an E2K3 cluster works) then keep your unintelligent remarks
to yourself.


- Original Message - 
From: Ed Crowley [MVP] [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 7:55 PM
Subject: RE: OWA Front/back end in Cluster


 While you're doing all that, you might as well enable brick backups, have
 all your users download all their mail to their PSTs using POP, collect
 your mail from your ISP using a POP remailer, and have your file-based
 virus scanner scan the M: drive.

 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of M2web
 Sent: Monday, November 10, 2003 10:20 AM
 To: Exchange Discussions
 Subject: OWA Front/back end in Cluster

 I have setup an Active/passive cluster with a front end/backend config
 behind a firewall. Firewall has been configured to pass HTTP to the front
 end server. If on a computer outside the firewall I type the URL of the
 OWA, I get the Windows authentication screen but having entered the
 username and password the URL changes to the inside FQN of the EVS and I
 get a blank white screen. However if I do the same thing from a computer
 from within the firewall I still get the FQN of EVS in the URL address but
 I also get the OWA!

 What have I not done or done that it is causing this?




Re: OWA Front/back end in Cluster

2003-11-12 Thread M2web
I had done your suggestions actually before sending the email by both
entering the domain name and removing it for both cases of Integrated and/or
basic authentication.

Thanks


- Original Message - 
From: Brian Davies [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 1:57 AM
Subject: RE: OWA Front/back end in Cluster


I think Ed must have had a bad day!!  Try looking at the IIS authentication
settings of your back-end servers (possibly front-end as well) and set the
authentication to disable anonymous and enable Integrated Windows and/or
Basic (and set the domain).

Regards

Brian



Brian Davies - Network Operations Manager
University of East London
E-mail: [EMAIL PROTECTED]
Tel: 0208 223 2091 Mobile: 07711 198349




 -Original Message-
 From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
 Sent: 11 November 2003 03:56
 To: Exchange Discussions
 Subject: RE: OWA Front/back end in Cluster


 While you're doing all that, you might as well enable brick
 backups, have all your users download all their mail to their
 PSTs using POP, collect your mail from your ISP using a POP
 remailer, and have your file-based virus scanner scan the M: drive.

 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of M2web
 Sent: Monday, November 10, 2003 10:20 AM
 To: Exchange Discussions
 Subject: OWA Front/back end in Cluster

 I have setup an Active/passive cluster with a front
 end/backend config behind a firewall. Firewall has been
 configured to pass HTTP to the front end server. If on a
 computer outside the firewall I type the URL of the OWA, I
 get the Windows authentication screen  but having entered the
 username and password the URL changes to the inside FQN of
 the EVS and I get a blank white screen. However if I do the
 same thing from a computer from within the firewall I still
 get the FQN of EVS in the URL address but I also get the OWA!

 What have I not done or done that it is causing this?




RE: OWA Front/back end in Cluster

2003-11-12 Thread Dflorea
Ed C. is one of the brightest folks we have here.  He may have
'alternative' answers and very 'direct' answers, but they will never be
'unintelligent.'  You'd do well to ask him to explain what he meant, you
might learn something.

Good luck.

David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M2web
Sent: Wednesday, November 12, 2003 1:20 PM
To: Exchange Discussions
Subject: Re: OWA Front/back end in Cluster


I am trying to be very professional on this discussion group and ask a
question that I have a problem with and if no one has an answer or
wishes not to comment on it that is fine. However if your brain is
clogged or you are having a bad day and can not give any constructive
comments (because you have no idea how an E2K3 cluster works) then keep
your unintelligent remarks to yourself.


- Original Message - 
From: Ed Crowley [MVP] [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 7:55 PM
Subject: RE: OWA Front/back end in Cluster


 While you're doing all that, you might as well enable brick backups,
 have all your users download all their mail to their PSTs using POP,
 collect your mail from your ISP using a POP remailer, and have your
 file-based virus scanner scan the M: drive.

 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of M2web
 Sent: Monday, November 10, 2003 10:20 AM
 To: Exchange Discussions
 Subject: OWA Front/back end in Cluster

 I have setup an Active/passive cluster with a front end/backend config
 behind a firewall. Firewall has been configured to pass HTTP to the
 front end server. If on a computer outside the firewall I type the URL
 of the OWA, I get the Windows authentication screen but having entered
 the username and password the URL changes to the inside FQN of the EVS
 and I get a blank white screen. However if I do the same thing from a
 computer from within the firewall I still get the FQN of EVS in the URL
 address but I also get the OWA!

 What have I not done or done that it is causing this?




RE: OWA Front/back end in Cluster

2003-11-11 Thread Brian Davies
I think Ed must have had a bad day!!  Try looking at the IIS authentication
settings of your back-end servers (possibly front-end as well) and set the
authentication to disable anonymous and enable Integrated Windows and/or
Basic (and set the domain).

Regards

Brian



Brian Davies - Network Operations Manager
University of East London
E-mail: [EMAIL PROTECTED]
Tel: 0208 223 2091 Mobile: 07711 198349




 -Original Message-
 From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED] 
 Sent: 11 November 2003 03:56
 To: Exchange Discussions
 Subject: RE: OWA Front/back end in Cluster
 
 
 While you're doing all that, you might as well enable brick 
 backups, have all your users download all their mail to their 
 PSTs using POP, collect your mail from your ISP using a POP 
 remailer, and have your file-based virus scanner scan the M: drive.
 
 Ed Crowley MCSE+Internet MVP
 Freelance E-Mail Philosopher
 Protecting the world from PSTs and Bricked Backups!™
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of M2web
 Sent: Monday, November 10, 2003 10:20 AM
 To: Exchange Discussions
 Subject: OWA Front/back end in Cluster
 
 I have setup an Active/passive cluster with a front 
 end/backend config behind a firewall. Firewall has been 
 configured to pass HTTP to the front end server. If on a 
 computer outside the firewall I type the URL of the OWA, I 
 get the Windows authentication screen  but having entered the 
 username and password the URL changes to the inside FQN of 
 the EVS and I get a blank white screen. However if I do the 
 same thing from a computer from within the firewall I still 
 get the FQN of EVS in the URL address but I also get the OWA!
 
 What have I not done or done that it is causing this?
 
 


RE: OWA Front/back end in Cluster

2003-11-10 Thread Ed Crowley [MVP]
While you're doing all that, you might as well enable brick backups, have
all your users download all their mail to their PSTs using POP, collect your
mail from your ISP using a POP remailer, and have your file-based virus
scanner scan the M: drive.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M2web
Sent: Monday, November 10, 2003 10:20 AM
To: Exchange Discussions
Subject: OWA Front/back end in Cluster

I have setup an Active/passive cluster with a front end/backend config
behind a firewall. Firewall has been configured to pass HTTP to the front
end server. If on a computer outside the firewall I type the URL of the OWA,
I get the Windows authentication screen  but having entered the username and
password the URL changes to the inside FQN of the EVS and I get a blank
white screen. However if I do the same thing from a computer from within the
firewall I still get the FQN of EVS in the URL address but I also get the
OWA!

What have I not done or done that it is causing this?




RE: OWA on Windows 2003 Web Edition?

2003-11-03 Thread Neil Hobson
No.

I've covered some of the basic rules here:

http://hellomate.typepad.com/exchange/2003/07/upgrading_to_ex.html

Neil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ryan Finnesey
Posted At: 03 November 2003 03:18
Posted To: Swynk Exchange (30 days)
Conversation: OWA on Windows 2003 Web Edition?
Subject: OWA on Windows 2003 Web Edition?


Can I install Exchange 2003 OWA on Windows 2003 Web Edition?



Ryan







RE: OWA versus NTFS permissions

2003-10-29 Thread Neil Hobson
Log on Locally is no longer required for OWA.  This change came with
E2k.

As for your problem, see this:

http://support.microsoft.com/?id=327843

Neil 

-Original Message-
From: Microsoft Exchange List Server
[mailto:[EMAIL PROTECTED] 
Posted At: 24 October 2003 23:47
Posted To: Swynk Exchange (30 days)
Conversation: OWA versus NTFS permissions
Subject: RE: OWA versus NTFS permissions


yes logon locally in place in the w2k member server where owa resides.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Posted At: Friday, October 24, 2003 3:26 PM
Posted To: Microsoft Exchange List Server
Conversation: OWA versus NTFS permissions
Subject: RE: OWA versus NTFS permissions


Permission granted for users to log on locally?  See the archives for
extensive discussion...

David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Microsoft
Exchange List Server
Sent: Friday, October 24, 2003 3:16 PM
To: Exchange Discussions
Subject: OWA versus NTFS permissions


Hi all

W2K-AD nativemode (1 forest, 1 tree, 1 domain)
MSX2000+SP3 (mixedmode) running in a W2K+SP4 member server.

The only account able to use OWA is the exchangeadmin account, all other
users got Error: Access is Denied after 3 tries. I have followed the
Microsoft Article Q317471 and it still does not work.

Any suggestions? 

thx




RE: OWA versus NTFS permissions

2003-10-24 Thread Dflorea
Permission granted for users to log on locally?  See the archives for
extensive discussion...

David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Microsoft
Exchange List Server
Sent: Friday, October 24, 2003 3:16 PM
To: Exchange Discussions
Subject: OWA versus NTFS permissions


Hi all

W2K-AD nativemode (1 forest, 1 tree, 1 domain)
MSX2000+SP3 (mixedmode) running in a W2K+SP4 member server.

The only account able to use OWA is the exchangeadmin account, all other
users got Error: Access is Denied after 3 tries. I have followed the
Microsoft Article Q317471 and it still does not work.

Any suggestions? 

thx




RE: OWA versus NTFS permissions

2003-10-24 Thread Microsoft Exchange List Server
yes logon locally in place in the w2k member server where owa resides.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Posted At: Friday, October 24, 2003 3:26 PM
Posted To: Microsoft Exchange List Server
Conversation: OWA versus NTFS permissions
Subject: RE: OWA versus NTFS permissions


Permission granted for users to log on locally?  See the archives for
extensive discussion...

David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Microsoft
Exchange List Server
Sent: Friday, October 24, 2003 3:16 PM
To: Exchange Discussions
Subject: OWA versus NTFS permissions


Hi all

W2K-AD nativemode (1 forest, 1 tree, 1 domain)
MSX2000+SP3 (mixedmode) running in a W2K+SP4 member server.

The only account able to use OWA is the exchangeadmin account, all other
users got Error: Access is Denied after 3 tries. I have followed the
Microsoft Article Q317471 and it still does not work.

Any suggestions? 

thx




RE: OWA display blank body after applying MS03-046 and MS03-047

2003-10-23 Thread Blunt, James H (Jim)
Have you read this part of the MS-047 bulletin yet?

You may get a blank message body when opening a message in OWA after the
patch is installed if you have your Windows directory on the OWA Server set
to read only permissions. To solve this problem, please reference the
following Knowledge Base Article:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;314532;

-Original Message-
From: Tariq Hamirani [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2003 12:25 PM
To: Exchange Discussions
Subject: OWA display blank body after applying MS03-046 and MS03-047


I have Exchange 5.5 with SP4 on NT4 with SP6a Intel

Over the weekend I applied MS03-046 and MS03-047.

Now OWA does not display text in the message body.
I also suspect some users may have been using Outlook 2003 to cause this.

The question is should I apply Exchange5.5-KB818709-x86-enu.EXE to resolve
this problem.

Thanks

Tariq Hamirani



RE: OWA display blank body after applying MS03-046 and MS03-047

2003-10-23 Thread Blunt, James H (Jim)
Were you running at least IE 5.5 SP2 on the OWA server, BEFORE installing
MS-047?  If not, then I would bet your problem is described in the second
issue of the Q314532 link below.

-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2003 2:25 PM
To: Exchange Discussions
Subject: RE: OWA display blank body after applying MS03-046 and MS03-047


Have you read this part of the MS-047 bulletin yet?

You may get a blank message body when opening a message in OWA after the
patch is installed if you have your Windows directory on the OWA Server set
to read only permissions. To solve this problem, please reference the
following Knowledge Base Article:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;314532;

-Original Message-
From: Tariq Hamirani [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2003 12:25 PM
To: Exchange Discussions
Subject: OWA display blank body after applying MS03-046 and MS03-047


I have Exchange 5.5 with SP4 on NT4 with SP6a Intel

Over the weekend I applied MS03-046 and MS03-047.

Now OWA does not display text in the message body.
I also suspect some users may have been using Outlook 2003 to cause this.

The question is should I apply Exchange5.5-KB818709-x86-enu.EXE to resolve
this problem.

Thanks

Tariq Hamirani



RE: OWA and URLScan-Blocked Special Characters

2003-10-23 Thread Martin, Jon
Thanks for the input on this. While both my post here and on the MS newsgroups failed 
to elicit detailed specifics as to what exploits were being prevented by blocking 
these particular characters, these responses were useful and definitely preferable to 
what I received yesterday from MS PSS. Their answer was 'We know, but for security 
reasons we cannot tell you.' ( A snide aside: Thanks, MS. That took five phone calls, 
five emails, and you still have not agreed to non-decrement the case.)

On a much more positive front, I received an excellent response from Rand Morimoto 
([EMAIL PROTECTED]), author of the book Exchange 2003 Unleashed. My query to Rand 
was to help explain the two most problematic character blocks (from a customer 
irritation point of view) - the '..' and the '&'. Rand's response was as follows:

The '..' in a URL allows for traversal of the directory tree. This means that when I 
get access to one location on an Exchange server, I can send a .. command and walk 
up the directory tree.  This can actually be minimized by having tight security 
rights, so I really don't see a problem with that issue.  The '&' is more of a problem 
because that allows you to string together multiple commands.  So you can tell an 
IIS server to open an email and to launch an executable at the same time.  However 
this too can be minimized as a risk by hardening the server so that someone cannot 
hack the server to then launch an executable (i.e. I send an email to someone with an 
attachment, I somehow know that person's logon/password, I then open and launch the 
executable that brings the whole network down).  This presumes that you allow 
executables into your network AND it presumes that someone has their user account 
compromised.  But it's possible.
So by themselves, the ability to bypass URLScan for these commands, while it does 
weaken security, requires a couple other compromises to take place in your 
environment. Another option is to go to IIS6 / Exchange 2003 OWA.  IIS6 has functionality 
that allows you to run and access messages that may otherwise be URLScan compromising, 
however Exchange 2003 / IIS6 have better protections to allow access without 
restricting accessibility while minimizing security risks.
The bottom line in our environment is that we will open the '..' and '&' for OWA, and 
let other security measures handle the potential risks.

Jon

 -Original Message-
From:   Martin, Jon  
Sent:   Thursday, October 16, 2003 5:20 PM
Posted To:  exchange - new
Conversation:   OWA and URLScan-Blocked Special Characters
Subject:OWA and URLScan-Blocked Special Characters

OK, we all know that when you run Urlscan on an Exchange server that you will not be 
able to view certain notes in OWA, specifically those notes with special characters in 
the subject line. The special characters are below, along with the reason, according 
to MS documentation, that these should be blocked.

..  Allows directory traversals
./  Allows trailing dot on a directory name
\   Allows backslashes in URL
%   Allows escaping after normalization
&   Allows multiple CGI processes to run on a single request


My management wants these characters unblocked. To prevent this I need a better 
understanding of what potential problems are being prevented by the disabling of these 
characters. The above explanation in the MS documentation is probably not going to be 
sufficient. 

Does anyone have a more detailed explanation of the possible exploits being blocked by 
disabling these characters??

Thanks.


Jon Martin
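
The trade-off discussed in this thread, as an added example that is not part of any list member's post and is not URLScan's own code: a simplified Python model of deny-sequence matching on the decoded URL, run over constructed OWA-style message paths, beside a segment-aware check of whether the path actually leaves the /exchange root. The matching model, function names, root path and sample paths are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Sequences the thread lists as blocked by URLScan, with the stated reasons.
DENY_URL_SEQUENCES = {
    "..": "directory traversals",
    "./": "trailing dot on a directory name",
    "\\": "backslashes in URL",
    "%": "escaping after normalization",
    "&": "multiple CGI processes on a single request",
}

LEFTOVER_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def normalize(raw_path):
    """Decode percent-escapes once (assumed model of URL normalization)."""
    return unquote(raw_path)


def denied_sequences(raw_path):
    """Deny sequences found anywhere in the decoded path (plain substring match)."""
    decoded = normalize(raw_path)
    return [seq for seq in DENY_URL_SEQUENCES if seq in decoded]


def escapes_root(raw_path, root="/exchange"):
    """Segment-aware check: does the decoded path resolve outside `root`?"""
    decoded = normalize(raw_path).replace("\\", "/")
    resolved = posixpath.normpath(decoded)
    return not (resolved == root or resolved.startswith(root + "/"))


def triage(raw_path):
    """Separate what a substring rule blocks into the cases the thread argues about."""
    hits = denied_sequences(raw_path)
    if not hits:
        return "allowed"
    if escapes_root(raw_path):
        return "blocked: path leaves the OWA root"
    if LEFTOVER_ESCAPE.search(normalize(raw_path)):
        # A hex escape still present after one decode means the URL was encoded twice.
        return "blocked: encoded sequence survives decoding"
    return "blocked: ordinary subject text"


# Constructed sample paths; OWA puts the message subject into the URL.
SAMPLES = [
    "/exchange/jon/Inbox/Status%20report.EML",
    "/exchange/jon/Inbox/Q%26A%20notes.EML",
    "/exchange/jon/Inbox/50%25%20off.EML",
    "/exchange/jon/Inbox/To%20be%20continued....EML",
    "/exchange/jon/Inbox/../../../secret.txt",
    "/exchange/jon/Inbox/..%5C..%5C..%5Csecret.txt",
    "/exchange/jon/Inbox/%252e%252e/x",
]


def report(paths=SAMPLES):
    """Return (path, matched sequences, verdict) for each sample."""
    return [(p, denied_sequences(p), triage(p)) for p in paths]


if __name__ == "__main__":
    for path, hits, verdict in report():
        print(f"{verdict:45} {hits!s:14} {path}")
```

Three of the seven constructed paths are blocked only because the subject line contains '&', '%' or '..', which is the customer irritation described above; the segment-aware check shows which requests would have to be stopped by other controls if those sequences are opened up.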





RE: OWA display blank body after applying MS03-046 and MS03-047

2003-10-23 Thread Tariq Hamirani
James,

That's it. I don't recall reading this on the earlier security posts on MS
site. I am still running IE4 on the EX55 box. Will install IE6.


Thank you 



RE: OWA and URLScan-Blocked Special Characters

2003-10-17 Thread Ken Cornetet
IMHO, running URLSCAN on an E2K OWA server is a losing proposition. You
have to open so much up that URLSCAN basically isn't doing anything.

I just talked to a MS guy (he did PSS support for IIS) at a security
class. He seemed pretty adamant that there was a way to use URLSCAN with
100% non-interference with OWA. He's supposed to be sending docs. I'll
post whatever he sends.

For my money, run IIS lockdown (follow the OWA server template), but
turn off URLSCAN. Also, most importantly: KEEP THE SERVER PATCHED


-Original Message-
From: Martin, Jon [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 7:20 PM
To: Exchange Discussions
Subject: OWA and URLScan-Blocked Special Characters


OK, we all know that when you run Urlscan on an Exchange server that you
will not be able to view certain notes in OWA, specifically those notes
with special characters in the subject line. The special characters are
below, along with the reason, according to MS documentation, that these
should be blocked.

..  Allows directory traversals
./  Allows trailing dot on a directory name
\   Allows backslashes in URL
%   Allows escaping after normalization
&   Allows multiple CGI processes to run on a single request


My management wants these characters unblocked. To prevent this I need a
better understanding of what potential problems are being prevented by
the disabling of these characters. The above explanation in the MS
documentation is probably not going to be sufficient. 

Does anyone have a more detailed explanation of the possible exploits
being blocked by disabling these characters??

Thanks.


Jon Martin





RE: OWA and URLScan-Blocked Special Characters

2003-10-17 Thread Fyodorov, Andrey
I guess there is a danger that someone could execute commands on your server by 
passing smartly formatted URLs?
-Original Message- 
From: Martin, Jon [mailto:[EMAIL PROTECTED] 
Sent: Thu 10/16/2003 8:19 PM 
To: Exchange Discussions 
Cc: 
Subject: OWA and URLScan-Blocked Special Characters
OK, we all know that when you run Urlscan on an Exchange server that you will not be 
able to view certain notes in OWA, specifically those notes with special characters in 
the subject line. The special characters are below, along with the reason, according 
to MS documentation, that these should be blocked.

.. Allows directory traversals
./ Allows trailing dot on a directory name
\ Allows backslashes in URL
% Allows escaping after normalization
& Allows multiple CGI processes to run on a single request


My management wants these characters unblocked. To prevent this I need a better 
understanding of what potential problems are being prevented by the disabling of these 
characters. The above explanation in the MS documentation is probably not going to be 
sufficient.

Does anyone have a more detailed explanation of the possible exploits being blocked by 
disabling these characters??

Thanks.


Jon Martin




RE: OWA Error - Client seeing The Page cannot be displayed

2003-10-15 Thread Roger Seielstad
You open ports 135, 137, 138, and all = 1024 and it will work. Unless it's
a Win2k AD infrastructure, then you've only got a dozen or so that have to
be opened.

Windows Authentication through a firewall is a lose/lose situation - don't
do it. A far better scheme is to use ISA server (or some other proxy server)
to do a reverse proxy of the OWA server. In this config, the OWA box is in
the internal network, and the proxy is in the DMZ. We do this using the open
source Squid proxy on an OpenBSD platform without any issues.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Shawn Connelly [mailto:[EMAIL PROTECTED] 
 Sent: Monday, October 13, 2003 9:05 PM
 To: Exchange Discussions
 Subject: RE: OWA Error - Client seeing The Page cannot be displayed
 
 
 
 Subject: RE: OWA Error - Client seeing The Page cannot be displayed
 From: Andy David [EMAIL PROTECTED]
 Date: Sat, 11 Oct 2003 19:00:20 -0400
 
 Start simple: Does this user have local logon rights to the 
 OWA server?
 
 No... BUT then I added some clients manually into the local users
 group...even granted admin. privs just for testing but even 
 that didn't
 work.
 
 Everything was fine before the OWA was placed into a DMZ. Now 
 the server
 cannot authenticate to the Domain so it cannot find the 
 clients privs.. This
 server is also acting as a smart host/spam filter scanning both
 inbound/outbound mail and all of that is working fine.
 
 It turns out that most of the company cannot get their mail 
 through OWA any
 longer. How the heck do I authenticate through the DMZ to the BDC?  
 
 What now?
 
 Shawn
 
  
 


RE: OWA Error - Client seeing The Page cannot be displayed

2003-10-14 Thread Fyodorov, Andrey
Did you make sure to keep the necessary ports open so that the front-end
in the DMZ could talk to the domain controllers (which I assume are
behind your firewall?)

Sincerely,

Andrey Fyodorov
Systems Engineer
Messaging and Collaboration
Spherion


-Original Message-
From: Shawn Connelly [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 14, 2003 12:05 AM
To: Exchange Discussions
Subject: RE: OWA Error - Client seeing The Page cannot be displayed


Subject: RE: OWA Error - Client seeing The Page cannot be displayed
From: Andy David [EMAIL PROTECTED]
Date: Sat, 11 Oct 2003 19:00:20 -0400

Start simple: Does this user have local logon rights to the OWA
server?

No... BUT then I added some clients manually into the local users
group...even granted admin. privs just for testing but even that didn't
work.

Everything was fine before the OWA was placed into a DMZ. Now the server
cannot authenticate to the Domain so it cannot find the clients privs..
This
server is also acting as a smart host/spam filter scanning both
inbound/outbound mail and all of that is working fine.

It turns out that most of the company cannot get their mail through OWA
any
longer. How the heck do I authenticate through the DMZ to the BDC?  

What now?

Shawn

 



RE: OWA Error - Client seeing The Page cannot be displayed

2003-10-13 Thread Shawn Connelly

Subject: RE: OWA Error - Client seeing The Page cannot be displayed
From: Andy David [EMAIL PROTECTED]
Date: Sat, 11 Oct 2003 19:00:20 -0400

Start simple: Does this user have local logon rights to the OWA server?

No... BUT then I added some clients manually into the local users
group...even granted admin. privs just for testing but even that didn't
work.

Everything was fine before the OWA was placed into a DMZ. Now the server
cannot authenticate to the Domain so it cannot find the clients privs.. This
server is also acting as a smart host/spam filter scanning both
inbound/outbound mail and all of that is working fine.

It turns out that most of the company cannot get their mail through OWA any
longer. How the heck do I authenticate through the DMZ to the BDC?  

What now?

Shawn

 



RE: OWA Error - Client seeing The Page cannot be displayed

2003-10-11 Thread Andy David
Start simple: Does this user have local logon rights to the OWA server? 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Connelly
Sent: Saturday, October 11, 2003 6:42 PM
To: Exchange Discussions
Subject: OWA Error - Client seeing The Page cannot be displayed


OWA suddenly (for an unknown reason) stopped working for one client.  

After client enters mailbox name/user name and pass the next screen 
displayed is: 
The Page cannot be displayed  HTTP 500 Internal Server Error 

If I turn off Show friendly HTTP error messages IE 6, the message 
then becomes: 
There are currently no logon servers available to service the logon 
request. 

Other details: 
- the client only began having problems this week and claims to have not
modified his password;
- the client can log into his email via Outlook in the office; 
- I can log into this mailbox without difficulty using an admins. 
credentials; 
- It is the same problem on any computer so the problem is not specific to
one computer.

As I mentioned, this just started happening and it's only this account 
(that I know of).  

The only thing that changed recently was that I placed OWA (separate 
from Exchange Server 5.5) into a DMZ.  But that change didn't seem to 
affect anyone else. 

Does anyone know why this happened and how to fix this? 

Thank you, 
Shawn 

P.S. I just found that I cannot send a message to this list using OWA. 
Any way to configure outbound msgs in OWA to send as text only?



RE: OWA Error - Client seeing The Page cannot be displayed

2003-10-11 Thread mike
can the client then put in \exchange\username and see their mail?

check that your org's primary email address is in his list of smtp 
addresses ...

mike

OWA suddenly (for an unknown reason) stopped working for one client. 

After client enters mailbox name/user name and pass the next screen
displayed is:
The Page cannot be displayed  HTTP 500 Internal Server Error
If I turn off Show friendly HTTP error messages IE 6, the message
then becomes:
There are currently no logon servers available to service the logon
request.
Other details:
- the client only began having problems this week and claims to have not
modified his password;
- the client can log into his email via Outlook in the office;
- I can log into this mailbox without difficulty using an admins.
credentials;
- It is the same problem on any computer so the problem is not specific to
one computer.
As I mentioned, this just started happening and it's only this account
(that I know of). 

The only thing that changed recently was that I placed OWA (separate
from Exchange Server 5.5) into a DMZ.  But that change didn't seem to
affect anyone else.
Does anyone know why this happened and how to fix this?

Thank you,
Shawn
P.S. I just found that I cannot send a message to this list using OWA.
Any way to configure outbound msgs in OWA to send as text only?


RE: OWA - NLB

2003-09-29 Thread Bolser, Scott
Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windows2000serv/Default.asp

It's listed under Increased Scalability 

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill



RE: OWA - NLB

2003-09-29 Thread Tony Hlabse
You could do it if you use Cisco and/or Alteon load balancing switches to 
do hardware balancing but costs may be the same as upgrading to enterprise 
version of Exchange. Something to consider.

From: Bolser, Scott [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:07:08 -0400
Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windows2000serv/Default.asp
It's listed under Increased Scalability

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB
I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?
thanks
bill


RE: OWA - NLB

2003-09-29 Thread Mellott, Bill
Thanks..actually I am about to replace my main switches...
Might you have an idea which Cisco units could do this

PS to All...Actually you can add NLB to W2K standard..BUT you must purchase
Application Center 2000..which has NLB as one of its components..and well
then you have to purchase some type of license cause you are now auth to 1
but hitting many.
the cost of all this works out to be cheaper to purchase Adv Svr...

thanks
bill

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:19 PM
To: Exchange Discussions
Subject: RE: OWA - NLB


You could do it if you use Cisco and/or Alteon Load balancing switches to
do Hardware balancing but costs may be the same as upgrading to enterprise
version of Exchange. Something to consider.


From: Bolser, Scott [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:07:08 -0400

Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/Default.asp

It's listed under Increased Scalability

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill



RE: OWA - NLB

2003-09-29 Thread Tony Hlabse
You would have to contact the vendor and explain what you're trying to
accomplish and get the latest info. Hardware -vs- Network load balancing
both have their place.

From: Mellott, Bill [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:24:45 -0400

Thanks..actually I am about to replace my main switches...
Might you have an idea which Cisco units could do this

PS to All...Actually you can add NLB to W2K standard..BUT you must purchase
Application Center 2000..which has NLB as one of its components..and well
then you have to purchase some type of license cause you are now auth to 1
but hitting many.
the cost of all this works out to be cheaper to purchase Adv Svr...

thanks
bill

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:19 PM
To: Exchange Discussions
Subject: RE: OWA - NLB

You could do it if you use Cisco and/or Alteon Load balancing switches to
do Hardware balancing but costs may be the same as upgrading to enterprise
version of Exchange. Something to consider.

From: Bolser, Scott [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:07:08 -0400

Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/Default.asp

It's listed under Increased Scalability

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill


RE: OWA - NLB

2003-09-29 Thread Martin Blackstone
This isn't a standard Cisco switch thing. You would need a Cisco load
balancer. Though I would probably look at F5 first.
BTW, these kinds of things are $$$ 

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2003 10:25 AM
To: Exchange Discussions
Subject: RE: OWA - NLB

Thanks..actually I am about to replace my main switches...
Might you have an idea which Cisco units could do this

PS to All...Actually you can add NLB to W2K standard..BUT you must purchase
Application Center 2000..which has NLB as one of its components..and well
then you have to purchase some type of license cause you are now auth to 1
but hitting many.
the cost of all this works out to be cheaper to purchase Adv Svr...

thanks
bill

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:19 PM
To: Exchange Discussions
Subject: RE: OWA - NLB


You could do it if you use Cisco and/or Alteon Load balancing switches to
do Hardware balancing but costs may be the same as upgrading to enterprise
version of Exchange. Something to consider.


From: Bolser, Scott [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:07:08 -0400

Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/Default.asp

It's listed under Increased Scalability

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill



RE: OWA - NLB

2003-09-29 Thread Mellott, Bill
thanks..already did so..just wondering if you had any more input on models

thanks all

bill

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:30 PM
To: Exchange Discussions
Subject: RE: OWA - NLB


You would have to contact the vendor and explain what you're trying to
accomplish and get the latest info. Hardware -vs- Network load balancing
both have their place.


From: Mellott, Bill [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:24:45 -0400

Thanks..actually I am about to replace my main switches...
Might you have an idea which Cisco units could do this

PS to All...Actually you can add NLB to W2K standard..BUT you must purchase
Application Center 2000..which has NLB as one of its components..and well
then you have to purchase some type of license cause you are now auth to 1
but hitting many.
the cost of all this works out to be cheaper to purchase Adv Svr...

thanks
bill

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:19 PM
To: Exchange Discussions
Subject: RE: OWA - NLB


You could do it if you use Cisco and/or Alteon Load balancing switches to
do Hardware balancing but costs may be the same as upgrading to enterprise
version of Exchange. Something to consider.


From: Bolser, Scott [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:07:08 -0400

Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/Default.asp

It's listed under Increased Scalability

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill



RE: OWA - NLB

2003-09-29 Thread Mellott, Bill
Yeh I'm finding that...I was just maybe thinking since I was going to get
the new switches maybe I could also get some small NLB for not too many more
kinda throw into the Cisco switch..etc...

Really all I want to do is NLB 2 - WWW and 2 - TS

thanks
bill

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:29 PM
To: Exchange Discussions
Subject: RE: OWA - NLB


This isn't a standard Cisco switch thing. You would need a Cisco load
balancer. Though I would probably look at F5 first.
BTW, these kinds of things are $$$ 

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2003 10:25 AM
To: Exchange Discussions
Subject: RE: OWA - NLB

Thanks..actually I am about to replace my main switches...
Might you have an idea which Cisco units could do this

PS to All...Actually you can add NLB to W2K standard..BUT you must purchase
Application Center 2000..which has NLB as one of its components..and well
then you have to purchase some type of license cause you are now auth to 1
but hitting many.
the cost of all this works out to be cheaper to purchase Adv Svr...

thanks
bill

-Original Message-
From: Tony Hlabse [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 1:19 PM
To: Exchange Discussions
Subject: RE: OWA - NLB


You could do it if you use Cisco and/or Alteon Load balancing switches to
do Hardware balancing but costs may be the same as upgrading to enterprise
version of Exchange. Something to consider.


From: Bolser, Scott [EMAIL PROTECTED]
Reply-To: Exchange Discussions [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Subject: RE: OWA - NLB
Date: Mon, 29 Sep 2003 13:07:08 -0400

Only supported on Win2k advanced server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/Default.asp

It's listed under Increased Scalability

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill



RE: OWA - NLB

2003-09-29 Thread Exchange Discussion List
 Nope; that is not possible.

-Original Message-
From: Mellott, Bill [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2003 11:33 AM
To: Exchange Discussions
Subject: OWA - NLB

I've got my OWA-55 on a W2k svr...I'd like to bring up second and do NLB
between the two svr's...
But from what I've found so far I can only do NLB with W2K Adv svr...Is there
a way to load NLB to W2K svr standard?

thanks
bill



RE: OWA front end server - licensing and security

2003-09-24 Thread Greg Marr
Hi Ed

I think you'll find that I followed my initial post with an immediate
follow up that stated:

Sorry, I should have said that it eliminates any key-logging concerns
related to authentication - it obviously can't stop the actual recording
of keystrokes by key-logging software.

It will however, basically eliminate the possibility of someone gaining
access to your email system using credentials left behind by one of
your users which is where we happen to draw the line in terms of
functionality/security.

Greg

-Original Message-
From: Ed Crowley [mailto:[EMAIL PROTECTED] 
Sent: Friday, 19 September 2003 7:02 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security

Perhaps, but that's not what he said.

Ed

--- Steve Evans [EMAIL PROTECTED] wrote:
 It doesn't, but it keeps people from reusing credentials.  At least I
 believe that's the poster's point.

 Steve Evans
 SDSU Foundation

 -Original Message-
 From: Ed Crowley [mailto:[EMAIL PROTECTED]
 Sent: Thursday, September 18, 2003 1:40 PM
 To: Exchange Discussions
 Subject: RE: OWA front end server - licensing and security

 I don't see how that would stop key-logging.

 Ed
 
 --- Greg Marr [EMAIL PROTECTED] wrote:
  We have set up our OWA to require two-factor authentication (SecurID)
  which eliminates any key-logging concerns but this system is not cheap
  at approx $300 AU ($160 US) per user.

  The upside is that you can use the same system to authenticate all of
  your remote access users (dial-up, VPN, etc) and this is the function
  that really allows me to sleep well at night.

  I guess that it all depends on how many people are going to require
  this functionality and of course, your budget.

  Greg

  -Original Message-
  From: Erick Thompson [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 18 September 2003 10:07 AM
  To: Exchange Discussions
  Subject: RE: OWA front end server - licensing and security

  We talked about this exact scenario. We decided that given how easy it
  is to install a key logger, and other malware, on public systems we
  decided it was too risky. We are planning on using public folders
  quite heavily with data that we can't risk getting out.
  Same with the address books.

  We are trying to figure out a way to give people access to email only
  from a public terminal. No public folders or address books. If you
  have any suggestions, that would be great.

  Erick
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
   Sent: Wednesday, September 17, 2003 4:40 PM
   To: Exchange Discussions
   Subject: RE: OWA front end server - licensing and security

   ISA is a better solution in a DMZ because it doesn't
   require the plethora of holes in the internal firewall.

   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp

   Requiring VPN (your other message) is a good idea,
   however, you may be coming back to ISA or some other
   idea when your users demand to be able to get e-mail
   from a coffeehouse kiosk terminal.

   Ed
   
   --- Erick Thompson [EMAIL PROTECTED] wrote:
I have to admit to being a little confused, how
would ISA help, aside from being a proxy? Which
isn't nothing, but I'm wondering if I'm missing
something else.

Thanks,
Erick

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Webb, Andy
 Sent: Wednesday, September 17, 2003 7:04 AM
 To: Exchange Discussions
 Subject: RE: OWA front end server - licensing and security

 Don't forget you also have to fully protect the front end server from
 all the other servers on the DMZ from which it is not isolated.

 Those other systems may have been placed on the DMZ in an insecure state
 with the thought that if anyone broke them, they would be isolated from
 the internal LAN.  What happens when you put the FE in the DMZ is you
 break that theory.  The DMZ is no longer isolated from the LAN.

 You definitely have to secure the FE, but once you have, why not put it
 inside where it is not at risk from questionable systems on the DMZ?

 Better to put an ISA server in the DMZ as was suggested earlier.

 Regarding IPSEC, Exchange 2003 explicitly states that IPSEC is now
 supported between front end and back end.  So if you upgrade, that's
 perhaps an option.  Though a lesser one than using ISA imho.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Leeann McCallum
 Sent: Tuesday, September 16, 2003 6:32 PM
 To: Exchange Discussions
 Subject: RE: OWA

RE: OWA Messages View on Inbox

2003-09-23 Thread Bridges, Samantha
I had problems with that with users who were accessing from an AOL
window.  For instance, when they connected to AOL and tried using the
current window to go to OWA, things like you are explaining happened.
The user had to open another instance of IE to get OWA to display
properly.  

Also, I saw this with a Proxy being the culprit.  Had to make changes on
the proxy.  

Hope this helps.

Samantha

-Original Message-
From: Woodruff, Michael [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 23, 2003 8:07 AM
To: Exchange Discussions
Subject: OWA Messages View on Inbox


Exch2k3/Win2k3

When I open OWA the view I like to use is the messages view.  When I use
this view all I get is Loading in the message pane.  If I switch to
another view it works fine.  This is happening to all other users on
different browsers, so I am assuming it's server side.  Searched on KB
with no luck.  One article was talking about Netscape, but we are using
IE.  Anyone else experiencing this?  Thanks.



RE: OWA Messages View on Inbox

2003-09-23 Thread Martin Blackstone
You never use the AOL browser for OWA. IE works fine with AOL and that is
what users should be using to access OWA. 

-Original Message-
From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 23, 2003 6:14 AM
To: Exchange Discussions
Subject: RE: OWA Messages View on Inbox

I had problems with that with users who were accessing from an AOL window.
For instance, when they connected to AOL and tried using the current window
to go to OWA, things like you are explaining happened.
The user had to open another instance of IE to get OWA to display properly.

Also, I saw this with a Proxy being the culprit.  Had to make changes on the
proxy.

Hope this helps.

Samantha

-Original Message-
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 8:07 AM
To: Exchange Discussions
Subject: OWA Messages View on Inbox


Exch2k3/Win2k3

When I open OWA the view I like to use is the messages view.  When I use
this view all I get is Loading in the message pane.  If I switch to
another view it works fine.  This is happening to all other users on
different browsers, so I am assuming it's server side.  Searched on KB
with no luck.  One article was talking about Netscape, but we are using
IE.  Anyone else experiencing this?  Thanks.



RE: OWA Messages View on Inbox

2003-09-23 Thread Woodruff, Michael
This happens internal and external.  We don't have a proxy server.
Thanks. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bridges,
Samantha
Sent: Tuesday, September 23, 2003 9:14 AM
To: Exchange Discussions
Subject: RE: OWA Messages View on Inbox

I had problems with that with users who were accessing from an AOL
window.  For instance, when they connected to AOL and tried using the
current window to go to OWA, things like you are explaining happened.
The user had to open another instance of IE to get OWA to display
properly.  

Also, I saw this with a Proxy being the culprit.  Had to make changes on
the proxy.  

Hope this helps.

Samantha

-Original Message-
From: Woodruff, Michael [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 8:07 AM
To: Exchange Discussions
Subject: OWA Messages View on Inbox


Exch2k3/Win2k3

When I open OWA the view I like to use is the messages view.  When I use
this view all I get is Loading in the message pane.  If I switch to
another view it works fine.  This is happening to all other users on
different browsers, so I am assuming it's server side.  Searched on KB
with no luck.  One article was talking about Netscape, but we are using
IE.  Anyone else experiencing this?  Thanks.
