: Friday, 19 September 2003 7:02 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
Perhaps, but that's not what he said.
Ed
--- Steve Evans [EMAIL PROTECTED] wrote:
It doesn't, but it keeps people from reusing
credentials. At least I
believe that's
:55
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
I couldn't tell you. Our dialup consists of dialing to what essentially
is a world-wide ISP, then firing up a Nortel VPN client. The Nortel
client is apparently pretty tightly integrated with SecurID - I'm
Intel bought them for next to nothing.
-Original Message-
From: Hurst, Paul [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 3:42 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
Yeah,
I remember them in my mainframe days, we used them
-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 5:43 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
S!!
Our security folks wanted
4:40 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
I don't see how that would stop key-logging.
Ed
--- Greg Marr [EMAIL PROTECTED] wrote:
We have set up our OWA to require two-factor
authentication (SecurID)
which eliminates any key-logging
.
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 5:44 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
It doesn't stop key logging per se, but it renders it ineffective.
The SecurID tokens use a three
-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 10:29 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
Forgive me for arguing, but I believe the time allotted for
guessing that
third factor is even less than
]
Sent: Friday, September 19, 2003 10:01 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
Actually, you've got the system down correctly.
However, the slack time is +/- 1 minute, so you really get 3 minutes per
code
.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 2:21 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
I've
is NT 4 SP6a in an NT4 domain.
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 11:54 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
It really is a cool system.
We're currently using it for VPN
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
It really is a cool system.
We're currently using it for VPN access and front ending OWA, and we're
playing with it and some Cisco Aironet wireless devices - requiring
SecurID authentication before you get onto
the remote access market, then manage to lose everything
in such a short period of time.
-Original Message-
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 2:23 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
Thanks Ken.
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 2:55 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
I couldn't tell you. Our dialup consists of dialing to what essentially is a
world
: Erick Thompson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 8:07 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
We talked about this exact scenario. We decided that given how easy it is to
install a key logger, and other malware, on public
..
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 5:30 PM
To: Exchange Discussions
Subject: RE: OWA front end server
be great.
Erick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Ed Crowley
Sent: Wednesday, September 17, 2003 4:40 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and
security
ISA is a better solution
.
Greg
-Original Message-
From: Erick Thompson [mailto:[EMAIL PROTECTED]
Sent: Thursday, 18 September 2003 10:07 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and
security
We talked about this exact scenario. We decided that
given how easy
and of course, your budget.
Greg
-Original Message-
From: Erick Thompson [mailto:[EMAIL PROTECTED]
Sent: Thursday, 18 September 2003 10:07 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
We talked about this exact scenario. We decided
]
Sent: Thursday, September 18, 2003 1:40 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and
security
I don't see how that would stop key-logging.
Ed
--- Greg Marr [EMAIL PROTECTED] wrote:
We have set up our OWA to require two-factor
authentication
You could throw an OWA front end server in the DMZ, put certificate on as Ed
suggests, and then wrap everything up in an IPSEC packet that goes between
the front end and backend. Between the client on the net and the front end,
you would use SSL, so just open 443.
-Original Message
Yeah, but you can easily specify that only the front-end server could
use those ports.
Sincerely,
Andrey Fyodorov
Systems Engineer
Messaging and Collaboration
Spherion
-Original Message-
From: Ed Crowley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 7:25 PM
To: Exchange
: OWA front end server - licensing and security
You could throw an OWA front end server in the DMZ, put certificate on
as Ed
suggests, and then wrap everything up in an IPSEC packet that goes
between
the front end and backend. Between the client on the net and the front
end,
you would use SSL, so
Don't forget you also have to fully protect the front end server from
all the other servers on the DMZ from which it is not isolated.
Those other systems may have been placed on the DMZ in an insecure state
with the thought that if anyone broke them, they would be isolated from
the internal LAN
We use a Network Appliance NetCache in the DMZ as a reverse proxy SSL
front end. Internet OWA users hit the NetCache with HTTPS, and the
NetCache decrypts and forwards HTTP to a front-end server. Works great,
but was a little pricey.
Also, because OWA likes to send out absolute URLs
). And no front end server. Our load doesn't justify a
front end server, and the security benefits don't seem large enough to justify the
expense.
But the IPSec idea is a good one. And, as I remember, you can place a lot of
restrictions on IPSec.
Thanks for the suggestions,
Erick
-Original Message
, September 17, 2003 7:04 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
Don't forget you also have to fully protect the front end server from
all the other servers on the DMZ from which it is not isolated.
Those other systems may have been placed
missing
something else.
Thanks,
Erick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Webb, Andy
Sent: Wednesday, September 17, 2003 7:04 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and
security
Don't
: Wednesday, September 17, 2003 4:40 PM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
ISA is a better solution in a DMZ because it doesn't
require the plethora of holes in the internal
firewall.
http://www.microsoft.com/technet/treeview/default.asp?url=/tec
September 2003 10:07 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
We talked about this exact scenario. We decided that given how easy it
is to install a key logger, and other malware, on public systems we
decided it was too risky. We are planning on using public
credentials left behind by one of
your users which is where we happen to draw the line in terms of
functionality/security.
Greg
-Original Message-
From: Greg Marr
Sent: Thursday, 18 September 2003 11:31 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security
We have
I'm setting up OWA in my organization, and I have two choices. I can set up Exchange
on the web server (in the DMZ), and specify it as a front end server, or I can open
port 80 to the primary Exchange server. From a security standpoint, I really like the
first option, but I'm thinking that I
Install a certificate on the front-end server and open
port 443 to the front-end server. Putting a front-end
server in a DMZ requires you to open lots of dangerous
ports through the internal firewall to the Exchange
servers, DCs and GCs.
Ed
--- Erick Thompson [EMAIL PROTECTED] wrote:
I'm
Ed,
I'm a little confused. You're recommending that I put in a front end server, but not
in the DMZ? It seems to me that I might have to open a bunch of ports, but if the
front end server is in the LAN, all ports are by default open.
Just to clarify, I have one Exchange server which lives
recommending that I
put in a front end server, but not in the DMZ? It
seems to me that I might have to open a bunch of
ports, but if the front end server is in the LAN,
all ports are by default open.
Just to clarify, I have one Exchange server which
lives on my LAN, and there is an SMTP server
Ok, I see what you're saying. What are the security benefits to having a front end
server inside of the LAN, as opposed to opening port 443 on the primary Exchange
server? It seems to me if the front end server is compromised, then your primary
Exchange server is just as vulnerable.
Thanks
There isn't a whole lot of security benefit except
that an attacker can't touch the Exchange back-end
server directly. But the front-end-back-end
architecture has never really been about security.
He'd have to compromise the front-end server by
breaking through your SSL security, then his agent
?
-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 27, 2003 9:38 PM
To: Exchange Discussions
Subject: RE: Front End Server
A. Insufficient data.
B. Probably, depending on the products in use.
-Original Message-
From: Fioon [mailto:[EMAIL PROTECTED]
Posted
Discussions
Subject: RE: Front end Server
OK,
Anyone using an ISA Server in the DMZ connecting to an
Exchange Server
through the firewall?
I have been looking at some technet articles about a trihomed ISA
Server in the Perimeter network. Is this a better option?
Thanks for all
Dear All,
I am in the process of building a Front End server (Exchange 2000
enterprise sp3, to be placed in the DMZ, just for OWA. An IBM
workstation class machine with Pentium 4, 1.80GHz CPU with a 36GB HDD is
being used for this purpose. I am not expecting more than 20-25
concurrent connections
How many Exchange Servers, protocols and mailboxes will this FE Server be
load balancing?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pillai, Raj
Sent: Wednesday, February 05, 2003 10:20 AM
To: Exchange Discussions
Subject: Front end Server
Dear
One Exchange Server, 200 mailboxes
-Original Message-
From: Charles Marriott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 11:45 AM
To: Exchange Discussions
Subject: RE: Front end Server
How many Exchange Servers, protocols and mailboxes will this FE Server
be
load
Why do you think you need a FE server?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pillai, Raj
Sent: Wednesday, February 05, 2003 10:45 AM
To: Exchange Discussions
Subject: RE: Front end Server
One Exchange Server, 200 mailboxes
-Original
via owa (secured with SSL).
Any other suggestions would be welcome.
Thanks
-Original Message-
From: Charles Marriott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 11:49 AM
To: Exchange Discussions
Subject: RE: Front end Server
Why do you think you need a FE server
]] On Behalf Of Pillai, Raj
Sent: Wednesday, February 05, 2003 9:20 AM
To: Exchange Discussions
Subject: Front end Server
Dear All,
I am in the process of building a Front End server (Exchange 2000
enterprise sp3, to be placed in the DMZ, just for OWA. An IBM
workstation class machine
512MB.
Thanks Ed.
-Original Message-
From: Ed Crowley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 12:20 PM
To: Exchange Discussions
Subject: RE: Front end Server
I would give it a try. You didn't say how much memory is in it,
however. Be sure that there's enough
To: Exchange Discussions
Subject: RE: Front end Server
512MB.
Thanks Ed.
-Original Message-
From: Ed Crowley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 12:20 PM
To: Exchange Discussions
Subject: RE: Front end Server
I would give it a try. You didn't say how much memory
Discussions
Subject: RE: Front end Server
To keep the BE server secure (do not want to open the OWA ports to
users who are not using VPN and dialup). Also we have a document
management software (imanage) which could be integrated to Outlook.
Since the users access the Imanage web portal via the web
To: Exchange Discussions
Subject: Front end Server
Dear All,
I am in the process of building a Front End server (Exchange 2000
enterprise sp3, to be placed in the DMZ, just for OWA. An IBM
workstation class machine with Pentium 4, 1.80GHz CPU with a 36GB HDD is
being used for this purpose. I am
Marriott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 12:36 PM
To: Exchange Discussions
Subject: RE: Front end Server
If security is your goal use an ISA Server. FE Exchange Servers are not
security devices, contrary to what you may have been told.
-Original Message
: RE: Front end Server
OK,
Anyone using an ISA Server in the DMZ connecting to an Exchange Server
through the firewall?
I have been looking at some technet articles about a trihomed ISA
Server in the Perimeter network. Is this a better option?
Thanks for all the ideas.
Raj
-Original
.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pillai, Raj
Sent: Wednesday, February 05, 2003 2:49 PM
To: Exchange Discussions
Subject: RE: Front end Server
OK,
Anyone using an ISA Server in the DMZ connecting to an Exchange Server
through the firewall?
I have
I was thinking of eliminating the FE Server if I implement the ISA, and
point to the exchange server directly.
-Original Message-
From: Charles Marriott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 4:32 PM
To: Exchange Discussions
Subject: RE: Front end Server
You
Discussions
Subject: RE: Front end Server
I was thinking of eliminating the FE Server if I implement the ISA, and
point to the exchange server directly.
-Original Message-
From: Charles Marriott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 4:32 PM
To: Exchange Discussions
Subject
Thanks for all the info.
Raj
-Original Message-
From: Charles Marriott [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 4:51 PM
To: Exchange Discussions
Subject: RE: Front end Server
Read Ken's post a few back on that. I agree with him and have taken that
approach
If you have only one Exchange back-end server, then that could well be a
fine idea. One advantage to a front-end server or a
network-load-balanced team of them is that you can have a single URL for
all users that won't redirect to the proper back-end server. That makes
firewall mapping easier
Hi
Would really love some advice on the following:
* had a single Exchange 2000 Ent server (SP3) and confirmed that
OWA was working;
* installed a new E2K server (SP3) and configured it to be a Front
End server;
OWA still works if you connect directly to the Back End server
Hi,
I configured a front end server and the domain is a single domain. There are no
additional virtual directories or servers than the defaults. The IIS instance serves
the IIS page however when I go to /exchange aspect of the URL it just spins and does
not deliver the owa instance.
Any
The front end server has to be able to pass SMTP to the backend servers,
because I'm betting the backend server(s) are the ones with an allowable IMS
for outbound mail?
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly
on the Front-End
server.
I'm not sure why the messages are flowing to the front-end server, but
they
are. I was under the impression that this server was only supposed to
forward requests, not send mail. When I look at the properties of the
domains awaiting delivery in the SMTP queue on the Front-End
Having trouble getting POP3 access to work using Front-End server in a
DMZ.
Here's the environment:
PIX firewall - DMZ that houses a Front-End Exchange SP3 server - PIX
Firewall - Local LAN with Back-End Exchange SP3 server.
Originally, POP3 was setup on the Back-End server and is presently
functioning
Do you have the ports open?
-Original Message-
From: Jeffrey Dubyn [mailto:jdubyn;optonline.net]
Sent: Monday, October 28, 2002 3:47 PM
To: Exchange Discussions
Subject: Troubleshooting POP3 Access to a Front-End server in a DMZ
Having trouble getting POP3 access to work using Front
:47 PM
To: Exchange Discussions
Subject: Troubleshooting POP3 Access to a Front-End server in a DMZ
Having trouble getting POP3 access to work using Front-End server in a
DMZ.
Here's the environment:
PIX firewall - DMZ that houses a Front-End Exchange SP3 server - PIX
Firewall - Local LAN with Back-End
Send me the pix config
byron
-Original Message-
From: Jeffrey Dubyn [mailto:jdubyn;optonline.net]
Sent: Monday, October 28, 2002 12:47 PM
To: Exchange Discussions
Subject: Troubleshooting POP3 Access to a Front-End server in a DMZ
Having trouble getting POP3 access to work using Front
Is it possible to use an Ex 2000 front end server to proxy POP/IMAP connections
to an Ex 5.5 back end (all servers in the same site/admin group/routing group)?
Our tests suggest no, but if there is a way it would be really useful to us.
Cheers,
Norm
Your tests are correct.
-Original Message-
From: Patterson, Norman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 23, 2002 6:09 AM
To: Exchange Discussions
Subject: Front end server to 5.5 back end
Is it possible to use an Ex 2000 front end server to proxy POP/IMAP
connections
-
From: Ryan Malayter
Posted At: Monday, April 29, 2002 5:08 PM
Posted To: Exchange List
Conversation: Front-end server OWA problem
Subject: Front-end server OWA problem
I'm trying to configure a front-end server for OWA-only access. Mailbox
access is working fine, but when I go
I'm trying to configure a front-end server for OWA-only access. Mailbox
access is working fine, but when I go to the /public virtual directory,
I get:
HTTP 500 - Internal server error
Internet Explorer
After turning off friendly error messages in IE6, I see this error
OK, that's what I wanted to hear. I haven't tried this yet myself,
and wasn't sure if it was a known issue. My colleague did open a
support call, and hopefully we'll know soon if it is environment
specific or an architecture issue.
Thanks David for your responses.
Cheers all,
Karen
On Mon,
Here are the facts:
- The setting on an Exchange server "This is a Front End Server" in ESM
has no effect on SMTP. It only affects POP, IMAP, and HTTP. The design
of Exchange is that all Exchange servers are inbound servers for SMTP.
Outbound SMTP is controlled via SMTP Connectors.
- Some
Corporation
Protecting the world from PSTs and Bricked Backups!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Karen
McLaughlin
Sent: Friday, January 04, 2002 12:18 PM
To: Exchange Discussions
Subject: Front-end server problem
Hi all,
I'm about
Hi all,
I'm about to configure front-end servers for SMTP, but heard some
pretty distressing news about that today. I heard that inetinfo
will crash if the servers have any information stores on them,
but since the stores generate delivery status msgs, you can't have
the FE's as SMTP Gateways
DLL.
13. Click OK and apply the changes.
14. Restart IIS Admin service and W3SVC.
Mark H
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 30 November 2001 06:11
To: [EMAIL PROTECTED]
Subject: solution for running OWA5.5 as front end server
Hi,
I had read
72 matches