Security Basics mailing list archives

RE: Exchange Server and External Access


From: "Rick Kingslan" <rkingsla () cox net>
Date: Fri, 22 Aug 2003 19:35:56 -0500

Cherian,

Make use of the Front End/Back End capability of Exchange when hooked up
with Outlook Web Access.  You would put the OWA box in your DMZ (IIS is
here, treat as untrusted and be sure to implement full lockdown - URLScan
must be modified, but this is well documented) and enable SSL.  Your
external interface would expose 80 and 443; the port requirement from the
OWA server to the Back End Exchange servers would be HTTP - Port 80 only.

All of the authentication/authorization takes place behind the OWA box -
much less exposed to untrusted sources.  Because the only option for
authentication between the FE and the BE is Basic, it is sometimes suggested
(and urged) to SSL the traffic between the FE and the BE.  The BE server
will handle the communication to the DCs and the GC (or GAL, whichever way
you want to look at it).

So, to summarize - External, Port 80 and 443.  OWA(FE) to Exchange Server
(BE) Port 80 or 443 (if security of user name and password is desired
between FE and BE).

All of this assumes that the most critical element, the Exchange server with
the message stores, is on the Internal, or most trusted, network.  Hence, no
port concerns would be in play for RPC, GC, LDAP, or any other squishy
Microsoft-type traffic.

-rtk
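The zone and port rules from the reply above, turned into a small audit script. This is an added example, not code from the list post or from Microsoft; the host names, zone assignments and the sample rule set are constructed for illustration.

```python
"""Audit a candidate firewall rule set against the OWA front-end/back-end
design: Internet reaches only the OWA FE in the DMZ on 80/443, the FE
reaches the BE on 80/443 only, and nothing from the Internet reaches the
internal zone. Hosts, zones and rules below are constructed examples."""

# Constructed host -> zone map (assumption: one FE in the DMZ, BE and DC inside).
ZONE = {"internet": "external", "owa-fe": "dmz",
        "exch-be": "internal", "dc1": "internal"}

# Cross-zone flows the design expects; anything else is a finding.
ALLOWED = {
    ("external", "dmz"): {80, 443},   # clients -> OWA front end
    ("dmz", "internal"): {80, 443},   # FE -> BE over HTTP or HTTPS only
}


def audit(rules):
    """rules: list of (src_host, dst_host, port, proto) tuples.
    Returns (severity, message) findings in rule order."""
    findings = []
    for src, dst, port, proto in rules:
        zsrc, zdst = ZONE[src], ZONE[dst]
        if zsrc == zdst:
            continue  # intra-zone traffic is out of scope for this check
        if zsrc == "external" and zdst == "internal":
            findings.append(("high", f"{src}->{dst}:{port}/{proto} exposes the internal zone directly"))
        elif port not in ALLOWED.get((zsrc, zdst), set()):
            findings.append(("high", f"{src}->{dst}:{port}/{proto} is not part of the FE/BE design"))
        elif (zsrc, zdst) == ("dmz", "internal") and port == 80:
            # FE->BE can only use Basic auth, so port 80 carries credentials in clear.
            findings.append(("medium", f"{src}->{dst}:80 carries Basic-auth credentials unencrypted; use 443"))
    return findings


# Constructed rule set with two common mistakes and one weak-but-allowed flow.
SAMPLE_RULES = [
    ("internet", "owa-fe", 443, "tcp"),
    ("internet", "owa-fe", 80, "tcp"),
    ("owa-fe", "exch-be", 80, "tcp"),     # weak: Basic credentials in clear
    ("owa-fe", "dc1", 389, "tcp"),        # LDAP from the DMZ: the BE should do this, not the FE
    ("internet", "exch-be", 135, "tcp"),  # RPC from outside: must never exist
]

# The corrected set: FE talks to the BE over 443 only, nothing else crosses inward.
HARDENED_RULES = [
    ("internet", "owa-fe", 443, "tcp"),
    ("owa-fe", "exch-be", 443, "tcp"),
]

if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_RULES):
        print(f"[{severity}] {msg}")
```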

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com] 
Sent: Friday, August 22, 2003 12:26 PM
To: security-basics () securityfocus com
Subject: Exchange Server and External Access

Hi,

We presently use the Std edition of Exchange 2000 as a mail server for our
internal users, behind the Firewall.

However we would like to grant mailbox access to external users outside the
Firewall.

What would be the most secure and efficient method of accomplishing this?

One stream of thought that I have been entertaining is having a separate
Exchange/Mail Server on the DMZ.

Now this solution would result in having to maintain 2 separate mailboxes
for internal and external users. This creates problems for users who would
access their emails from both inside and outside the office.

How can I work around this problem?

Thanks in advance for any suggestions.

Regards,

CP
