RE: [FW1] Outlook Web Access - Best practice with FW-1

I'm currently debating the same setup. What I've noted so far is that:

- The OWA server is in the DMZ, while the Exchange server should stay on the LAN.
- There's a registry edit in Exchsv 5.5 that lets you specify the range of random ports that it will connect to the OWA server with (or moreover, allow incoming SMTP).
- Open those ports up between the OWA DMZ and the LAN, and only allow traffic from a static-NATted address given to the OWA server to the address of the Exchange server on the LAN. I use 172.16.x.x here, so the address would be the "real" address of my OWA server -> the NAT address of the OWA server -> the 172.16.x.x address of the Exchange server.

If OWA is on a networked subnet, wouldn't it have to sit on the LAN? In which case you'd be allowing port 80 directly in, right?

My .2c...

- C

-----Original Message-----
From: Adams, Gavin [mailto:[email protected]]
Sent: Thursday, January 18, 2001 9:54 AM
To: Adrian Wilson; [email protected]
Subject: RE: [FW1] Outlook Web Access - Best practice with FW-1

Some thoughts:

1) Stick the OWA server onto a screened subnet
2) If running Exchange 2000, be prepared to open up Active Directory domain authentication between the OWA box (front-end) and the Exchange Server (back-end). As I understand it, Exchange 5.5 allows for a little better segregation between the front/back-end.
3) SSL the OWA box
4) If possible, drop a host-based IDS on the OWA box to check the IIS logs, system files etc. Network IDS for the screened subnet is even better.

These are just a few best practices specific to OWA.

HTH,
--- Gavin

-----Original Message-----
From: Adrian Wilson [mailto:[email protected]]
Sent: Thursday, January 18, 2001 07:23
To: [email protected]
Subject: [FW1] Outlook Web Access - Best practice with FW-1

I am intending to implement Outlook Web Access through to the Internet. I am concerned that the implementation should be as secure as possible and would like to gather information regarding best practice.

Any help would be much appreciated.

Adrian J G Wilson
VEGA Group PLC

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
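
The DMZ-to-LAN restriction described in the first reply, as an added example that is not part of the original thread: a small Python audit that flags any accept rule from the OWA screened subnet to the LAN that is wider than "OWA host to Exchange host on the pinned port range". The addresses, the port range 5000-5020 and the rule tuples are constructed placeholders, not values from the thread and not FireWall-1 syntax.

```python
import ipaddress

# Constructed placeholders (not from the thread): topology and pinned port range.
DMZ = ipaddress.ip_network("192.168.50.0/24")
LAN = ipaddress.ip_network("172.16.0.0/16")
OWA = ipaddress.ip_network("192.168.50.10/32")      # OWA address as the firewall sees it
EXCHANGE = ipaddress.ip_network("172.16.1.20/32")
PINNED_PORTS = (5000, 5020)                         # range fixed on the Exchange server

def audit(rules):
    """Return (rule_number, problem) for accept rules that let DMZ traffic
    reach the LAN more broadly than OWA -> Exchange on the pinned ports."""
    findings = []
    for n, (src, dst, lo, hi, action) in enumerate(rules, 1):
        if action != "accept":
            continue
        src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not (src.overlaps(DMZ) and dst.overlaps(LAN)):
            continue  # rule does not open a DMZ -> LAN path
        if not src.subnet_of(OWA):
            findings.append((n, "source wider than the OWA host"))
        if not dst.subnet_of(EXCHANGE):
            findings.append((n, "destination wider than the Exchange host"))
        if lo < PINNED_PORTS[0] or hi > PINNED_PORTS[1]:
            findings.append((n, f"ports {lo}-{hi} outside pinned range"))
    return findings

# Constructed rule base: (source, destination, port_low, port_high, action)
RULES = [
    ("0.0.0.0/0", "192.168.50.10/32", 443, 443, "accept"),         # Internet -> OWA over SSL
    ("192.168.50.10/32", "172.16.1.20/32", 5000, 5020, "accept"),  # the intended rule
    ("192.168.50.0/24", "172.16.1.20/32", 5000, 5020, "accept"),   # whole DMZ as source
    ("192.168.50.10/32", "172.16.0.0/16", 1024, 65535, "accept"),  # whole LAN, all high ports
    ("0.0.0.0/0", "0.0.0.0/0", 0, 65535, "drop"),                  # cleanup rule
]

if __name__ == "__main__":
    for rule_no, problem in audit(RULES):
        print(f"rule {rule_no}: {problem}")
```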