
How to configure OWA in a DMZ

by mtraversMSFT (Edited)
It may be desirable to install or move your Outlook Web Access (OWA) server to a DMZ (De-Militarized Zone). Placing the OWA server there gives a high degree of protection against external attacks on the intranet, because only the OWA host is exposed to the Internet and the Exchange Server computers stay on the corporate network. To make this configuration work, some additional channels must be opened through the firewall between the DMZ and the corporate network; the rest of this FAQ lists exactly which ones.



<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

These steps assume you are using Exchange 5.5 in a Windows NT 4.0 domain:

1. TCP port 135 must be open from the OWA server to the Exchange Server. This is the RPC endpoint mapper, which OWA needs in order to locate the other RPC services that Exchange Server uses.

2. It is also necessary to open ports on the firewall for the Microsoft Exchange Directory Service (DS) and the Information Store (IS). By default Exchange assigns these services dynamic port numbers above 1024 each time they start, which would force you to open the whole dynamic range. To keep the firewall tight, it is recommended that these ports be statically mapped on the Exchange Server and then only those fixed ports opened on the firewall. For information on configuring the static port mappings, see the following Microsoft Knowledge Base article:

155831 XCCC: Setting TCP/IP Ports for Exchange and Outlook Client Connections
http://support.microsoft.com/?id=155831

If multiple Exchange Servers will be reached through this OWA server, map the same port number for each service on every Exchange Server. For example, with five Exchange Servers, map port 4474 for the Directory and port 4475 for the Information Store on each of the five servers; only those two ports (plus TCP 135) then need to be open on the firewall, as opposed to ten if different DS and IS ports were mapped on each server.

3. If OWA is installed after the server has been moved to the DMZ, a port for the System Attendant (SA) must also be statically mapped and open on the firewall during the installation, because OWA setup contacts the System Attendant over RPC. Once installation has completed, this port no longer needs to remain open and should be closed again.

For information on static port mappings for the System Attendant, see the following Microsoft Knowledge Base article:

245273 XWEB: OWA Setup Error Message: There Are No More Endpoints Available
http://support.microsoft.com/?id=245273

4. Depending on factors such as firewall vendor and network topology, the following ports may also need to be open between the OWA server and the domain controllers for authentication:

UDP port 137 NetBIOS Name Service
UDP port 138 NetBIOS Datagram Service (used by Netlogon and browsing)
TCP port 139 NetBIOS Session Service

If OWA does not work with only the ports from steps 1-3 open, you may need to open one or all of the ports listed above. Open them one at a time and only from the OWA host to the specific domain controllers it authenticates against; testing will be needed to determine which ports are required in your environment.

For more information, see the following Microsoft Knowledge Base article:

179442 How to Configure a Firewall for Domains and Trusts
http://support.microsoft.com/?id=179442
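The steps above amount to a small port plan: pin DS, IS and (during setup) SA to fixed ports on every back end, open only those ports plus TCP 135 from the DMZ host, and confirm the services really came up on the pinned ports. The following Python script is an added example, not part of the original FAQ or of any Microsoft tool: it validates such a plan, emits the firewall rules and a REGEDIT4-format .reg file, and checks a `netstat -an` capture for services that are still on a dynamic port. The registry keys are the ones KB 155831 (DS, IS) and KB 245273 (System Attendant) describe; the server names, addresses, port numbers and the netstat listing are constructed for the example.

```python
"""
Added example, not part of the original FAQ: plan and check the static RPC
port mapping that lets a DMZ-hosted OWA server reach Exchange 5.5 back ends.

Registry keys are the ones KB 155831 (DS, IS) and KB 245273 (System
Attendant) describe.  Server names, addresses, port numbers and the
netstat listing are constructed for the example.
"""
import re
from dataclasses import dataclass

RPC_ENDPOINT_MAPPER = 135   # step 1: TCP 135 is always required
EPHEMERAL_START = 1024      # dynamic RPC ports are allocated above this

# Registry key holding the "TCP/IP Port" REG_DWORD that pins each service.
REG_KEY = {
    "DS": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDS\Parameters",
    "IS": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem",
    "SA": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters",
}


@dataclass
class ExchangeServer:
    name: str
    ip: str
    ports: dict  # e.g. {"DS": 4474, "IS": 4475, "SA": 4476}


def validate_plan(servers):
    """Problems with a static port plan; an empty list means it is usable."""
    problems = []
    for s in servers:
        used = {}
        for svc, port in s.ports.items():
            if svc not in REG_KEY:
                problems.append(f"{s.name}: unknown service {svc}")
            elif not EPHEMERAL_START < port < 65536 or port == RPC_ENDPOINT_MAPPER:
                problems.append(f"{s.name}: {svc} port {port} is outside the usable range")
            if port in used:
                problems.append(f"{s.name}: {svc} and {used[port]} both mapped to {port}")
            used[port] = svc
    # The FAQ's point in step 2: one port per service on every server keeps
    # the firewall to one hole per service instead of one per server.
    for svc in REG_KEY:
        ports = {s.ports[svc] for s in servers if svc in s.ports}
        if len(ports) > 1:
            problems.append(f"{svc} uses different ports across servers: {sorted(ports)}")
    return problems


def firewall_rules(owa_ip, servers, installing=False):
    """(src, dst, proto, port) tuples to allow from the DMZ OWA host inward.
    The System Attendant port (step 3) is only needed while OWA setup runs."""
    services = ("DS", "IS", "SA") if installing else ("DS", "IS")
    rules = []
    for s in servers:
        rules.append((owa_ip, s.ip, "tcp", RPC_ENDPOINT_MAPPER))
        rules.extend((owa_ip, s.ip, "tcp", s.ports[svc]) for svc in services)
    return rules


def distinct_ports(rules):
    """The ports the firewall actually has to open, whatever the rule count."""
    return sorted({port for _, _, _, port in rules})


def reg_file(server):
    """REGEDIT4-format (NT 4.0) text that pins the server's services; dword values are hex."""
    lines = ["REGEDIT4", ""]
    for svc, port in server.ports.items():
        lines += [f"[{REG_KEY[svc]}]", f'"TCP/IP Port"=dword:{port:08x}', ""]
    return "\n".join(lines)


_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)


def unpinned_services(server, netstat_output):
    """Services whose static port is not listening in a `netstat -an` capture
    taken on that server (registry value not applied, or service not restarted)."""
    listening = {int(m.group(1)) for m in _LISTEN.finditer(netstat_output)}
    return {svc: p for svc, p in server.ports.items() if p not in listening}


# Constructed data: five back ends with the FAQ's 4474/4475 mapping plus an SA
# pin, and a netstat listing from EXCH1 where the SA was never restarted.
OWA_DMZ_IP = "192.0.2.10"
SERVERS = [ExchangeServer(f"EXCH{i}", f"10.0.1.{i}", {"DS": 4474, "IS": 4475, "SA": 4476})
           for i in range(1, 6)]
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4474           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4475           0.0.0.0:0              LISTENING
  TCP    10.0.1.1:139           0.0.0.0:0              LISTENING
  UDP    10.0.1.1:137           *:*
"""

if __name__ == "__main__":
    print("plan problems:", validate_plan(SERVERS) or "none")
    rules = firewall_rules(OWA_DMZ_IP, SERVERS)
    print(len(rules), "rules, ports to open:", distinct_ports(rules))
    print(reg_file(SERVERS[0]))
    print("not yet pinned on EXCH1:", unpinned_services(SERVERS[0], NETSTAT_SAMPLE))
```

Run as-is the script reports no plan problems, 15 rules that collapse to three distinct ports (135, 4474, 4475), the .reg text for EXCH1, and that the SA on EXCH1 is still not listening on 4476, which is the condition to check before running OWA setup through the firewall. Apply the .reg file on each Exchange Server, restart the Exchange services, and re-run the netstat check before opening the firewall.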

Other Considerations
=====================

1. The server on which you install OWA must be able to verify the Exchange service account that you specify during setup. For this to succeed, the IIS/OWA server must either be in the same Windows NT domain as the Exchange Server computer, or be in a domain that has a trust relationship with the domain the Exchange Server computer resides in. This means the DMZ host is a domain member (or sits in a trusted domain), which is why the firewall rules above should be restricted to the specific hosts and ports involved rather than opened broadly.

2. Apply the same Microsoft Exchange service pack that is installed on the Exchange Server to the OWA server, to avoid problems caused by mismatched DLLs. The Exchange service packs also contain fixes specific to Outlook Web Access.

3. In this configuration, NTLM authentication (called NT Challenge/Response on Windows NT 4.0 and Integrated Windows Authentication on Windows 2000) will not work. NTLM credentials propagate over only one network hop (the hop between the browser and the IIS/OWA server), so IIS cannot reuse them to authenticate to the Exchange Server on the second hop. Basic (clear-text) authentication, in which IIS receives the user's password itself and can log on to the Exchange Server with it, allows browsers to reach all resources regardless of where the Exchange Server computer is located. Because Basic authentication sends the password on every request only Base64-encoded, not encrypted, require SSL on the OWA virtual server when using Basic authentication so that the password is protected on the wire.

For a more detailed explanation of these authentication methods, click the article number below to view the article in the Microsoft Knowledge Base:

183545 XWEB: NTLM Authentication Fails Between Two Computers with OWA
http://support.microsoft.com/?id=183545


MORE INFORMATION
================

For additional information, click the article numbers below to view the articles
in the Microsoft Knowledge Base:

234022 XCLN: Configuring Exchange OWA to Use SSL
http://support.microsoft.com/?id=234022

238954 XWEB: OWA Server Connectivity over a Firewall or Proxy Which is Using
http://support.microsoft.com/?id=238954