
Enabling OWA for Access outside of the Network


wmichael

IS-IT--Management
Oct 2, 2003
103
US
Howdy;

I am running Exchange 5.5 on an NT 4 box. All the correct SPs are applied.

I have recently enabled OWA and users are able to connect via IP if they are behind our firewall. The IP address is, of course, one of those non-routable ones.

Can someone detail for me what the next steps would be for making this resource available outside of our firewall? I have a partial picture, but want to cover all the bases.

Thanks in advance.

~wmichael

"small change can often be found under seat cushions"
 
What do you mean by 'Non Routable IPs'?

All you really should need to do now is open up port 80 (HTTP) on your firewall, and point it to the internal IP of your OWA Server. From there you just need to decide how you want to allow internet traffic in.

DV
 
Think very carefully before opening up your Exchange server to the internet, even if it is only port 80.

It is common practice in many companies to run OWA on a server other than the Exchange server and then site this server in a DMZ. There are probably even better ways of doing it.

Andy

Andy Leates MCSE CCNA MCP+I
 
To access OWA you would only need to open port 80 (HTTP), but this exposes your server to the harshness of the internet. Also, by opening up the server like this, all email viewed by a user is sent in plain text, meaning anyone that wishes to snoop can read any email opened by the user.

The best solution (while still being able to access email from the internet) is this.
Set up a DMZ (that is, a firewall between the OWA server and the internet and another firewall between the OWA server and the Exchange server), then configure SSL for encrypted communications with the client browser. Also ensure that all of your servers and firewalls have the latest patches and that you lock down the firewalls to pass only essential traffic.

Anything less and you are leaving yourself open for being compromised.
 
Excellent thoughts, all.

What I mean by 'non-routable IPs' are those in the 192.168.x.x and 10.x.x.x, etc. ranges that are generally denied on the edge routers.

I liked the idea of setting up OWA on a separate server outside the DMZ. Maybe I'll wait until I get the PIX installed before mucking about.

Rock on,

~wmichael

"small change can often be found under seat cushions"
 
Well, I have a better suggestion than the two above, plus it keeps your Exchange server in a safer position. Install Exchange server to another server. Follow the instructions for this link, but instead of opening a port, install 2 NICs in the machine and connect one to your LAN and one into your DMZ. What this also does is allow for you to create the webpage for your DNS easier since you have a direct link to the IP address. This has not been a problem for me and I have been running it for the last year. If you have other questions contact me.
 