Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

External Access, Is this correct ?

Status
Not open for further replies.

rogerpatel

Technical User
Jun 14, 2005
120
Hi, can you please advise and if wrong let me know what i need to do.

I have a small domain running 2003 sbs, we use exchange and file and print.

Our firewall is setup to allow HTTP & HTTPS in to the SBS server, this is so users can access OWA etc.

We have setup a MX record for the server for mail etc.

From outside the office anywhere we can type the following:


We are the presented with a IE Security Aler, of which we click YES.

No we get the SBS Welcome Screen, this gives us the options for :

My companys internal web site : dont work, dont work, dont want it.

Network Config wiz : dont work, dont work, dont want it.

Remote web workplace : works, and takes you to the RWW login screen, from here my users can access their computers.

Here are my questions :

Anyone in the world can go to is this correct, is there not meant to be some sort of login prior to this?

Is this how everyone else sets the SBS systems up, please bare in mind they have a requirement of being able to access OWA,RWW any where in the world and not from there own computers so VPN is a BIG NO.

The Firewall is open for all for HTTP and HTTPS as the users remote ip addresses are always different (there home isp's do not give them static addressed so we cant lock it down.)

Thanks and hope you understand what we are trying to do here.

Roger
 
I'm no Guru, however based on your post, your server is essentially open to the internet. That scares me personally. I think that's why the VPN was created. To allow your users access to server resources through an unsecure network (internet)

We use VPNs for our external users and do not allow HTTP requests to the server. If the file and print server went down from an internet attack or vulnerability imagine the consequences.
 
There isn't a need for VPNs here. In fact, there are some other issues that cause VPNs to NOT be a desired solution (including licensing).

You should implement an SSL certificate. That will eliminate the security alert. You could then disable HTTP and use just HTTPS to access OWA and RWW. Then:

path to OWA path to RWW
On the firewall, you'd close 80, and just forward 25,443,3189, and 4125 to the server for SMTP,SSL,RDP,RWW respectively.

I have several hundred SBS boxes this way. Works great.

Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
 
Snipper,

Few,

i was getting worried there, i too have around 30 sbs servers setup like this.

Can yoy please explain in more detail how SSL Certifices work.

We have installed the MS Certificate services on our servers as we also have rpc over htpp installed, i understand this is a free one.

Are you saying that we should buy one and install this, if so i still dont understand how this secures it as anyone can simply hit yet on the security screen, or am i missing something.

Thanks

Roger
 
SSL encrypts the connection, making it more secure. It also removes the need for port 80, a common target for attacks.

I'd buy a third party certificate from someone like rapidssl.com and install it. That'll get rid of the security prompt. It's much cleaner that way - especially when users start using IE7, which recommends that they not continue after getting the security prompt.

Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
 
Cheers 58Sniper,

But still tottally confused.

Ok, lets say i buy a cert and shut port 80 down, whats stopping people from accessing the front owa logon page still.

Or is this by design and the way its meant to be....

I was thinking by buying a certificate it stops people accessing the actual site, am i tottally wrong here ?

Thanks mate
 
That's by design and the way you want it to be. Without credentials, they're not getting in. Anything more complex and you're going to turn off your users.

Buying a cert just gets rid of the security prompt, and encrypts the data going back and forth. It doesn't stop people from getting to that page.

Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top