OWA authentication from DMZ to trusted

[steve1968]

I have OWA setup in the DMZ. Exchange 5.5 bridgehead server on trusted, with a further 5 Exchange 5.5 servers at other locations off the bridgehead. The OWA server looks to the bridgehead for the mailboxes etc. However, for domain authentication to take place when logging on to OWA at present, I have to allow all ports open from the DMZ to trusted. This is not acceptable and I need advise as to which ports I need to open to allow domain authenitcation. I have read all the Technet articles, but these do not seem to help.

 

[Ntr0P]

Let me preface with this... It is recommended by many knowledgeable folks on the Exchange lists to not put OWA on the optional interface (DMZ) because of all of the ports that are needed to be opened between the OWA server and the Exchange server and the domain controllers. Opening all of these ports substantially reduces the value of an isolated DMZ - which is then must less isolated if you do this. Consider just having SSL (HTTPS) to your OWA server and keep your OWA server on the trusted interface. This is generally considered a much more secure implementation.

As for the configuration question you had, rather than point you back to the same articles, what specifically did you have a question about?

 

[steve1968]

As I said, just a list of the required ports that are essential for domain authentication.

 

[steve1968]

Thanks for the last advice. I have now set up as you suggested the OWA server on the trusted domain and confgured the Firebox to allow HTTPS traffic in only. Without doubt, this is the safer solution.

Regards.