
put exchange or owa in dmz? which opens more ports on pix


quell (IS-IT--Management), Nov 8, 2002
I plan on establishing a DMZ and can't decide if I should put the Exchange server in the DMZ or leave it in the LAN and put the OWA in the DMZ. I don't like the idea of opening up more ports on my pix 515. Basically which would open more ports on the pix? exchange on the dmz or owa? What do you guys think?
 
Hi,

I'm not sure which opens more ports but I am sure that putting the Exchange server in the DMZ is the least secure. I recommend putting OWA on the DMZ.

Lou
 
We struggled with this one quite a bit. If we stuck OWA on the DMZ, that means we would be opening a ton of rules to allow it to talk to our domain. If we put OWA on the inside, then the whole concept of a DMZ would be circumvented. In the end, we chose a slightly different approach, which we felt was the lesser of all evils.

We put a Linux box in the DMZ, running Apache and mod_proxy. We then opened port 443 from the outside to the proxy on the DMZ. Then we added a rule on the DMZ to permit only 443 from the proxy to the OWA server, which is on the inside.

Internet users access only the proxy server. Only the proxy server can access OWA. It's not perfect, but it at least presents one more barrier to breaking in.

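The reverse-proxy layout described in the post above, written out as an added example (this is not the poster's configuration and is not taken from the thread). It assumes Apache 2.x with mod_ssl, mod_proxy and mod_proxy_http on the DMZ host; the hostnames owa.example.com and owa-int.corp.example, the certificate paths, and the OWA URL paths /exchange, /exchweb and /public are assumptions for illustration. With this in place the PIX needs exactly two permits: outside to the proxy on tcp/443, and the proxy to the internal OWA server on tcp/443; every other DMZ-to-inside flow stays denied.

```apache
# Added example, not the original poster's config. Hostnames, certificate paths and
# the OWA URL paths are assumptions for illustration.
# Modules assumed: mod_ssl, mod_proxy, mod_proxy_http (Apache 2.x).

Listen 443
<VirtualHost *:443>
    ServerName owa.example.com

    # TLS on the public side; 443 is the only port the PIX passes from outside to the DMZ.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/owa.example.com.key

    # ProxyRequests controls FORWARD proxying. It must stay Off on a reverse proxy,
    # otherwise the DMZ box will relay arbitrary requests for anyone on the Internet.
    ProxyRequests Off
    ProxyPreserveHost On

    # Re-encrypt on the way to the inside. OWA uses Basic authentication, so without
    # SSLProxyEngine the domain credentials would cross the DMZ-to-inside link in clear text.
    SSLProxyEngine On

    # Publish only the OWA paths, not the whole IIS default site on the Exchange box.
    ProxyPass        /exchange https://owa-int.corp.example/exchange
    ProxyPassReverse /exchange https://owa-int.corp.example/exchange
    ProxyPass        /exchweb  https://owa-int.corp.example/exchweb
    ProxyPassReverse /exchweb  https://owa-int.corp.example/exchweb
    ProxyPass        /public   https://owa-int.corp.example/public
    ProxyPassReverse /public   https://owa-int.corp.example/public

    # Any other path is answered locally from an empty DocumentRoot and never
    # forwarded, so the internal server is reachable only under the paths above.
    DocumentRoot /var/www/empty
    RedirectMatch ^/$ /exchange/
</VirtualHost>
```

The proxy is a network barrier, not a content filter: it still hands every request under /exchange to IIS on the internal Exchange server, so the IIS and Exchange patch level on that box matters just as much as before. What you gain is that the only host exposed to the Internet holds no mailboxes and no domain credentials, and the inside firewall rule is a single host-to-host permit on one port.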
 
HI.

Another alternate solution which is more secure, is simply not to allow access to your Exchange server from the Internet.
If you have only a few specific roaming users that need web access, you can keep Exchange internally, and instead of an OWA server, implement another mail server (either Exchange or any other server that you like) which will be in the DMZ.
The internal exchange server will be configured to forward a copy of all incoming mail for the roaming users to the DMZ server. The roaming users can access that server using web access.

Advantages: better security. No open ports to the inside, and you only publish and risk a copy of a few mailboxes instead of your whole Exchange server.
Disadvantages: Like any solution it is not perfect, you'll have to think how to manage duplicate mailboxes, etc...
One option is to configure those roaming users to read mail only from the DMZ server and not from Exchange.

It is similar to "mail relay" but in the reverse direction.

I have not yet implemented such a solution, but you can consider it.

Bye
Yizhar Hurwitz
 
Always put OWA inside the DMZ as you only then need to give access to port 80 from the outside world. Assuming the remainder of your PIX connected to the internet is secure, this is the best way to provide OWA.

All the best

 