
OWA Deployment scenarios

Status
Not open for further replies.

JVKAdmin (IS-IT--Management), joined Dec 28, 2001, 155 messages, location: CA
Hi,

I would just like to ask everyone what's required for deploying OWA 2003 properly.

We have a single Exchange 2003 server that is also a 2003 DC. We have a firewall, which is not ISA Server. I'd like to know what my options are as far as protecting this server given our current environment.

Do we need ISA Server in order to do this properly (how much risk is involved with going with something else?)

Thanks

Kevin
 
'Properly' doesn't mean much in this context; there are various methods to do it, all acceptable, but they may offer varying degrees of security.

If you can't buy any more stuff you're probably limited to NATing to the Exchange box on your existing firewall. This is fairly weak in that you're letting unauthenticated traffic onto the box (it's even weaker if the firewall can't do packet inspection to at least verify they're HTTP/HTTPS packets).

The way I've done it is a Checkpoint firewall at the edge, then an ISA 2004 box publishing OWA which connects via an SSL bridge to an Exchange front-end server, which in turn connects to the back-end server. This is a fair bit more secure as the ISA box is authenticating the OWA requests. If you have budget for it I'd recommend a similar scenario (you don't have to worry about the front-end Exchange server though if it's not a very big Exchange organisation).

You could take it even further by isolating the ISA server in its own workgroup or forest and using RADIUS etc. to authenticate, but that was more hassle than I thought it was worth for the marginal security improvement (the ISA box in my case is a member of our internal forest).
 
Nick,

Thanks for the response. We have a small environment. We do not have a large budget. (under 70 users in total).

Is the only way to securely publish OWA to use ISA Server, or are there other appliances or software that can do this relatively cheaply?

Also, we don't own ISA and I have never used it.

Could we not just simply use SSL certificates, NAT HTTPS traffic through to the Exchange server and set up forms-based authentication on the Exchange server? Our firewall does provide some kind of HTTPS filtering/proxy but it's limited and not near the extent of an ISA server.

My biggest concern here is that the Exchange server is also our DNS, DHCP and AD server, and I don't want to compromise security but at the same time try to get something that's relatively secure (and easy to set up/maintain).

On another note do you know of any website that has some good network layout diagrams for some typical deployment scenarios for OWA ? That would be helpful.

Thanks.

Kevin
 
Well, the way you describe doing it will certainly work and you'll have some security through using encrypted passwords. However, the basic fact remains that you are letting people right through to your internal network without having first authenticated the traffic. How easy it is to exploit that I don't know, but it's something you're generally advised to avoid.

In terms of cost and ease of setup/manageability ISA 2004 is a pretty good choice; I don't have experience with other products though.

As for network diagrams, I used a few docs from the and websites but these were based around ISA being involved.
 
Have a look at setting up a reverse proxy.

You would do this on a machine running in the DMZ.

I believe you can do it with Squid, though we use Apache.

The Apache box is also our web server (with reverse proxy modules compiled into it).

Cheap as chips, as you can use almost any old extinct PC (I think we use a PIII 600).

Read:
and others:

Cheers - would write more but it is friday night and time to go home!

-Chris.
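As an added example (not configuration from the thread or from Chris's own setup): an Apache 2.4 reverse proxy in the DMZ that publishes only the OWA 2003 virtual directories (/exchange, /exchweb, /public), terminates TLS for external users, re-encrypts to the Exchange server (the "SSL bridge" Nick describes), and optionally pre-authenticates users before any request reaches the Exchange/DC box. The hostnames owa.example.com, exchange.internal and dc.internal, the certificate paths, the LDAP base DN and the bind account are all assumptions for illustration.

```apache
# Added example, not from the original post. Assumes Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http and (optionally) mod_authnz_ldap.
LoadModule ssl_module          modules/mod_ssl.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule alias_module        modules/mod_alias.so
LoadModule auth_basic_module   modules/mod_auth_basic.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule authz_core_module   modules/mod_authz_core.so

# Never act as an open forward proxy; this host only reverse-proxies.
ProxyRequests Off

# Plain HTTP: redirect straight to HTTPS so credentials never go in clear.
<VirtualHost *:80>
    ServerName owa.example.com
    Redirect permanent / https://owa.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName owa.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.com.key   # assumed path

    # Serve nothing locally: anything not explicitly published below is a 403.
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>

    # Send the external Host header to Exchange so the absolute URLs OWA
    # generates point back at the proxy, not at the internal name.
    ProxyPreserveHost On

    # SSL bridging: re-encrypt to Exchange and verify its certificate against
    # the internal CA, so the proxy cannot be redirected to an impostor inside.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt   # assumed path

    # Publish only the OWA 2003 virtual directories. Admin paths such as
    # /exadmin and the password-change vdir /iisadmpwd stay unreachable.
    ProxyPass        /exchange https://exchange.internal/exchange
    ProxyPassReverse /exchange https://exchange.internal/exchange
    ProxyPass        /exchweb  https://exchange.internal/exchweb
    ProxyPassReverse /exchweb  https://exchange.internal/exchweb
    ProxyPass        /public   https://exchange.internal/public
    ProxyPassReverse /public   https://exchange.internal/public

    # Land users on the mailbox root instead of the empty DocumentRoot.
    RedirectMatch ^/$ https://owa.example.com/exchange/

    # Optional pre-authentication at the proxy: the request is authenticated
    # against AD over LDAPS before it is forwarded, which closes the gap of
    # unauthenticated traffic reaching the Exchange/DC box. The cost is one
    # LDAPS (636/tcp) hole from the DMZ to a DC and a low-privilege bind
    # account (assumed name) stored on the proxy.
    <Location /exchange>
        AuthType Basic
        AuthName "Outlook Web Access"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://dc.internal/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=owa-proxy,OU=Service Accounts,DC=example,DC=internal"
        AuthLDAPBindPassword "replace-me"
        Require valid-user
    </Location>
</VirtualHost>
```

A few practical notes on the design choices. Because the proxy uses Basic authentication and forwards the Authorization header, Exchange configured for Basic authentication sees the same AD credentials and the user logs in once; with forms-based authentication enabled on Exchange the user will be prompted a second time at the OWA form. Exchange 2003 only offers forms-based authentication when SSL is enabled on its OWA virtual directory, which is one more reason to re-encrypt to the back end rather than proxy to plain HTTP. The /exchweb path must be published alongside /exchange because OWA loads its scripts and images from there. Finally, the firewall rules should be the mirror of the config: only 443/tcp from the Internet to the proxy, and only 443/tcp (plus 636/tcp if pre-authentication is used) from the proxy to the inside, so that a compromise of the DMZ host still does not expose the rest of the domain controller.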
 