From: Jason Rahl (rahlj@cooley.edu)
Date: Wed Apr 11 2007 - 09:38:37 EDT
You should have them place an OWA server in the DMZ and use IPSec policies between the OWA front end server and the backend exchange servers on the internal network. That way you only have to open 2(or 3) ports for ipsec between the servers from internal to dmz. It limits the exposure as you only need to open 443 and 80 to the server from the Internet. If they are trying to have users access directly to the Exchange servers from a remote site or the Internet I would get the exact IPs and open only to the defined IP range or make them use a VPN. If they are asking to open to the Exchange server directly from the Internet I would get them to sign off on this with something that spells out the risk of indiscriminately opening up MS ports to the entire Internet.
Jason
>>> "Wiedemann, Adrian" <Adrian.Wiedemann@rz.uni-karlsruhe.de> 04/11/07 3:52 AM >>>
Hi,
> to forward ports on the PIX from the Internet to internal servers. I
> have
> explained that port forwarding is very risky but they don't seem to
> understand. Are there any publications that can be used to show the
It boils down to the Exchange-Server setup. If he is using a
frontend-backend Exchange configuration and requests port 443 to be
forwarded, I see no inherent security concerns about this. In general, I see
no security implications about forwarding ports. I just depends on the
servers, on which these ports are forwarded to.
Regards, Adrian
Ret
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:43 EDT