This tip was originally published in TechRepublic’s Exchange e-newsletter.
Many IT departments place systems exposed to the Internet in their firewall’s demilitarized zone (DMZ). This practice helps protect the servers from internal and external attacks. Placing servers in a DMZ also protects the internal network if an attacker compromises the exposed server.
You can place an Outlook Web Access (OWA) server in a DMZ, but doing so requires a lot of configuration. First, you must map the information store and directory service ports on the Exchange server to static ports. Otherwise, the Exchange server answers clients (including OWA) on a wide range of ports that you’ll have to open.
You must also open ports 135, 137, 138, and 139 (among others) between the DMZ and your internal network in order for OWA to function correctly. However, opening these ports limits the effectiveness of putting an OWA server in the DMZ. If attackers compromise the OWA server, they’ll have many ports going into the private network to work with.
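The trade-off described above, as an added example that is not part of the original tip: a small auditor run over two constructed DMZ-to-internal allow lists, one without static port mapping and one with it. The rule syntax, the 1024-65535 range, and ports 5000/5001 are assumptions chosen for illustration.

```python
import re

# Ports the article says must be open between the DMZ and the internal network.
ARTICLE_PORTS = {135, 137, 138, 139}
WIDE_RANGE = 100  # assumption: a rule spanning this many ports counts as "wide"
RULE_RE = re.compile(r"^allow\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s*(?:#.*)?$")

def parse_rules(text):
    """Parse constructed 'allow <proto> <port>[-<port>]' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {line!r}")
        rules.append((m.group(1), lo, hi))
    return rules

def audit(text):
    """Summarise what a DMZ-to-internal allow list exposes."""
    rules = parse_rules(text)
    exposed = {(proto, p) for proto, lo, hi in rules for p in range(lo, hi + 1)}
    return {
        "exposed_ports": len(exposed),
        "article_ports": sorted({p for _, p in exposed if p in ARTICLE_PORTS}),
        "wide_rules": [r for r in rules if r[2] - r[1] + 1 >= WIDE_RANGE],
    }

# Constructed rule sets; the range and the static ports are placeholders.
COMMON = "allow tcp 135\nallow udp 137\nallow udp 138\nallow tcp 139\n"
DYNAMIC = COMMON + "allow tcp 1024-65535  # no static mapping: wide range\n"
STATIC = COMMON + ("allow tcp 5000  # information store, static port\n"
                   "allow tcp 5001  # directory service, static port\n")

if __name__ == "__main__":
    for name, rules in (("dynamic", DYNAMIC), ("static", STATIC)):
        print(name, audit(rules))
```

Static mapping removes the wide rule, but ports 135, 137, 138, and 139 stay reachable from the DMZ in both rule sets.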
Because placing an OWA server in a DMZ offers limited security payback relative to the amount of configuration it requires, many organizations opt to place the OWA server on the private network instead, which greatly simplifies configuration. No static mapping of ports on the Exchange server is needed. Since the OWA server is still behind a firewall, it’s just as protected against external attacks as it would be in a DMZ. For highly security-conscious organizations, where every bit of extra security is worth it, placing the OWA server in a DMZ is worth the hassle. The rest of us might consider the alternative to be an acceptable compromise.