Many IT departments place systems exposed to
the Internet in their firewall’s demilitarized zone (DMZ). This
practice helps protect the servers from internal and external
attacks. Placing servers in a DMZ also protects the internal
network if an attacker compromises the exposed server.
You can place an Outlook Web Access (OWA)
server in a DMZ, but it requires a lot of configuration. First, you
must map the information store and directory service ports on the
Exchange server to static ports. Otherwise, the Exchange server
answers clients (including OWA) on a wide range of ports that
you’ll have to open.
You must also open ports 135, 137, 138, and 139
(among others) between the DMZ and your internal network in order
for OWA to function correctly. However, opening these ports limits
the effectiveness of putting an OWA server in the DMZ. If attackers
compromise the OWA server, they’ll have many ports going into the
private network to work with.
Because placing an OWA server in a DMZ offers
limited payback in terms of security as opposed to the amount of
configuration it requires, many organizations opt to place the OWA
server on the private network instead, which greatly simplifies
configuration. No static mapping of ports on the Exchange server is
required. Since the OWA server is still behind a firewall, it’s
just as protected against external attacks as it would be in a
DMZ.
For highly security-conscience organizations,
where every bit of extra security is worth it, placing the OWA
server in a DMZ is worth the hassle. The rest of us might consider
the alternative to be an acceptable compromise.