
Outlook Web access

By NICS
I have reservations about using Outlook Web Access. At the moment we have no internal web servers, and use VPN for remote email access. Can you give me some feedback or advice on OWA & security?

Thanks.


I've used OWA for years.

by LordInfidel In reply to Outlook Web access

Several tips.

Hopefully you have your network subnetted.
If so, make it multihomed (that is, put 2 NICs in it). On the external interface, make it so that only requests to 443 will be answered.

Why 443 and not 80? You want to force everyone who connects to use SSL. Now you don't have to go and buy a cert. Just generate your own self-signed cert. It will display a warning when the users connect, but who cares, it's just your users.

Obviously the internal NIC needs to be on the same subnet as your exch server and DC. ***Make sure that routing/IP Forwarding is not installed or enabled. This will defeat your purpose.

Make sure your firewall rules are very restrictive. That is, the public can **ONLY** contact that machine over tcp 443.

Also, DO NOT install OWA on the exchange server.
Make it its own dedicated box. While it may seem like a waste of hardware, keeping services separate is critical to security. Plus, every time someone logs onto OWA, it spawns a new outlook session. When you have a lot of sessions open, it will severely degrade the machine.

And do not forget to bastionize the **** out of the machine. IIS security still applies here. Make sure you remove all of your default mappings (except for the 4 needed for ASP).
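
The exposure rules in the post above (public reaches the OWA host on tcp/443 only, no IP forwarding on the dual-homed box) can be checked mechanically. This is an added example, not part of the original post; the rule format, the addresses and the `audit` and `port_range` helpers are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data in a hypothetical rule format (not any product's export).
# Each entry is an inbound rule on the external firewall in front of the OWA host.
OWA_EXTERNAL_IP = "203.0.113.10"  # assumed address from a documentation range
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "203.0.113.10/32", "ports": "443"},
    {"action": "allow", "proto": "tcp", "dst": "203.0.113.0/24", "ports": "80-443"},
    {"action": "allow", "proto": "any", "dst": "203.0.113.10/32", "ports": "3389"},
    {"action": "allow", "proto": "tcp", "dst": "203.0.113.25/32", "ports": "25"},
    {"action": "deny", "proto": "any", "dst": "0.0.0.0/0", "ports": "1-65535"},
]


def port_range(spec):
    """Parse '443' or '80-443' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def audit(rules, owa_ip, ip_forwarding_enabled):
    """List every way the setup departs from: tcp/443 only, no IP forwarding.

    Rule order is not evaluated; any allow rule covering the host is reported,
    so a shadowed rule is still flagged for cleanup.
    """
    host = ipaddress.ip_address(owa_ip)
    findings, https_allowed = [], False
    for number, rule in enumerate(rules, 1):
        if rule["action"] != "allow":
            continue
        if host not in ipaddress.ip_network(rule["dst"]):
            continue  # rule does not cover the OWA host
        if rule["proto"] == "tcp" and port_range(rule["ports"]) == (443, 443):
            https_allowed = True
        else:
            findings.append(f"rule {number}: allows {rule['proto']}/{rule['ports']} to {owa_ip}")
    if not https_allowed:
        findings.append("no rule allows tcp/443 to the OWA host")
    if ip_forwarding_enabled:
        findings.append("IP forwarding is enabled on the dual-homed host")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, OWA_EXTERNAL_IP, ip_forwarding_enabled=True):
        print(finding)
```

The wide rule (a /24 destination with ports 80-443) is reported even though it includes 443, because it also opens port 80 to the OWA host.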


CISSP

by Jellimonsta In reply to I've used OWA for years.

Hey LI, how is your CISSP cert track coming along?


On hold for now....

by LordInfidel In reply to CISSP

A lot of major projects have come up.

New SAN design and install (which just arrived today, 2 terabytes of fun), rearchitecting the production network, moving several colo facilities.

But I am trying to use their models and such when building out the new networks.


I hear ya!

by Jellimonsta In reply to On hold for now....

I too have put my training on hold. I am in the process of designing the network infrastructure reorganization, plus NT4 to 2000 AD upgrade. As well as the Exchange 5.5 to 2000 upgrade. We also have other projects in the mix too so it is all fun, fun, fun! Good luck with the SAN.


OWA

by Jellimonsta In reply to Outlook Web access

Provided you perform the security steps necessary, OWA is extremely beneficial. Using VPN is fine for the majority of remote users, but using OWA allows any of your Exchange users to view their Email from any Internet connected PC anywhere in the world.


Thanks

by NICS In reply to Outlook Web access

Thanks for the input - much appreciated as always.
