Outlook Web Access from the Outside Worl

By Aaron_Wurthmann
Some of my users are asking for OWA (Outlook Web Access, via Exchange 5.5 SP 3) from the outside world. I am not naive enough to punch a hole through my firewall straight to the Exchange box despite their suggestions, but I would like to accommodate them.

So far the only things that I can come up with are:
A) Install an IIS server with OWA on it in the outside world, with some sort of firewall, and make it multi-homed straight into Exchange (which could also be multi-homed) via crossover cable.
B) I could just install the IIS server and create some sort of firewall rule that allows a certain port to talk to Exchange from the outside of the firewall from the IIS server only.

If I choose A) What firewall software for NT can aid me in this task?
If I choose B) What port does IIS or OWA use to talk to the Exchange server for information?
And of course there is C) Other suggestions.

Thanks.

by otto3 In reply to Outlook Web Access from t ...

IMHO, OWA isn't worth all of the trouble it can cause. But that wasn't what you asked for. I'll give you my take on your solutions.
Solution A: Multi-homed servers wouldn't be a good idea. It won't provide any protection from hacking and actually would make it easier.
Solution B: That's doable but leaves the IIS server vulnerable in the outside world. The ports needed to be open on the firewall could be 1225 for the information store and 1226 for the directory on the Exchange server. The changes needed to be made in the registry of the firewall. You can choose your own port as long as the port number is higher than 1023.
Solution C: Put the IIS and the Exchange server behind the firewall and allow HTTPS only for OWA. Both the IIS and the Exchange server would be protected.
You can use MS Proxy 2.0, Check Point Firewall-1, or Gauntlet for firewall. I recommend Check Point.
Here's a link for more info:
http://www.slipstick.com/exs/owa.htm
Otto

by Aaron_Wurthmann In reply to Outlook Web Access from t ...

I am attempting this now, but I ran into some trouble; please see the posting titled "OWA from the outside world via SSL".
Thank you.

by mwb In reply to Outlook Web Access from t ...

Despite the relative problem with security, most implementations are simply a hole through the firewall to the Exchange server. To increase security you should host IIS on a server separate from Exchange (Exchange also likes servers all to itself!). Most firewalls will allow you to redirect traffic from an outside port to port 80 on your IIS. The key is to choose a strange port number for the outside so any oaf on the Internet can't simply trip over it (firewall specific). Log activity across that port and, if you can, choose a firewall that supports Out Of Band Authentication (OOBA). OOBA will place password protection (NT domain if you like) on the port you are attempting to use on the firewall. Axent's firewall does this and I would be surprised to find that Checkpoint doesn't. I have a hard time considering MS Proxy a firewall.

by Aaron_Wurthmann In reply to Outlook Web Access from t ...

There are several port HTTP hacks on port 80, and the idea of security through obscurity doesn't work, especially since I am being port scanned by script kiddies daily.
Thank you for your answer.

by garetjax In reply to Outlook Web Access from t ...

First, a question: Do you allow incoming SMTP mail to your Exchange server? If so, you have already "exposed" your Exchange server.

I would suggest allowing your users to access Exchange via OWA and I would put IIS on your Exchange server. If you are diligent about keeping up with the assorted IIS patches/security updates/recommended IIS config, your exposure is minimal. You need open only TCP port 80 to the outside world to enable OWA.

I would also skip options A & B. They are no more secure than the solution above but they add several more layers of complication. Apply the KISS principle.

Good luck.

by Aaron_Wurthmann In reply to Outlook Web Access from t ...

There are several port HTTP hacks on port 80, and the idea of security through obscurity doesn't work, especially since I am being port scanned by script kiddies daily.
Thank you for your answer.
