Author: Jan Johansson
Date:
To: SpamTalk, Steve Thomas, Kevin Reed
CC: exim-users
Subject: RE: [Exim] OT - Why you should not put Exchange on the Internet.

> OWA (Outlook Web Access) is NOT designed to provide internet access to
> exchange servers. It was designed to allow a large enterprise (hence why it
> is available only in the Enterprise Edition of Exchange)

Uhm, no. It's afaik in all versions of Exchange, since it is in Small
Business Edition, which uses Exchange Standard.

> Even properly installing it by "isolating" it behind an additional firewall
> interface is dicey at best. The OWA server has to be a member of the domain
> and there are about 15-20 holes you have to punch in the firewall to get it
> to talk to a GC and the primary Exchange server(s). A very high risk
> security footprint and a very foolish thing to do. I liken it to building a
> woodshed using the handle of a Craftsman screwdriver as a hammer (so you can
> take it back to Sears for replacement after you chip the handle off the
> shaft).

Overkill. Most intelligent firewalls allow on-the-fly-auth.
Like I have done for a client using Netscreen Firewalls, set up a
mapping to the IIS web server from an external point. Combine it with
WEB-auth, which means that the user has to authenticate (preferably via
SSL) against the firewall before the actual mapping to the IIS is
opened.

> If you must provide internet access to exchange, use terminal services or
> IPSEC/VPN tunnels to create a virtual connection to the LAN, even then you
> need to install group policies to require AV and other security requirements
> on the machine making the VPN connection so it does not bring a virus in
> behind the firewall.

Or, move to Outlook/Exchange 2003 which uses RPC-over-http(s) which
works like a charm.