RE: [Exim] OT - Why you should not put Exchange on the Inter…

Top Page

Reply to this message
Author: Jan Johansson
Date:  
To: SpamTalk, Steve Thomas, Kevin Reed
CC: exim-users
Subject: RE: [Exim] OT - Why you should not put Exchange on the Internet.
> OWA (Outlook Web Access) is NOT designed to provide internet access to
> exchange servers. It was designed to allow a large enterprise (hence

why
> it
> is available only on in the Enterprise Edition of Exchange)


Uhm, no. Its afaik in all versions of exchange.. Since it is in Small
Business Edition, which uses Exchange standard.

> Even properly installing it by "isolating" it behind a additional

firewall
> interface is dicey at best. The OWA server has to be a member of the
> domain
> and there are about 15-20 holes you have to punch in the firewall to

get
> it
> to talk to a GC and the primary Exchange server(s). A very high risk
> security footprint and a very foolish thing to do. I liken it to

building
> a
> woodshed using the handle of a Craftsman screwdriver as a hammer (so

you
> can
> take it back to Sears for replacement after you chip the handle off

the
> shaft.
>



Overkill. Most intelligent firewalls allows on-the-fly-auth.

Like I have done for a client using Netscreen Firewalls, set up a
mapping to the IIS web server from an external point. Combine ith with
WEB-auth, which means that the user has to authenticate (Preferably via
SSL) against the firewall before the actual mapping to the IIS is
opened.

> If you must provide internet access to exchange, use terminal services

or
> IPSEC/VPN tunnels to create a virtual connection to the LAN, even then

you
> need to install group policies to require AV and other security
> requirements
> the machine making the VPN connection so it does not bring a virus in
> behind
> the firewall.


Or, move to Outlook/Exchange 2003 which uses RPC-over-http(s) which
works like a charm.

###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft
Exchange.