Hi
I'm coming under increased pressure to make our Exchange server available over the internet - can anyone give me some guidance on the best ways to secure our network if I do this. I'm pretty sure that I'll have to provide a webserver connected to our student database too - so perhaps these should be co-located?
Any help or pointers gratefully received.
Cheers
They need to be seperated from the rest of your internal network. The classic way to do this is to setup a DMZ on your firewall.
SpuffMonkey (nice name btw)!
I did this for a school by installing a cisco pix 501 firewall at a school allowing only email related traffic through.
The plus side of this was that I was able to utilise the firewalls VPN capabilites as well to allow key users to log into the firewall and RDP into a server. This allows me to remotely administer the server and for users to access SIMS via the VPN tunnel.
If you need anymore info, let me know.
Bubba.
dont forget to get a cert and run ssl, passwords are sent in plain text by default(!)
Definately one to check out would be MSExchange.org.
I've found a hell of a lot of useful info there.
Absolutely RobC!
http://www.msexchange.org/tutorials/...rtificate.html
is an excellent article on setting up a free certificate from StartCom for OWA publishing - could be useful to you Spuffmonkey...
Yep yep - i been looking at that for a while this morning [whilst helping the head with her emails, amongst other things].
Did the SelfSSL guide and managed to get the non-windows authentication slightly sorted.
Just need to hack the login.asp file to remove the domain part in the logging in fields [its on the msexchange.org article list somewhere - not got the links to hand sorry for direct info but its a great great place]
Cheers
Nath.
The advice from MS is to set up exchange in a front end back end scenario (using server 2003 and exch 2003), having both on the internal network and securing with ISA 2004 in front if you wish with another firewall infront, ISA 2004 does everything you need to publish the FE/OWA server to the internet, it will also do application layer filtering to make sure the traffice is really OWA traffic and not an attack
this way you only need to open 443 for internet traffice and 25 for SMTP
if you have it in a DMZ you need to all ports on your back firewall for the exch FE server to talk to you BE boxes, GC servers, DC's etc
you can setup your own Certificate Authourity (CA) on your Windows domain, if only your users are going to use the OWA site they should be able to trust your CA.
this week i am mostly on an ISA course and just done the exch module
oh to go on a course - you must be blessed chris hehe
front end back end [i read about that while checking out various MS / msexchange.org guides] setup is indeed best - but cost dont allow it i'd wager. Doesnt with us anyhow lol
P.S. Sorted the login.asp - along with a bit more customisation too
Cheers
N.
SpuffMoney,
Agree with most stuff with front end and back end exchage server setup but with this things do get slighly complicated so if you want to publich owa then on your firewall you need to open up port 443 (HTTPS) inbound. This will allow external users to reach your exchange server for outlook web acces.
To allow your exchange server you need to have rule which allows 25 (SMTP) outbound to allow the mail server to send emails and also a rule of 25 SMTP inbound to recieve emails.
You can do this in ISA Server 2004 quite easily. it also have a new OWA forms based authentication which authenticates the users at the ISA server before allowing access to the mail server, making it even more secure.
One thing to remember with isa is that the traffic outbound will always go out on the primary IP address that is allocated to the external interface on isa.
Few things to think about.
MX records,
A record in your domain
public IP address for the mail server and owa
HTH,
Ashok.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
