+ Post New Thread
Results 1 to 10 of 10
Wireless Networks Thread, Securing Exchange/Outlook Web Access in Technical; Hi I'm coming under increased pressure to make our Exchange server available over the internet - can anyone give me ...
  1. #1

    SpuffMonkey's Avatar
    Join Date
    Jul 2005
    Posts
    2,224
    Thank Post
    54
    Thanked 276 Times in 184 Posts
    Rep Power
    133

    Securing Exchange/Outlook Web Access

    Hi

    I'm coming under increased pressure to make our Exchange server available over the internet - can anyone give me some guidance on the best ways to secure our network if I do this. I'm pretty sure that I'll have to provide a webserver connected to our student database too - so perhaps these should be co-located?

    Any help or pointers gratefully received.

    Cheers

  2. #2

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Securing Exchange/Outlook Web Access

    They need to be seperated from the rest of your internal network. The classic way to do this is to setup a DMZ on your firewall.

  3. #3

    Join Date
    Aug 2005
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Securing Exchange/Outlook Web Access

    SpuffMonkey (nice name btw)!

    I did this for a school by installing a cisco pix 501 firewall at a school allowing only email related traffic through.

    The plus side of this was that I was able to utilise the firewalls VPN capabilites as well to allow key users to log into the firewall and RDP into a server. This allows me to remotely administer the server and for users to access SIMS via the VPN tunnel.

    If you need anymore info, let me know.

    Bubba.

  4. #4

    Join Date
    Aug 2005
    Location
    Birmingham, UK
    Posts
    490
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Securing Exchange/Outlook Web Access

    dont forget to get a cert and run ssl, passwords are sent in plain text by default(!)

  5. #5

    Join Date
    Jun 2005
    Location
    Elgin, Scotland
    Posts
    387
    Thank Post
    1
    Thanked 4 Times in 4 Posts
    Rep Power
    23

    Re: Securing Exchange/Outlook Web Access

    Definately one to check out would be MSExchange.org.

    I've found a hell of a lot of useful info there.

  6. #6
    Netman's Avatar
    Join Date
    Jul 2005
    Location
    56.343515, -2.804118
    Posts
    911
    Thank Post
    367
    Thanked 190 Times in 143 Posts
    Rep Power
    54

    Re: Securing Exchange/Outlook Web Access

    Absolutely RobC!
    http://www.msexchange.org/tutorials/...rtificate.html
    is an excellent article on setting up a free certificate from StartCom for OWA publishing - could be useful to you Spuffmonkey...

  7. #7
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Securing Exchange/Outlook Web Access

    Yep yep - i been looking at that for a while this morning [whilst helping the head with her emails, amongst other things].

    Did the SelfSSL guide and managed to get the non-windows authentication slightly sorted.

    Just need to hack the login.asp file to remove the domain part in the logging in fields [its on the msexchange.org article list somewhere - not got the links to hand sorry for direct info but its a great great place]

    Cheers
    Nath.

  8. #8

    Join Date
    Jul 2005
    Location
    Lancashire
    Posts
    30
    Thank Post
    1
    Thanked 4 Times in 3 Posts
    Rep Power
    19

    Re: Securing Exchange/Outlook Web Access

    The advice from MS is to set up exchange in a front end back end scenario (using server 2003 and exch 2003), having both on the internal network and securing with ISA 2004 in front if you wish with another firewall infront, ISA 2004 does everything you need to publish the FE/OWA server to the internet, it will also do application layer filtering to make sure the traffice is really OWA traffic and not an attack

    this way you only need to open 443 for internet traffice and 25 for SMTP

    if you have it in a DMZ you need to all ports on your back firewall for the exch FE server to talk to you BE boxes, GC servers, DC's etc


    you can setup your own Certificate Authourity (CA) on your Windows domain, if only your users are going to use the OWA site they should be able to trust your CA.



    this week i am mostly on an ISA course and just done the exch module

  9. #9
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Securing Exchange/Outlook Web Access

    oh to go on a course - you must be blessed chris hehe

    front end back end [i read about that while checking out various MS / msexchange.org guides] setup is indeed best - but cost dont allow it i'd wager. Doesnt with us anyhow lol

    P.S. Sorted the login.asp - along with a bit more customisation too

    Cheers
    N.

  10. #10

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    737
    Thank Post
    17
    Thanked 105 Times in 65 Posts
    Rep Power
    36

    Re: Securing Exchange/Outlook Web Access

    SpuffMoney,

    Agree with most stuff with front end and back end exchage server setup but with this things do get slighly complicated so if you want to publich owa then on your firewall you need to open up port 443 (HTTPS) inbound. This will allow external users to reach your exchange server for outlook web acces.

    To allow your exchange server you need to have rule which allows 25 (SMTP) outbound to allow the mail server to send emails and also a rule of 25 SMTP inbound to recieve emails.

    You can do this in ISA Server 2004 quite easily. it also have a new OWA forms based authentication which authenticates the users at the ISA server before allowing access to the mail server, making it even more secure.

    One thing to remember with isa is that the traffic outbound will always go out on the primary IP address that is allocated to the external interface on isa.

    Few things to think about.

    MX records,
    A record in your domain
    public IP address for the mail server and owa

    HTH,

    Ashok.

SHARE:
+ Post New Thread

Similar Threads

  1. Outlook Web Access trial
    By amacken in forum Windows
    Replies: 15
    Last Post: 6th September 2008, 10:20 AM
  2. New users can't log in to Outlook Web Access
    By WithoutMotive in forum Windows
    Replies: 5
    Last Post: 7th September 2007, 11:17 AM
  3. Replies: 0
    Last Post: 20th February 2007, 09:42 PM
  4. Exchange Outlook Web Access
    By jrubinstein in forum Windows Vista
    Replies: 3
    Last Post: 12th February 2007, 10:47 PM
  5. Exchange 2003 - Outlook Mobile Access
    By ajbritton in forum Windows
    Replies: 7
    Last Post: 20th December 2006, 05:11 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •