Firewall-1

Re: [FW-1] OWA Outlook Web Access in DMZ...need access to Active Directo

Subject: Re: [FW-1] OWA Outlook Web Access in DMZ...need access to Active Directory...
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 19 Dec 2006 18:43:56 -0500
The best way is to deploy Microsoft's ISA server as the front end. Its "publishing" rules and built-in OWA forms-based authentication make for a very clean package. You actually install the SSL certificate in two places: on the internal Exchange server running OWA and on the EXTERNAL interface of the ISA server.

When an SSL connection comes in from the Internet, it's terminated on ISA's external interface. ISA checks all of the decrypted traffic to assure it conforms to Microsoft's specs (including checks for malformed traffic) and then sends it out the internal interface via SSL to the internal OWA server.

I've got ISA behind FW-1 and that's how we do it. FW-1 is blind to SSL traffic, which is why ISA's ability to perform SSL termination is such a good addition.

Ray
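As an added example (not from the thread, and not ISA's own code), a minimal Python front end in the spirit of Ray's ISA setup and Hugo's "front for OWA in the DMZ": TLS ends at the front end, the decrypted request is inspected, and only an accepted request is re-sent over a second TLS leg to the internal OWA server. The internal hostname, certificate file paths and the validation rules are assumptions.

```python
import http.client
import http.server
import re
import ssl

INTERNAL_OWA = "owa.corp.example"   # assumed internal Exchange/OWA host (constructed)
OWA_PREFIXES = ("/owa", "/exchange", "/exchweb", "/public")  # OWA virtual directories
SAFE_PATH = re.compile(r"^/[\w.~!$&'()*+,;=:@/%?-]*$")       # assumed allowed charset

def validate_request(method, path, headers):
    """Inspect a decrypted request; return (True, '') to forward, else (False, why)."""
    if method not in ("GET", "POST"):
        return False, "method not allowed"
    if len(path) > 2048 or not SAFE_PATH.match(path):
        return False, "malformed path"
    route = path.split("?", 1)[0].lower()   # IIS paths are case-insensitive
    if not any(route == p or route.startswith(p + "/") for p in OWA_PREFIXES):
        return False, "not a published OWA path"
    if "Transfer-Encoding" in headers and "Content-Length" in headers:
        return False, "ambiguous body framing"
    return True, ""

class BridgeHandler(http.server.BaseHTTPRequestHandler):
    def _bridge(self):
        # first TLS leg already terminated by the listening socket in serve()
        ok, why = validate_request(self.command, self.path, self.headers)
        if not ok:
            self.send_error(400, why)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        hdrs = {**self.headers, "Host": INTERNAL_OWA}
        # second TLS leg: verify the internal server's certificate (assumed CA file)
        ctx = ssl.create_default_context(cafile="internal-ca.pem")
        conn = http.client.HTTPSConnection(INTERNAL_OWA, 443, context=ctx)
        conn.request(self.command, self.path, body, hdrs)
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    do_GET = do_POST = _bridge

def serve(listen=("0.0.0.0", 443)):
    httpd = http.server.HTTPServer(listen, BridgeHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("external-cert.pem", "external-key.pem")  # assumed paths
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Run `serve()` on the DMZ host; the only connection it opens toward the LAN is HTTPS to INTERNAL_OWA on 443, which is the narrow, verifiable rule the firewall then has to permit.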


From: Hugo van der Kooij <hvdkooij AT VANDERKOOIJ DOT ORG>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] OWA Outlook Web Access in DMZ...need access to Active Directory...
Date: Tue, 19 Dec 2006 11:12:14 +0100

On Mon, 18 Dec 2006, no-need to-list wrote:

Hello Everyone...
Has anyone deployed OWA (Outlook Web Access) in a DMZ?
It needs access to MS Active Directory; no errors are reported from the FW (R55 HFA18), but it is still unable to talk to MS Active Directory.
What is the best way to deploy this?

Frankly, I would (preferably) not deploy anything on a DMZ that needs to set up connections to the inside without a clear protocol definition that one can reliably verify. So this rules out any proprietary protocol like Microsoft RPC or Oracle.

In your case I would set up a front for OWA and put it in the DMZ, and leave OWA on your LAN.

Hugo.

--
        hvdkooij AT vanderkooij DOT org http://hvdkooij.xs4all.nl/
            This message is using 100% recycled electrons.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
