Thanks Ray and everyone who replied.
We have an MS ISA server that we are currently using as the Internet Explorer
proxy server.
The reason is that we get a lot of granular reports on Internet usage, but that is
another story.
I see this solution is a lot cleaner than deploying Outlook Web Access in the
DMZ; we see no packets getting dropped by the Checkpoint FW or SmartDefense and
are still unable to get it working.
We will try your suggested solution. I think we saw some writing about this
solution from Microsoft and we will give it a try.
Regards
----- Original Message ----
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: Tuesday, December 19, 2006 5:43:56 PM
Subject: Re: [FW-1] OWA Outlook Web Access in DMZ...need access to Active Directory...
The best way is to deploy Microsoft's ISA server as the front end. Its
"publishing" rules and built-in OWA forms-based authentication make for a
very clean package. You actually install the SSL certificate in two places:
on the internal Exchange server running OWA and on the EXTERNAL interface of
the ISA server.
When an SSL connection comes in from the Internet, it's terminated on ISA's
external interface. ISA checks all of the decrypted traffic to ensure it
conforms to Microsoft's specs (including checks for malformed traffic) and
then sends it out the internal interface via SSL to the internal OWA server.
I've got ISA behind FW-1 and that's how we do it. FW-1 is blind to SSL
traffic, which is why ISA's ability to perform SSL termination is such a
good addition.
Ray
>From: Hugo van der Kooij <hvdkooij AT VANDERKOOIJ DOT ORG>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] OWA Outlook Web Access in DMZ...need access to Active Directory...
>Date: Tue, 19 Dec 2006 11:12:14 +0100
>
>On Mon, 18 Dec 2006, no-need to-list wrote:
>
>>Hello Everyone...
>>Has anyone deployed OWA Outlook Web Access in a DMZ? It needs access to MS
>>Active Directory. No errors are reported from the FW (R55 HFA18), but it is
>>still unable to talk to MS Active Directory.
>>What is the best way to deploy this?
>
>Frankly, I would (preferably) not deploy anything on a DMZ that needs to
>set up connections to the inside without a clear protocol definition that
>one can reliably verify. So this rules out any proprietary protocol like
>Microsoft RPC or Oracle.
>
>In your case I would set up a front for OWA and put it in the DMZ and leave
>OWA on your LAN.
>
>Hugo.
>
>--
> hvdkooij AT vanderkooij DOT org http://hvdkooij.xs4all.nl/
> This message is using 100% recycled electrons.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================
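The step Ray describes (decrypt on the external interface, check the traffic, re-encrypt it toward the internal OWA server) is exactly what a packet filter that only sees SSL cannot do. The Python below is an added example written for this page, not ISA code and not anything posted in the thread, of the kind of request-level checks such a front end applies to a decrypted OWA request before forwarding it: the OWA path prefixes (/exchange/, /exchweb/, /public/), the method set and the size limits are assumptions to be tuned per site, and the sample requests are constructed, not captured.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Assumed allow-lists (tune per site): the OWA 2003 virtual directories an
# OWA publishing rule typically exposes, and the methods a browser session needs.
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
MAX_HEAD_BYTES = 16 * 1024        # request line + headers
MAX_BODY_BYTES = 4 * 1024 * 1024  # assumed ceiling for attachment uploads
MAX_HEADERS = 64
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # header-name token
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")         # control chars except HTAB


def inspect_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) for one decrypted HTTP request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    if len(head) > MAX_HEAD_BYTES:
        return False, "request head too large"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"

    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not target.startswith("/") or len(target) > 2048:
        return False, "bad request-target"

    # Decode exactly once, then refuse anything that still looks encoded, any
    # backslash (IIS treats it as a path separator) and any dot-dot segment.
    # Rejecting rather than normalising matters because the back end may
    # decode again, which can resurrect an encoded '..'.
    path = unquote(target.split("?", 1)[0])
    if "%" in path or "\\" in path or _CTL.search(path) or "/../" in (path + "/"):
        return False, "path contains traversal, control or still-encoded characters"
    # IIS paths are case-insensitive, so compare lower-cased or /Exchange/ slips by.
    if not path.lower().startswith(ALLOWED_PREFIXES):
        return False, "path outside published OWA directories"

    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A bare LF or CR inside 'value' means the client tried to split the line.
        if not colon or not _TOKEN.match(name) or _CTL.search(value):
            return False, f"malformed header line {line[:40]!r}"
        key = name.lower()
        if key in headers and key in ("host", "content-length"):
            return False, f"duplicate {key} header"
        headers[key] = value.strip()

    if "host" not in headers:
        return False, "missing Host header"
    if "content-length" in headers and "transfer-encoding" in headers:
        return False, "both Transfer-Encoding and Content-Length (request smuggling)"
    cl = headers.get("content-length")
    if cl is not None and (not cl.isdigit() or int(cl) > MAX_BODY_BYTES):
        return False, "bad or oversized Content-Length"
    return True, "ok"


# Constructed sample requests (not captured traffic).
GOOD = (b"GET /Exchange/jdoe/Inbox/?Cmd=contents HTTP/1.1\r\n"
        b"Host: owa.example.com\r\nCookie: sessionid=abc\r\n\r\n")
TRAVERSAL = (b"GET /exchange/..%2f..%2fwinnt/system32/cmd.exe HTTP/1.1\r\n"
             b"Host: owa.example.com\r\n\r\n")
SMUGGLE = (b"POST /exchange/jdoe/ HTTP/1.1\r\nHost: owa.example.com\r\n"
           b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OUTSIDE = b"GET /iisadmpwd/aexp.htr HTTP/1.1\r\nHost: owa.example.com\r\n\r\n"
SPLIT = (b"GET /exchange/ HTTP/1.1\r\n"
         b"Host: owa.example.com\nX-Forwarded-For: 10.0.0.1\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("TRAVERSAL", TRAVERSAL), ("SMUGGLE", SMUGGLE),
                      ("OUTSIDE", OUTSIDE), ("SPLIT", SPLIT)]:
        print(f"{name:10s} {inspect_request(req)}")
```

None of these checks are possible at FW-1's position in the diagram, because everything after the TCP handshake is ciphertext there; they only become possible once the front end holds the private key and terminates the session itself, which is the trade-off Ray's design makes.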
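The original question (no drops logged on the firewall, yet the DMZ OWA box cannot reach Active Directory) and Hugo's objection to letting MS RPC cross from the DMZ inward both come down to which ports actually get through. The Python below is an added example, not something posted in the thread and not a Microsoft or Check Point tool: it probes the directory ports from the DMZ host and separates "reached but refused" (an RST came back) from "silently dropped" (nothing came back), which is the first thing to know when the firewall log shows nothing. The port list is the one commonly given for an Exchange 2003 front end and is an assumption to confirm against your own requirements; the loopback listener is only there so the checker can be exercised offline.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Ports an Exchange 2003 front end is commonly listed as needing on a domain
# controller or global catalog. Assumed list: confirm it against your own
# requirements before turning it into firewall rules.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB/Netlogon", 636: "LDAPS", 3268: "Global Catalog", 3269: "GC/SSL",
}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect to host:port and classify what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN/ACK and no RST within the timeout: something in the path is
        # dropping the packets (or the host is down). A silent drop may or may
        # not appear in the firewall log, so an empty log proves little.
        return "filtered"
    except ConnectionRefusedError:
        # RST came back: the host (or a rejecting firewall) was reached, but
        # nothing is listening on that port.
        return "refused"
    except OSError as e:
        return f"error:{e.errno}"


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port and return {port: outcome}."""
    return {port: probe(host, port, timeout) for port in ports}


def diagnose(results: Dict[int, str]) -> List[str]:
    """Turn per-port outcomes into the findings an admin acts on."""
    findings = []
    filtered = sorted(p for p, s in results.items() if s == "filtered")
    refused = sorted(p for p, s in results.items() if s == "refused")
    if filtered:
        findings.append(f"silently dropped: {filtered} (check firewall drop rules and routing)")
    if refused:
        findings.append(f"reached but refused: {refused} (no listener, or a reject rule)")
    if results.get(135) == "open":
        # The endpoint mapper only hands out a port number; the actual RPC call
        # then goes to a dynamic high port that the firewall must also allow
        # (or the Windows hosts must be pinned to a fixed RPC port range).
        # This is why 135 alone passing can still leave AD access broken.
        findings.append("135 open: also allow the dynamic RPC port range, or pin RPC ports")
    if not findings:
        findings.append("all probed ports open")
    return findings


def local_listener() -> Tuple[socket.socket, int]:
    """Bind a throw-away listener on loopback so the checker can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Find a loopback port with nothing listening on it (used to show 'refused')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real run from the DMZ host: python ad_ports.py <dc-ip-or-name>
        res = check_ports(sys.argv[1], AD_PORTS)
        for port, status in sorted(res.items()):
            print(f"{port:5d} {AD_PORTS[port]:20s} {status}")
        for line in diagnose(res):
            print("-", line)
    else:
        # Offline demonstration against loopback: one open port, one closed.
        srv, open_port = local_listener()
        res = check_ports("127.0.0.1", [open_port, free_port()], timeout=1.0)
        print(res, diagnose(res))
        srv.close()
```

Run it from the DMZ host against a domain controller. If the LDAP and Kerberos ports come back "open" while RPC traffic still fails, the dynamic RPC range is the usual culprit, and it is the reason Hugo would rather keep the RPC-speaking component on the LAN and put only a front end in the DMZ.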