You should have them place an OWA server in the DMZ and use IPSec policies
between the OWA front end server and the backend exchange servers on the
internal network. That way you only have to open 2(or 3) ports for ipsec
between the servers from internal to dmz. It limits the exposure as you only
need to open 443 and 80 to the server from the Internet. If they are trying to
have users access directly to the Exchange servers from a remote site or the
Internet I would get the exact IPs and open only to the defined IP range or
make them use a VPN. If they are asking to open to the Exchange server directly
from the Internet I would get them to sign off on this with something that
spells out the risk of indiscriminately opening up MS ports to the entire
Internet.
Jason
>>> "Wiedemann, Adrian" <Adrian.Wiedemann@rz.uni-karlsruhe.de> 04/11/07 3:52 AM
>>> >>>
Hi,
> to forward ports on the PIX from the Internet to internal servers. I
> have
> explained that port forwarding is very risky but they don't seem to
> understand. Are there any publications that can be used to show the
It boils down to the Exchange-Server setup. If he is using a
frontend-backend Exchange configuration and requests port 443 to be
forwarded, I see no inherent security concerns about this. In general, I see
no security implications about forwarding ports. I just depends on the
servers, on which these ports are forwarded to.
Regards, Adrian
Ret
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
|