Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: How to deploy Microsoft OWA without using ISA?

from [Jim Harrison] Network Security [Permanent Link]
Subject: RE: How to deploy Microsoft OWA without using ISA?
Date: Fri, 5 Jan 2007 09:02:53 -0800 
<disclaimer>
No; I don't work for ISA marketing... :-p
</disclaimer>

Actually, ISA provides much more than "just OWA publishing".
The Exch team took the position that with ISA (and the coming ForeFront
technologies) in the mix, there was little gain and much risk in placing
the FE (CAS in Exch 2007 parlance) anywhere but in the LAN.

Being a Cisco-heavy shop doesn't obviate ISA deployment (although I do
understand your position).  In fact, many folks place ISA in the DMZ to
absorb the auth- and app-layer attacks and leave their app server safely
behind it.  Unless you're looking to create a hugely distributed
deployment, a single ISA (Std Edition) can probably serve your needs
quite well.  With ISA handling auth (via RADIUS if your shop is also
MS-paranoid), the CAS server only ever sees auth-validated traffic.
To make it neater, sweeter and more peteeter, ISA 2006 can use KCD to
further strengthen your auth position.
http://www.microsoft.com/technet/isa/2006/authentication.mspx should
help you get a handle on the kewlnesses that ISA 2006 brings to the Exch
2007 arena.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Randy Hall
Sent: Thursday, January 04, 2007 1:41 PM
To: Focus-MS
Subject: How to deploy Microsoft OWA without using ISA?

We have been using OWA2000 for a few years now.  The front end server
sits in a DMZ and communicates to the backend server with a very
painfully developed access list.  In addition, you need two factor
authentication to even get to the login screen.

I recently attended a Microsoft presentation of the new architecture of
Outlook 2007.  The one thing that stuck out to me was that you can no
longer put the front end server in a DMZ.  It has to be on the internal
network.  The recommended way to publish OWA is ISA2006.

I don't currently have ISA2006 anywhere in my network and we are a very
heavy Cisco shop.  What options do I have for publishing OWA?
Purchasing ISA2006 for this one application seems a bit overkill.

Any help or guidance would be appreciated.  Google turns up lots of hits
for doing this with ISA but doesn't give any alternative.

Randy Hall - Sr. Security Engineer - CISSP The Virginian Pilot - (757)
446-2754



All mail to and from this domain is GFI-scanned.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Secure Remote access - windows 2003, Jim Harrison
Next by Date:  RE: Secure Remote access - windows 2003, Jim Harrison
Previous by Thread:  How to deploy Microsoft OWA without using ISA?, Randy Hall
Next by Thread:  Re: How to deploy Microsoft OWA without using ISA?, Andy Ashley
Indexes:  [Date] [Thread] [Top] [All Lists]