Network Security Focus-Microsoft

Re: How to deploy Microsoft OWA without using ISA?

Subject: Re: How to deploy Microsoft OWA without using ISA?
Date: Fri, 05 Jan 2007 10:40:07 -0800
First off, let me say that ISA2006 is a fantastic product.  I recommend
taking a good, hard look at it - particularly if you are a heavy Cisco
shop...  But, more to the question.

OWA2007 offers many more features than previous versions, such as shared
folder mapping through OWA, etc.  My network admin (John Wilson) is
reviewing it, but we haven't deployed it in the DMZ yet.  But we will.

Note that the Exchange team has flip-flopped a few times on the front end
server being in the DMZ or not.  This latest stipulation may be because they
are not fully aware of what must happen for a DMZ installation to be
successful, or they may just think that full functionality (like drive
mapping via OWA) requires the box to be on the internal network.  Can you
tell us exactly WHY they say it "can't" be in the DMZ?  AFAIC, you can put
*anything* in the DMZ, but you might need to get creative to do so.  I may
be putting my foot in my mouth in regard to OWA2007, but I don't think so,
and I'm up to the challenge ;)

Regardless, ISA2006 can really come through for you- I've got my OWA2003 FE
server on a perimeter leg in our DMZ via ISA2006 and couldn't be happier.
Though the Exchange "port requirements" state that you've got to basically
allow everything through to your internal network, the fact is you don't.
My "least privilege" implementation works flawlessly with only DNS,
Kerberos-Sec (UDP), LDAP, LDAP-Global Catalog, and PING allowed only from
the perimeter FE box to the Internal DCs, and only HTTP from the FE to the
BE.  Now, if I want to actually manage mailboxes and such from the System
Manager on that box, or if I want to update Group Policy or such, then I
just enable my Allow rule for MIFS and RPC from the FE to the DCs, but turn
it off again afterwards.  This keeps the access list pretty tight.

Other options ISA offers that you might like include the ability to perform HTTP
content inspection with an SSL bridge. You terminate SSL from the client to
the ISA listener, and build it back with an SSL bridge so that ISA can
inspect the traffic.  Big bonus.

I cover precisely this type of configuration in my "ISA Ninjitsu" training
being offered at RSA next month, and at the Blackhat Federal show, so if you
are interested in how to build kickass DMZ firewall configs with ISA, I
suggest you send a team out to the training-- Cisco guys always learn a lot
;)  (I used to be a die-hard Cisco guy myself, so I know how to talk to them
:^)

And AFA an alternative goes, you can use the simple router tricks of your
PIX to packet forward to your OWA instance on the Exchange box, but I'd
rather sandpaper a bobcat's ass in a telephone booth than do that. ISA really
is the way to go...

Just my buck-o-five...

t

Support ' or 1=1 --
and help secure SQL installations while ending Intelligence Terror!
Visit http://www.apostropheOr1equals1dashdash.com to find out how.



********* RSA Training! *********
If you've got any interest in hard-core firewall/DMZ configurations,
Then check out Thor's "Hammer of God" Training at RSA 2007!
ISA Ninjitsu: Designing, Building, and Maintaining Enterprise Firewall and
DMZ Topologies with Microsoft ISA Server

https://cm.rsaconference.com/US07/catalog//profile.do?SESSION_ID=2434&form=searchform&ts=1167885409370

--
Join RABI- Republican's Against Bush's Ignorance
Read THAT mail, dude.
--


On 1/4/07 1:40 PM, "Randy Hall" <randy.hall@pilotonline.com> spoketh to all:

We have been using OWA2000 for a few years now.  The front end server sits in
a DMZ and communicates to the backend server with a very painfully developed
access list.  In addition, you need two-factor authentication to even get to
the login screen.

I recently attended a Microsoft presentation of the new architecture of
Outlook 2007.  The one thing that stuck out to me was that you can no longer
put the front end server in a DMZ.  It has to be on the internal network.  The
recommended way to publish OWA is ISA2006.

I don't currently have ISA2006 anywhere in my network and we are a very heavy
Cisco shop.  What options do I have for publishing OWA?  Purchasing ISA2006
for this one application seems a bit overkill.

Any help or guidance would be appreciated.  Google turns up lots of hits for
doing this with ISA but doesn't give any alternative.

Randy Hall - Sr. Security Engineer - CISSP
The Virginian Pilot - (757) 446-2754
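Since the original question came from a Cisco shop, here is the "least privilege" DMZ ruleset Thor describes in his reply above written out as a Cisco PIX 7.x access list. This is an added example, not code from either poster or from Microsoft; it only models the ports he names (DNS, Kerberos over UDP, LDAP, LDAP Global Catalog, ping from the front end to the DCs, HTTP from the front end to the back end, and an RPC rule that stays disabled until management work is needed). All addresses and object names are hypothetical: 192.0.2.10 is the OWA front end in the DMZ, 10.0.0.5 and 10.0.0.6 are the internal DCs, 10.0.0.20 is the back-end Exchange server, and 203.0.113.10 is the public address the front end is published on.

```cisco
! Added example (not from the original post): Cisco PIX 7.x sketch of the
! least-privilege DMZ ruleset described above. Addresses are hypothetical:
!   192.0.2.10   = OWA front end (DMZ)
!   10.0.0.5/.6  = internal domain controllers
!   10.0.0.20    = back-end Exchange server
!   203.0.113.10 = public address the front end is published on
!
! What the Exchange "port requirements" effectively ask for, and what NOT to do:
!   access-list dmz_in extended permit ip host 192.0.2.10 10.0.0.0 255.255.255.0
!
! The least-privilege version follows.

! Name the DCs once so the rules below stay readable.
object-group network INTERNAL_DCS
 network-object host 10.0.0.5
 network-object host 10.0.0.6

! Internet -> FE: publish the front end and allow only HTTPS to it.
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! FE -> DCs: DNS (UDP and TCP), Kerberos over UDP, LDAP, LDAP Global Catalog, ping.
access-list dmz_in extended permit udp host 192.0.2.10 object-group INTERNAL_DCS eq 53
access-list dmz_in extended permit tcp host 192.0.2.10 object-group INTERNAL_DCS eq 53
access-list dmz_in extended permit udp host 192.0.2.10 object-group INTERNAL_DCS eq 88
access-list dmz_in extended permit tcp host 192.0.2.10 object-group INTERNAL_DCS eq 389
access-list dmz_in extended permit tcp host 192.0.2.10 object-group INTERNAL_DCS eq 3268
access-list dmz_in extended permit icmp host 192.0.2.10 object-group INTERNAL_DCS echo

! FE -> BE: HTTP only; the front end proxies OWA to the back end over port 80.
access-list dmz_in extended permit tcp host 192.0.2.10 host 10.0.0.20 eq 80

! Management-time rule (RPC endpoint mapper), kept in the config but
! disabled. Remove the "inactive" keyword for the duration of the work,
! then put it back, matching the "enable it, then turn it off" approach above.
access-list dmz_in extended permit tcp host 192.0.2.10 object-group INTERNAL_DCS eq 135 inactive

! Everything else leaving the DMZ is dropped and logged.
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
```

Two caveats a practitioner will hit with this ruleset. First, the `extended` and `inactive` keywords are PIX 7.x/ASA syntax; PIX 6.x takes the same access-list lines without `extended` and has no `inactive`, so the management rule there has to be added and removed by hand. Second, opening TCP/135 alone does not make RPC management work: after the endpoint mapper, RPC moves to a dynamic high port, so you either open that range for the management window or pin it down on the DCs with the RPC port-range registry settings before writing the rule. The Kerberos line follows the post in allowing UDP only; clients retry over TCP/88 when a ticket is too large for a UDP datagram, so if logons from the front end start failing for users with many group memberships, that is the rule to look at first.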






