
| Subject: | RE: How to deploy Microsoft OWA without using ISA? |
|---|---|
| Date: | Mon, 8 Jan 2007 15:43:37 -0700 |
Use traditional security methods. Check out http://technet.microsoft.com/en-us/library/bb124597.aspx

Essentially use either smartcards in conjunction with EAP-TLS and properly configured firewalls, et al.

It is true that the new roles-based setup does remove the ability to have OWA directly in the DMZ itself; however, the new roles architecture provides substantially more flexibility than the front-end/back-end architecture of 2003. It is true that an OWA deployment outside of ISA2006 is a bit more complicated to properly address security concerns; however, there are alternative means to authenticate users and protect the OWA instance.

Another thing to think about -- does your enterprise still need the full-blown OWA installation? Remember that the Exchange ActiveSync capabilities inherent in the Client Access Server role can take care of some of your mobile user needs, and if you architect your environment correctly (VPNs - possibly including SSL-based VPN) you can take care of many remote access needs by configuring native Outlook clients to use tunneled RPC connections to connect to the Exchange infrastructure mailbox servers. For some organizations, this near-alleviates the need to provide OWA accessibility depending on the environment.

Hopefully the attached image (courtesy of Microsoft) will help clarify the various role relationships and spur some ideas about how to secure an Exchange 2007 OWA install. Obviously without deeper information into how your particular instance is constructed, it is difficult to provide more accurate strategies on securing 2007 for your enterprise.

Hope this helps.

--------------------------------------
Wayne S. Anderson
"A sufficiently developed bug is indistinguishable from a feature."
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Randy Hall
Sent: Thursday, January 04, 2007 2:41 PM
To: Focus-MS
Subject: How to deploy Microsoft OWA without using ISA?

We have been using OWA2000 for a few years now. The front end server sits in a DMZ and communicates to the backend server with a very painfully developed access list. In addition, you need two factor authentication to even get to the login screen.

I recently attended a Microsoft presentation of the new architecture of Outlook 2007. The one thing that stuck out to me was that you can no longer put the front end server in a DMZ. It has to be on the internal network. The recommended way to publish OWA is ISA2006.

I don't currently have ISA2006 anywhere in my network and we are a very heavy Cisco shop. What options do I have for publishing OWA? Purchasing ISA2006 for this one application seems a bit overkill.

Any help or guidance would be appreciated. Google turns up lots of hits for doing this with ISA but doesn't give any alternative.

Randy Hall - Sr. Security Engineer - CISSP
The Virginian Pilot - (757) 446-2754

Exchange_2007.gif
Description: GIF image