Hosting Provided By

RE: Website inside or outside domain

From: Brad Bemis <Brad.Bemis(at)airborne.com>
Date: Wed Feb 12 2003 - 18:53:11 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft's ISA Server has several features that are supposed to provide both security and flexibility for the type of scenario you describe... I have not played with it myself, but I did sit in on a class for it a few weeks back. I can't comment on the level of security provided, but it might be worth investigating. Of course, that all depends on how you feel about deploying a Microsoft firewall in your enterprise ;-)

Thank you for your time and attention,

Brad Bemis, CISSP, CISA, CBCP
Information Security Officer
Airborne Express

brad.bemis@airborne.com

Email Notice: This communication may contain sensitive information. If you are not the intended recipient, or believe that you have received this communication in error; do not print, copy, retransmit, disseminate, or otherwise use the information contained herein for any purpose. Please alert the sender that you have received this message in error, and delete the copy that you received.

-----Original Message----- From: KEITH KOOYMAN [mailto:pcsolutions101@hotmail.com] Sent: Wednesday, February 12, 2003 1:00 PM To: focus-ms@securityfocus.com Subject: RE: Website inside or outside domain

As I have followed this thread I have noticed that no one has addressed the similarities between this situation and OWA. Essentially, this is much the same scenario, where a public web server is in the DMZ and the question is: How do I allow access to the back-end Exchange Server?

You can:
1. Put a firewall between the DMX and the LAN (many firewalls have a preconfigured DMZ so a second firewall is not needed) and open up so many ports from the DMZ to the LAN that the firewall is useless = the official Microsoft solution
2. You can leave the front-end in the DMZ and use pass-through authentication which takes web traffic straight to your back-end = not desireable
3. Multi-home the front-end public web server, use TCP/IP filters, IPSEC and firewall rules to filter, authenticate and encrypt traffic going to the back-end; a good idea but time consuming and difficult to set up 4. Move the front-end public web server to the LAN = not desirable 5. Use a third party hybrid solution = expensive

Does anyone else have a take on this Exchange point of view on the public web server?

MSN 8 with e-mail virus protection service: 2 months FREE* http://join.msn.com/?page=features/virus

Do you need help?

-----BEGIN PGP SIGNATURE-----

Version: PGP Freeware, Ver 6.5.8CKT - Build 8
Comment: KeyID: 0xB8F26ADD
Comment: Fingerprint: 6E1C D617 CD65 A203 7FD5  4C68 90E7 39F4 B8F2 6ADD

iQA/AwUBPkreZ5DnOfS48mrdEQJoOACguOBNsSjmMqwpGONI3ctOiRuG/+UAoKO6 0NrTiL5GX0Q7H4ctUtm+p2hC
=QyFw
-----END PGP SIGNATURE-----
Received on Wed Feb 12 19:02:44 2003

This message: [ Message body ]
Next message: Tim Habex: "Windows 2000 Static arp not static"
Previous message: KEITH KOOYMAN: "RE: Website inside or outside domain"
Maybe in reply to: KEITH KOOYMAN: "RE: Website inside or outside domain"
In reply to Deus, Attonbitus: "RE: Any way to remove ADMIN$ only?"
Reply: D. Ian Miller: "Re: Website inside or outside domain"
Reply: Henry Sieff: "Ye Olde OWA Topic (Was RE: Website inside or outside domain)"
Reply: shannong: "RE: Ye Olde OWA Topic (Was RE: Website inside or outside domain)"
Reply: shannong: "RE: Website inside or outside domain"
Reply: Steve: "Re: Ye Olde OWA Topic (Was RE: Website inside or outside domain)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT