Exchange security and DMZ
Hi all, I've just landed in an ongoing Exchange Server 2007 implementation project and the first thing I've noticed is the use of a reverse proxy to the client interface, OWA. It sounded a little strange to me, since the server providing the OWA is in the internal network, but after digging a little bit for info, I've found that it is more or less the accepted best practice.

So, to make things clear: we have the first FW layer with the corresponding ports to the reverse proxy open; then we have another FW layer permitting this reverse proxy to access the corresponding ports at our OWA server. Or "graphically":

{ internet } ---- | FW |---(reverse proxy) --- | FW |--- {internal net - (OWA) }

Now my question: since this reverse proxy (not an ISA) is just reverse proxying the requests to the internal server, it is in my opinion a considerable risk. If we recall old(?) vulnerabilities like the Unicode translation bug, in which it was possible to issue commands just using HTTP GET requests, that would put our internal server back in the front layer. I mean, in other words, it would be facing the internet (I know, it is a little exaggerated).

What do you think about it? Am I mistaken in some assumptions, or am I too paranoid? If you agree with me, what would be a better solution? (My first thought was to put the client interface in the DMZ ... at least, if it is compromised, one would have to bypass another layer, or another server for that matter.) I've read something about an Edge role in Exchange 2010 too ... Thank you!
August 4th, 2010 6:48pm

It's no more of a risk than having any access to the Internet, and the word 'considerable' is way, way out. Yes, you are being paranoid. No, you cannot put your 2007 box into the DMZ. That's not a supported configuration, and if you think you're at risk now just wait until you see what you have to open if you tried to put the CAS in the DMZ. All you're doing is exposing 443 from the Internet to that box, and OWA only responds to specific strings so it's very, very difficult to break. The Edge has got nothing to do with the client access. If you are so concerned about this you will want to deploy TMG rather than whatever you have in place at the moment.

Mark Arnold, Exchange MVP.
August 4th, 2010 7:29pm
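The difference between the pass-through proxy the original poster describes and the TMG publishing rule Mark recommends is whether anything in the middle looks at the request before relaying it. The following Python sketch is an added example, not code from this thread or from any Microsoft product: it models the request filter an application-layer publishing rule applies in front of a CAS (decode the URL exactly once, reject double encoding, invalid UTF-8, backslashes, ".." segments and a smuggled authority, then forward only requests for published virtual directories), next to a pass-through proxy that forwards everything. The list of Exchange 2007 virtual directories, the allowed methods and the sample requests are assumptions constructed for the example.

```python
"""Request filter for a reverse proxy publishing Exchange 2007 client access.

Added example (not from the thread, not Microsoft code). A plain pass-through
proxy forwards every request to the internal CAS; an application-layer
publishing rule (what ISA/TMG adds) canonicalises the URL once and forwards
only requests for the virtual directories that are actually published.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Exchange 2007 default virtual directories, lower-cased (assumed list; trim it
# to what the deployment really publishes).
PUBLISHED_PREFIXES = (
    "/owa",
    "/microsoft-server-activesync",
    "/rpc",           # Outlook Anywhere (RPC over HTTPS)
    "/ews",
    "/autodiscover",
    "/oab",
)

# Methods the published applications actually use (assumption).
ALLOWED_METHODS = frozenset(
    {"GET", "POST", "HEAD", "OPTIONS", "RPC_IN_DATA", "RPC_OUT_DATA"}
)


def canonical_path(request_target: str) -> Optional[str]:
    """Decode the request path exactly once and return a canonical, lower-cased
    form, or None when the request cannot be canonicalised safely."""
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        return None                        # "//host/owa" parses as an authority
    decoded = unquote(parts.path)          # exactly one layer of percent-decoding
    if "%" in decoded:
        return None                        # a second encoding layer was underneath
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in decoded):
        return None                        # control bytes or invalid/overlong UTF-8
    if "\\" in decoded:
        return None                        # IIS treats backslash as a separator
    if not decoded.startswith("/"):
        return None
    if ".." in decoded.split("/"):
        return None                        # no legitimate OWA URL climbs directories
    return posixpath.normpath(decoded).lower()


def is_published(method: str, request_target: str) -> bool:
    """Forwarding decision of the filtering proxy."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    path = canonical_path(request_target)
    if path is None:
        return False
    return any(path == p or path.startswith(p + "/") for p in PUBLISHED_PREFIXES)


def pass_through(method: str, request_target: str) -> bool:
    """Forwarding decision of a proxy that just relays everything, i.e. the
    setup described in the question."""
    return True


# Constructed sample requests for comparison.
SAMPLE_REQUESTS = [
    ("GET", "/owa/auth/logon.aspx?url=/owa"),
    ("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=u&DeviceId=d"),
    ("GET", "/owaX/anything"),                   # prefix confusion
    ("GET", "/owa/../exchweb/../../notpublished"),
    ("GET", "/rpc/..%255c../notpublished"),      # double-encoded backslash
    ("GET", "/owa/%c0%ae%c0%ae/notpublished"),   # invalid (overlong) UTF-8
    ("GET", "//evil.example/owa"),               # authority smuggled into the path
    ("TRACE", "/owa"),
]

if __name__ == "__main__":
    for method, target in SAMPLE_REQUESTS:
        print(f"{method:6} {target:48} pass-through={pass_through(method, target)!s:5} "
              f"filtered={is_published(method, target)}")
```

Run as a script it prints the two decisions side by side: the pass-through column is True for every line, the filtered column only for the two genuine OWA and ActiveSync requests. The filter is deliberately conservative (anything it cannot canonicalise is dropped rather than guessed at), which is the property that makes the CAS behind it less exposed than a box that receives every byte sent to port 443.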

And on top of that you can run SCW. Don't "overdo" the security, then you will have other problems, like managing it etc.

Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
August 5th, 2010 5:17pm

Yes, don't overdo. I had a call with a customer today who had tied themselves so far up in knots that a service account for an application couldn't make it to where %temp% was residing. The security on the box was a spaghetti dish, and the two people paid to manage the box and the app on the box were not fully familiar with what the security guy had done. So they undid it all. Thus the security guy was ultimately responsible for a security problem rather than being the guy keeping things safe. #epic #fail.

Mark Arnold, Exchange MVP.
August 6th, 2010 3:06pm
