Level of additional security attained with a reverse proxy (ISA/TMG, for example)
I was having a discussion with some other network admins and we were wondering to what degree a solution like ISA/TMG offers increased security for an Exchange environment, if you used it, for example, to publish OWA. First, I'm assuming Exchange 2007 or 2010. OK.

For some, any direct access to internal servers from the Internet is a bad thing. Yet, there are probably thousands of SBS environments where Exchange is exposed to the outside world, albeit through port 443 (and perhaps 80) only. And as far as I know, the Edge Transport role can provide antivirus, antispam and some policy functions (address rewrite) but does not act as a reverse proxy (correct?).

So, let's imagine an environment where:
1) The only inbound access to the Hub Transport server is from your hosted email filtering company (MX Logic, Postini).
2) The only access to the CAS is on port 443.
3) The CAS server respects commonly recommended guidelines for security: updates regularly applied, default admin account disabled or protected with a long and complex password, logs monitored for failed logon attempts, possible application of security templates, and I could go on...

So on one hand we have that, and on the other we add an ISA/TMG reverse proxy allowing us, among other things, to publish OWA. What exactly are we gaining security-wise from the reverse proxy? Someone asked: if it just shuttles the packets over to the CAS, what are we gaining?
February 1st, 2011 6:12pm

> I was having a discussion with some other network admins and we were wondering to what degree a solution like ISA/TMG offers increased security for an Exchange environment, if you used it, for example, to publish OWA. First, I'm assuming Exchange 2007 or 2010. OK. For some, any direct access to internal servers from the Internet is a bad thing.

Correct. It is generally an accepted security best practice to secure trusted servers by placing internet user access into a DMZ. This layer of separation reduces overall exposure to your network. Exposure = Risk.

> Yet, there are probably thousands of SBS environments where Exchange is exposed to the outside world, albeit through port 443 (and perhaps 80) only.

There are indeed many environments that lack the knowledge or resources to properly secure their environment. By definition these are often small businesses, who buy Small Business Server. SBS is not an inherently insecure product any more than another product. You can still publish with TMG, for example, or secure your network in many other ways.

> And as far as I know, the Edge Transport role can provide antivirus, antispam and some policy functions (address rewrite) but does not act as a reverse proxy (correct?).

The Edge Transport "role" cannot reverse proxy. However, you can install TMG on an edge server, which allows you to have a front end to all Exchange services.

> So, let's imagine an environment where: 1) The only inbound access to the Hub Transport server is from your hosted email filtering company (MX Logic, Postini). 2) The only access to the CAS is on port 443. 3) The CAS server respects commonly recommended guidelines for security: updates regularly applied, default admin account disabled or protected with a long and complex password, logs monitored for failed logon attempts, possible application of security templates, and I could go on... So on one hand we have that and on the other, we add an ISA/TMG reverse proxy allowing us, among other things, to publish OWA. What exactly are we gaining security-wise from the reverse proxy?

A reverse proxy adds security to a trusted web site by providing a layer of separation between users and trusted networks/systems. The same reason the Mona Lisa is behind bulletproof glass and you cannot touch it.

> Someone asked: if it just shuttles the packets over to the CAS, what are we gaining?

The CAS would only accept traffic from the DMZ, not the internet.

Your questions suggest you could use some more information on DMZs in general, not Exchange specifically.

· http://en.wikipedia.org/wiki/DMZ_(computing)
· http://en.wikipedia.org/wiki/Reverse_proxy
· Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010

Mike Crowley
Check out My Blog!
February 1st, 2011 9:11pm
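The answer's key property, that the CAS should only see traffic arriving from the DMZ reverse proxy, can be checked from the CAS's own IIS logs. The following is an added example, not part of the original thread: it parses a few constructed IIS W3C log lines from a CAS, flags OWA/ActiveSync requests whose client address is not the assumed TMG internal interface (10.0.1.5, a constructed value), and tallies 401 responses per source as a failed-logon indicator.

```python
import ipaddress
from collections import Counter

# Assumed address (constructed for this example): the ISA/TMG internal interface
# is the only host that should reach the CAS on 443 once publishing is in place.
ALLOWED_PROXIES = {ipaddress.ip_address("10.0.1.5")}

# Constructed IIS W3C log excerpt from a CAS; field order follows the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2011-02-01 18:00:01 10.0.2.10 GET /owa/ 10.0.1.5 200
2011-02-01 18:00:03 10.0.2.10 POST /owa/auth.owa 10.0.1.5 302
2011-02-01 18:00:07 10.0.2.10 GET /owa/ 198.51.100.23 401
2011-02-01 18:00:09 10.0.2.10 GET /owa/ 198.51.100.23 401
2011-02-01 18:00:12 10.0.2.10 GET /Microsoft-Server-ActiveSync 10.0.1.5 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def audit_cas_log(text, allowed=ALLOWED_PROXIES):
    """Return (direct_hits, failed_by_ip).

    direct_hits: requests whose client address is not an allowed proxy, i.e.
    evidence that the CAS is still reachable without traversing the DMZ.
    failed_by_ip: 401 responses per client address. Behind a reverse proxy the
    CAS sees the proxy's address here, which is exactly the separation the
    answer describes; per-user failed-logon monitoring then moves to the proxy."""
    direct_hits, failed = [], Counter()
    for rec in parse_w3c(text):
        client = ipaddress.ip_address(rec["c-ip"])
        if client not in allowed:
            direct_hits.append((rec["date"] + " " + rec["time"], str(client), rec["cs-uri-stem"]))
        if rec["sc-status"] == "401":
            failed[str(client)] += 1
    return direct_hits, failed

if __name__ == "__main__":
    hits, failed = audit_cas_log(SAMPLE_LOG)
    for when, ip, uri in hits:
        print(f"direct access bypassing the proxy: {when} {ip} {uri}")
    for ip, n in failed.items():
        print(f"{n} failed logons from {ip}")
```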

