Option #1 would have to be the worst option for security, all you have
to do is re-read Ben Nagy's response and think about it for a few more
minutes. When you place the OWA server directly into your internal
network without controls, you have no controls unless of course you
truly believe that a Microsoft product is not considered a "Hackable
device" and in this case we are talking about two Microsoft products -
ISA Proxy Server and OWA.....
[spaghetti] --> [hackable box] --> [hackable box] --> [pot of gold]

Option #2 is the better solution since there is at least one additional
control added in the diagram.

-----Original Message-----
Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

Definitely. In #1, if the ISA server is configured via the OWA publishing
wizard, it will create ACLs that prevent requests that don't match
/exchange/* from being passed to IIS. You can also run UrlScan at the ISA
server (though it requires some tweaking to keep from breaking some of OWA's

In #2, the same thing applies, but should the ISA server be compromised, say
via a buffer overflow, then there is no protection for the internal AD domain,
since those holes must be punched straight through the firewall (and they
are BIG holes).

-----Original Message-----
Subject: Re: [fw-wiz] PIX -> ISA -> OWA Configuration

Definitely? Under #1 it seems like something as simple as a directory
traversal attack against IIS/OWA that manages to get through ISA leaves your
entire internal network exposed. Under #2 it appears to me that an attacker
would need at the very least a second exploit to gain further access to the
trusted network.

> -----Original Message-----
> What is the preferred placement for an OWA front-end server given these
> two possible network configurations and why?
> 1) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [PIX Firewall]
> <==> [OWA] <==> [Internal Net w/Exchange Svr]
> 2) [Internet] <==> [PIX Firewall] <==> [ISA Proxy] <==> [OWA] <==>
> [PIX Firewall] <==> [Internal Net w/Exchange Svr]
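The thread leans on two things: the publishing rule that only lets /exchange/* reach IIS, and the worry that a directory-traversal request slips past that rule. The sketch below is an added illustration by the editor, not ISA's code and not posted by anyone in the thread; it assumes a proxy should percent-decode (repeatedly, for double encoding), fold backslashes and resolve ".." segments before comparing against the allowed prefix, and the sample paths are constructed.

```python
"""Model of a path allow-list in front of OWA/IIS (illustration only).
The '/exchange/' prefix is the one named in the thread; the canonicalisation
steps are the editor's assumptions about what a proxy must do before matching."""
import posixpath
from urllib.parse import unquote

ALLOWED_PREFIXES = ("/exchange/",)   # only /exchange/* is meant to reach IIS


def normalize_path(raw_path: str, max_decode_rounds: int = 3) -> str:
    """Canonicalise a request path so the allow-list sees what IIS would see.
    Repeated decoding catches double-encoded traversal (%252e%252e);
    backslashes are folded to '/' because IIS accepts both separators."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query/fragment
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # normpath collapses '.', '..' and '//' segments; it never climbs above '/'
    return posixpath.normpath(path)


def is_allowed(raw_path: str) -> bool:
    """True only if the canonical path sits under an allowed prefix."""
    try:
        path = normalize_path(raw_path)
    except ValueError:
        return False
    return any(path == p.rstrip("/") or path.startswith(p) for p in ALLOWED_PREFIXES)


# Constructed sample requests (not captured traffic) with the expected verdicts.
SAMPLES = {
    "/exchange/inbox": True,
    "/exchange/mail?cmd=open": True,
    "/exchange/../admin/": False,          # plain traversal out of the prefix
    "/exchange/%2e%2e/admin": False,       # percent-encoded dots
    "/exchange/%252e%252e/admin": False,   # double-encoded dots
    "/exchange\\..\\admin": False,         # backslash separators
    "/owa/": False,                        # outside the published path
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        verdict = is_allowed(raw)
        print(f"{'ok ' if verdict == expected else 'BAD'} {raw!r} -> {verdict}")
```

The point the third reply makes still stands: a filter like this only narrows what reaches IIS, so the placement decision is about what an attacker reaches once something does get through.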

firewall-wizards mailing list