OWA forwarded to another IIS box?

Post by Todd » Sat, 15 Jun 2002 03:27:18



I would like to give my employees access to OWA but do not want my E2K box
directly accessible to the Internet.  I have an IIS box in my DMZ that I was
hoping to use as the portal from which I could have users access OWA
through.

Is this even possible or must the E2K box have a direct connection as well?

TIA,

Todd


Post by Ed Woodric » Sat, 15 Jun 2002 04:03:58


Just create a hole for SSL to go through. Either that or let the users come
in on VPN. A member server in the DMZ opens up way too many holes.


> I would like to give my employees access to OWA but do not want my E2K box
> directly accessible to the Internet.  I have an IIS box in my DMZ that I was
> hoping to use as the portal from which I could have users access OWA
> through.
>
> Is this even possible or must the E2K box have a direct connection as well?
>
> TIA,
>
> Todd



Post by Scott Low » Sat, 15 Jun 2002 11:47:11


Todd, there's a lot of different ways you can go about this.  I don't think
you can use any form of redirect from another IIS server; even if you could,
it doesn't offer any protection because it simply redirects the client from
the IIS server on the DMZ to your E2K box, and clients are still hitting
your E2K box directly.

To completely isolate your E2K box, you need a web proxy, such as Microsoft
ISA Server 2000.  This can take your inbound web requests and proxy them on
to the E2K server, returning the response back to the client.  You can also
run a front-end E2K server, which performs some of the same function.
Finally, you can use SSL only and not straight HTTP, which will prevent a
lot of the common hacks from getting through.  Of course, you can also use
any combination of these methods as well.  I'd also recommend using URLScan
on your E2K server, to add another form of protection at Layer 7.

HTH,
Scott Lowe
Mercurion Systems, Inc.


> I would like to give my employees access to OWA but do not want my E2K box
> directly accessible to the Internet.  I have an IIS box in my DMZ that I was
> hoping to use as the portal from which I could have users access OWA
> through.
>
> Is this even possible or must the E2K box have a direct connection as well?
>
> TIA,
>
> Todd
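
The redirect-versus-proxy distinction from the reply above, as an added localhost example that is not part of any post in this thread: a redirecting front end hands the client the back-end address, while a proxying front end fetches the page itself. The server roles, the `/exchange/` path and the `inbox` body are constructed stand-ins, not real OWA or ISA Server behaviour.

```python
import http.server
import threading
import urllib.request

# Ignore any system proxy settings so the demo stays on localhost.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class Base(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def reply(self, code, body=b"", location=None):
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def run_demo():
    class Backend(Base):  # constructed stand-in for the internal E2K box
        def do_GET(self):
            self.reply(200, b"inbox")
    backend, backend_url = start(Backend)

    class RedirectFront(Base):  # DMZ box that only redirects
        def do_GET(self):
            self.reply(302, location=backend_url + self.path)

    class ProxyFront(Base):  # DMZ box that fetches on the client's behalf
        def do_GET(self):
            with OPENER.open(backend_url + self.path) as r:
                self.reply(r.status, r.read())

    results, servers = {}, [backend]
    for name, front in (("redirect", RedirectFront), ("proxy", ProxyFront)):
        srv, front_url = start(front)
        servers.append(srv)
        with OPENER.open(front_url + "/exchange/") as r:
            # geturl() is the URL the client finally connected to
            hit = r.geturl().startswith(backend_url + "/")
            results[name] = (hit, r.read())
    for srv in servers:
        srv.shutdown()
    return results
```

`run_demo()` returns, per front end, whether the client ended up connected to the back end directly and the body it received; only the redirect case reports a direct connection.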


Post by Todd » Sun, 16 Jun 2002 06:27:12


Scott,

Many thanks for the options.  Could you point me somewhere that I could look
to configure users to use SSL to access my OWA page instead of http: ?

Thanks,

Todd


> Todd, there's a lot of different ways you can go about this.  I don't think
> you can use any form of redirect from another IIS server; even if you could,
> it doesn't offer any protection because it simply redirects the client from
> the IIS server on the DMZ to your E2K box, and clients are still hitting
> your E2K box directly.
>
> To completely isolate your E2K box, you need a web proxy, such as Microsoft
> ISA Server 2000.  This can take your inbound web requests and proxy them on
> to the E2K server, returning the response back to the client.  You can also
> run a front-end E2K server, which performs some of the same function.
> Finally, you can use SSL only and not straight HTTP, which will prevent a
> lot of the common hacks from getting through.  Of course, you can also use
> any combination of these methods as well.  I'd also recommend using URLScan
> on your E2K server, to add another form of protection at Layer 7.
>
> HTH,
> Scott Lowe
> Mercurion Systems, Inc.
>
> > I would like to give my employees access to OWA but do not want my E2K box
> > directly accessible to the Internet.  I have an IIS box in my DMZ that I was
> > hoping to use as the portal from which I could have users access OWA
> > through.
> >
> > Is this even possible or must the E2K box have a direct connection as well?
> >
> > TIA,
> >
> > Todd


Post by Scott Low » Tue, 18 Jun 2002 09:56:38


Try this article from the Knowledge Base:

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q320291

Watch out for a potential wrap in that URL.

HTH,
Scott Lowe
Mercurion Systems, Inc.


> Scott,
>
> Many thanks for the options.  Could you point me somewhere that I could look
> to configure users to use SSL to access my OWA page instead of http: ?
>
> Thanks,
>
> Todd
>
> > Todd, there's a lot of different ways you can go about this.  I don't think
> > you can use any form of redirect from another IIS server; even if you could,
> > it doesn't offer any protection because it simply redirects the client from
> > the IIS server on the DMZ to your E2K box, and clients are still hitting
> > your E2K box directly.
> >
> > To completely isolate your E2K box, you need a web proxy, such as Microsoft
> > ISA Server 2000.  This can take your inbound web requests and proxy them on
> > to the E2K server, returning the response back to the client.  You can also
> > run a front-end E2K server, which performs some of the same function.
> > Finally, you can use SSL only and not straight HTTP, which will prevent a
> > lot of the common hacks from getting through.  Of course, you can also use
> > any combination of these methods as well.  I'd also recommend using URLScan
> > on your E2K server, to add another form of protection at Layer 7.
> >
> > HTH,
> > Scott Lowe
> > Mercurion Systems, Inc.
> >
> > > I would like to give my employees access to OWA but do not want my E2K box
> > > directly accessible to the Internet.  I have an IIS box in my DMZ that I was
> > > hoping to use as the portal from which I could have users access OWA
> > > through.
> > >
> > > Is this even possible or must the E2K box have a direct connection as well?
> > >
> > > TIA,
> > >
> > > Todd
