  1. #1
    Untanglit
    Join Date
    May 2011
    Posts
    28

    Publish OWA with UT authentication?

    Pretty much the only thing I like about Forefront TMG that UT doesn't have is a way to authenticate to the firewall itself, which is then passed to OWA automatically. This way, you are not automatically forwarded directly to the Exchange (or OWA role) server.

    Is there a way to do this with UT? The captive portal sounds like it might be the way, but none of the documentation seems to back me up on this.

  2. #2
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389


    OWA has its own web based authentication, once you stuff in an SSL cert what else do you want?

    There is no security benefit to reverse proxy authentication to OWA. Let IIS do its job. If you're that worried about your Exchange implementation, break out the client access role to a separate server.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untanglit
    Join Date
    May 2011
    Posts
    28


    That is a very interesting take on the subject - pretty much the exact opposite of what MS will tell you.

  4. #4
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389


    No, it's a sales gimmick for the forefront firewall. Why does Exchange have the ability to separate roles?

    Service security should be handled by the service. Reverse proxies only inject an extra point of failure. Especially when you're dealing with an Ajax enabled service! Like OWA 2010.

    Technically speaking, the Apache implementation in Untangle can do this. But Untangle doesn't support it.

    If you want to implement reverse proxy control for your public web services, I suggest you look into some dedicated products that perform that function. You'll get better support, and a better set of tools to work with.

  5. #5
    Untanglit
    Join Date
    May 2011
    Posts
    28


    OWA is literally our only public web service, but can you recommend some products to look at? I'm pretty green in this area, admittedly.

  6. #6
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389


    I've always done this with Apache, but I know current IIS implementations can do it too. There are load balancers out there that do similar things.

    My next question is why? All of my exchange deployments are single server with TCP 443 forwarded to the local IIS installation. If you don't trust stuff landing on that service, then don't forward the port. Make your users VPN in and access from there.

    I assume that server is also operating a publicly exposed SMTP service? Otherwise how are you getting your mail?

  7. #7
    Untanglit
    Join Date
    May 2011
    Posts
    28


    SMTP is received through an offsite Barracuda appliance, so it is not publicly open in the sense that security is our responsibility.

    I did a bit more research on reverse proxies, and the only advantage I *might* see with TMG is that it could inspect SSL packets - I *think*. I know it can in a regular proxy scenario, but I'm not sure about reverse proxy.

    However, in our environment less than 2% of traffic is listed as SSL (according to TMG reporting), so I haven't bothered. But, with OWA, 100% would be SSL - so maybe it's worth the effort there?

    I feel like I may be overthinking this, as I hear/read quite often that 443 is simply forwarded - not even with the CAS role in a separate DMZ. I mean, ISA/TMG has what, a 2% market share as an edge device? There isn't worldwide OWA havoc as far as I can tell.

  8. #8
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389


    Exactly. Also, when you're dealing with an SSL proxy situation you have to purchase and maintain two separate SSL certificates: one for the IIS installation on the Exchange server, as well as one for the proxy. The proxy terminates the customer's end of the transaction and decrypts the packets so it can inspect them; then it makes a new SSL connection to the internal web service and proxies the connection.

    These types of things are very commonly used for load balancers to manage a large volume of SSL traffic to multiple servers. But in your case, that is just an extra certificate, extra cost, and extra things to break.

    Nothing in Untangle inspects SSL traffic. We have some content filtration that can work on the IP, and host name in certain rare cases, but for the most part that traffic just goes from client to server unimpeded.

    I'm not aware of any UTMs that do anything meaningful in that specific vector either.

    Your OWA is perfectly safe being public, so long as you're maintaining a current version of Exchange, on a current version of Windows Server, with both products patched regularly.
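
    The "two certificates, two SSL legs, authenticate before IIS sees a packet" setup described above, written out as an Apache httpd 2.4 configuration. This is an added example and not code from the thread, from Untangle, or from TMG; the host names, certificate paths, the Active Directory server and the service account are all assumptions. It also assumes the /owa virtual directory on the Exchange server is set to Basic authentication, so the Authorization header that satisfies the proxy is forwarded by mod_proxy and satisfies IIS with the same credentials (mod_proxy strips only hop-by-hop headers such as Proxy-Authorization; Authorization is passed through).

```apache
# Added example: Apache httpd 2.4 as a pre-authenticating reverse proxy for OWA.
# Required modules (Debian/Ubuntu: a2enmod ssl proxy proxy_http ldap authnz_ldap headers).
# All names, paths and hosts below are assumptions for illustration.

# LDAPS to the domain controller, so the bind password and user credentials are
# not sent to AD in clear text. Assumed internal CA bundle.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/internal-ca.crt
LDAPVerifyServerCert On

Listen 443

<VirtualHost *:443>
    ServerName mail.example.com

    # Certificate 1: the public certificate the browser sees. This is the
    # leg the proxy terminates and can inspect.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mail.example.com.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    # Certificate 2 lives on the Exchange/CAS server (IIS). The proxy opens a
    # fresh TLS session to it and verifies that certificate against the
    # internal CA, so the back-end leg is not blindly trusted.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    SSLProxyCheckPeerName     on

    # Never act as a forward proxy; only the explicit ProxyPass below is used.
    ProxyRequests Off

    # Nothing but /owa is published on this name. Ordered first so the more
    # specific /owa section below replaces it for that path (AuthMerging Off).
    <Location />
        Require all denied
    </Location>

    # Pre-authentication: the user must be a valid AD account before any
    # request is proxied. Assumed DC host, base DN and bind account.
    <Location /owa>
        AuthType Basic
        AuthName "Outlook Web App"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://dc01.corp.example.com/DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=svc-owa-proxy,OU=Service Accounts,DC=corp,DC=example,DC=com"
        AuthLDAPBindPassword "changeme"
        Require valid-user

        # Tell OWA the client came in over HTTPS, since the proxy did the
        # public-side TLS. Assumed header name; Exchange itself is unchanged.
        RequestHeader set X-Forwarded-Proto "https"
    </Location>

    # Second TLS leg to the Exchange server. ProxyPassReverse rewrites the
    # Location headers IIS emits so redirects stay on the public name.
    ProxyPass        /owa https://exchange01.corp.example.com/owa
    ProxyPassReverse /owa https://exchange01.corp.example.com/owa

    ErrorLog  ${APACHE_LOG_DIR}/owa-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/owa-proxy-access.log combined
</VirtualHost>
```

    Check it with `apachectl configtest` before reloading. The configuration makes the trade-off from the post concrete: two certificates to buy and renew, a service account password on the proxy, and a new dependency, because if dc01 is unreachable over LDAPS every OWA request fails at the proxy with a 500 even though Exchange itself is healthy. That is the extra point of failure sky-knight refers to; what you get for it is that an unauthenticated client never reaches IIS.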

  9. #9
    Master Untangler
    Join Date
    Aug 2008
    Location
    Brazil (Sao Paulo)
    Posts
    483


    Why so many concepts? At the end of the day, it needs just a name/password to get in.
    I agree with sky-knight: forward port 443 to Exchange, it works very well.

    I'm also running Exchange 2007 behind UT, 3 years, no issues or incidents.

  10. #10
    Untanglit
    Join Date
    May 2011
    Posts
    28


    Thanks to both of you for your input! I'm still grappling with the lost investment in TMG that would take place if we move to another solution (most likely untangle), but the hassle it's put me through, time-wise, would have easily paid for another solution by now.

    I guess I have my answer right there!
