ISA vs DMZ

From a reader at a major whiskey maker (really!):

I purchased Secure Messaging with Microsoft Exchange Server 2000 at a Microsoft Windows 2003 conference in Cincinnati. The reason I purchased this book was for Chapter 14, Securing Outlook Web Access. I had been explaining to my boss that the traditional way of implementing Exchange 2000 (OWA) on a DMZ was not as secure as I would like, since you have to open several ports from the DMZ to the internal network. After explaining what I had found in your book and researching information on Microsoft’s website and others, I convinced him and our corporate office this was the way to go. In June I implemented your solution of publishing OWA with ISA Server to secure our OWA server. This September we were audited by our internal auditors, and they are telling us this is not as secure as the traditional way of placing the Exchange 2000 (OWA) server on the DMZ. They could not give us a reason why, so I want to challenge them that this is more secure before I am forced to change to the traditional way. I need information stating this method of securing Exchange OWA is more secure.

Tell your auditors to get off the glue. When you put an Exchange server of any stripe in the DMZ, you’ve created two problems. First, you’re putting a domain member in the DMZ, and if someone compromises it they may have a springboard to compromise other machines inside the perimeter. Second, to make Exchange work you’ve got to open a ton of ports from the DMZ into the internal network. DMZ configurations can be made secure, but the whole point behind ISA is that it gives you strong security by reverse proxying: the only thing the ISA server needs to pass inward is the published HTTPS traffic, so you don’t have to open anything else from the DMZ.
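The two problems above can be put in front of auditors as numbers rather than opinions. The script below is an added example (not from the original post or from the book it mentions): it takes two constructed firewall rule sets, one for a domain-joined OWA front-end in the DMZ and one for ISA reverse-proxy publishing, and counts how many internal hosts and ports each design exposes to a compromised DMZ host, and whether any DMZ host is talking directory protocols to a domain controller. The rule syntax, host names and the port list for the front-end design are assumptions chosen to be illustrative; substitute your real rule base.

```python
"""Quantify DMZ-to-internal exposure for two OWA deployment designs.

Added example with constructed rule sets; the rule syntax ("src -> dst proto/port"
or "proto/lo-hi") and the host names are assumptions, not a vendor format.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s+(tcp|udp)/(\d+)(?:-(\d+))?$")

# Constructed: a domain-joined Exchange 2000 front-end in the DMZ needs Kerberos,
# LDAP/GC, DNS, RPC endpoint mapper plus dynamic RPC, and HTTP to the back-end.
# (Illustrative minimal list, not an exhaustive Microsoft port list.)
DMZ_FRONTEND_RULES = """
internet -> dmz-owa tcp/443
dmz-owa -> internal-dc tcp/88
dmz-owa -> internal-dc udp/88
dmz-owa -> internal-dc tcp/389
dmz-owa -> internal-dc tcp/3268
dmz-owa -> internal-dc tcp/135
dmz-owa -> internal-dc tcp/1024-65535
dmz-owa -> internal-dns udp/53
dmz-owa -> internal-exch tcp/80
dmz-owa -> internal-exch tcp/135
dmz-owa -> internal-exch tcp/1024-65535
"""

# Constructed: ISA publishing terminates HTTPS in the DMZ and forwards only the
# published web traffic to the internal Exchange server.
ISA_PUBLISHING_RULES = """
internet -> dmz-isa tcp/443
dmz-isa -> internal-exch tcp/443
"""

# Ports that indicate a DMZ host is acting as a domain member (Kerberos, LDAP, GC).
DIRECTORY_PORTS = {("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 3268)}


def parse_rules(text):
    """Parse rule lines into (src, dst, proto, low_port, high_port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        src, dst, proto, lo, hi = m.groups()
        lo = int(lo)
        hi = int(hi) if hi else lo
        rules.append((src, dst, proto, lo, hi))
    return rules


def dmz_exposure(rules, dmz_prefix="dmz", internal_prefix="internal"):
    """Summarise what a compromised DMZ host could reach on the internal network."""
    reachable = defaultdict(set)   # internal host -> set of (proto, lo, hi)
    port_count = 0
    domain_joined = False
    for src, dst, proto, lo, hi in rules:
        if not (src.startswith(dmz_prefix) and dst.startswith(internal_prefix)):
            continue
        reachable[dst].add((proto, lo, hi))
        port_count += hi - lo + 1
        # A rule that lets the DMZ host speak Kerberos/LDAP inward is the
        # "domain member in the DMZ" problem in concrete form.
        if any(p == proto and lo <= port <= hi for p, port in DIRECTORY_PORTS):
            domain_joined = True
    return {
        "internal_hosts": len(reachable),
        "rules": sum(len(v) for v in reachable.values()),
        "ports": port_count,
        "domain_joined_in_dmz": domain_joined,
    }


def compare_designs():
    """Return the exposure summary for both designs side by side."""
    return {
        "dmz_frontend": dmz_exposure(parse_rules(DMZ_FRONTEND_RULES)),
        "isa_publishing": dmz_exposure(parse_rules(ISA_PUBLISHING_RULES)),
    }


if __name__ == "__main__":
    for design, summary in compare_designs().items():
        print(f"{design:15s} {summary}")
```

Run it as-is and the front-end design shows three internal hosts reachable over two dynamic RPC ranges plus a handful of directory ports, with the domain-member flag set; the ISA design shows one host, one port, and no directory traffic from the DMZ. The point is the method, not the exact numbers: feed it the real rule base and the "ton of ports" becomes a figure the auditors have to argue with.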
