Author: Erick Perez - Panama (Guest)
Posted: Tue Dec 13, 2005 1:58 am
Post subject: Exchange 5.5 OWA Setup in DMZ

Hi there,
We want to set up OWA access to our Exchange 5.5 Machine. The OWA client will
be installed in the DMZ web server that already has an SSL certificate.
Questions:
Our network is like this
Internet---PIX(dmz port)----DMZ
Internet---PIX(lan port)------LAN
1- Can I reuse the SSL certificate with my OWA?
2- My web server IS NOT part of any domain, servermax.exe complains about
the machine not being a member of a domain. Why do I have to make it part of
a domain?
3- I have ISA2004 lying around, will it be best to set up an ISA 2004 in the
DMZ and install OWA at the exchange server and then use ISA to publish OWA?
(sorry on this but due to company policies we cannot bypass the PIX)?
Thanks,
3- I have ISA2004 at hand

Author: Mark Arnold [MVP] (Guest)
Posted: Tue Dec 13, 2005 1:58 am
Post subject: Re: Exchange 5.5 OWA Setup in DMZ

On Mon, 12 Dec 2005 12:16:03 -0800, "Erick Perez - Panama"
<ErickPerezPanama@discussions.microsoft.com> wrote:
> Hi there,
> We want to set up OWA access to our Exchange 5.5 Machine. The OWA client will
> be installed in the DMZ web server that already has an SSL certificate.
> Questions:
> Our network is like this
> Internet---PIX(dmz port)----DMZ
> Internet---PIX(lan port)------LAN
> 1- Can I reuse the SSL certificate with my OWA?
> 2- My web server IS NOT part of any domain, servermax.exe complains about
> the machine not being a member of a domain. Why do I have to make it part of
> a domain?
> 3- I have ISA2004 lying around, will it be best to set up an ISA 2004 in the
> DMZ and install OWA at the exchange server and then use ISA to publish OWA?
> (sorry on this but due to company policies we cannot bypass the PIX)?
> Thanks,
> 3- I have ISA2004 at hand

Use ISA and publish the OWA through that.
You really don't want to open all your RPC ports from the DMZ to the
internal network, it's asking for a configuration nightmare.

Author: Erick Perez - Panama (Guest)
Posted: Tue Dec 13, 2005 1:58 am
Post subject: Re: Exchange 5.5 OWA Setup in DMZ

Ok,
The setup is like this:
Internet----PIX(dmz port)---ISA_2000---LAN
(sorry, it's an ISA 2000, not ISA 2004)
I installed OWA in a spare server inside the LAN.
I tested OWA access using a web browser from the LAN. Everything works fine.
My web server is in the DMZ in a host (let's call it HOSTA) that is controlled
by the PIX and not the ISA. We are using our ISA (let's call it HOSTB) as a
Proxy and we have no publishing rules with it, except for proxy/web browsing.
Now,
I created a destination set with the values
name/ip range = *
path = /exchange/*
then a web publishing rule that redirects to HTTP port 81.
Is the destination set OK? Or do I have to put some IP? Which one? The ISA
DMZ IP? Or the web server public IP and then make a redirect to my ISA?

Author: Mark Arnold [MVP] (Guest)
Posted: Tue Dec 13, 2005 9:58 am
Post subject: Re: Exchange 5.5 OWA Setup in DMZ

On Mon, 12 Dec 2005 16:36:01 -0800, "Erick Perez - Panama"
<ErickPerezPanama@discussions.microsoft.com> wrote:
> Ok,
> The setup is like this:
> Internet----PIX(dmz port)---ISA_2000---LAN
> (sorry, it's an ISA 2000, not ISA 2004)

Fine, whatever.

> I installed OWA in a spare server inside the LAN.
> I tested OWA access using a web browser from the LAN. Everything works fine.
> My web server is in the DMZ in a host (let's call it HOSTA) that is controlled
> by the PIX and not the ISA. We are using our ISA (let's call it HOSTB) as a
> Proxy and we have no publishing rules with it, except for proxy/web browsing.
> Now,
> I created a destination set with the values
> name/ip range = *
> path = /exchange/*
> then a web publishing rule that redirects to HTTP port 81.
> Is the destination set OK? Or do I have to put some IP? Which one? The ISA
> DMZ IP? Or the web server public IP and then make a redirect to my ISA?

The external IP doesn't matter so long as the OWA FQDN you use on the
outside actually matches! The Internal IP is obviously the Exchange
Server so as long as the rules meet in the middle then you'll be ok.
Any reason 81 rather than securing the channel with SSL, or are you
just setting up and testing at this stage?

Author: Erick Perez - Panama (Guest)
Posted: Tue Dec 13, 2005 5:58 pm
Post subject: Re: Exchange 5.5 OWA Setup in DMZ

Ok, the following setup is tested and working:
a- OWA Server 10.0.x.x in the LAN connecting to Exchange Server 10.0.x.x in
the LAN
b- ISA Server Publishing the OWA Server to the DMZ. ISA Server is at
192.168.100.8:8084 in the DMZ, so when you hit the ISA from the DMZ with the
URL http://192.168.100.8:8084/exchange/ , the OWA loads fine.
c- My Web Server with DMZ address 192.168.100.3, that serves our public
company page, has a redirect URL. Our Cisco PIX publishes our Web server with
rule address 207.x.x.x:80 <----> 192.168.100.3:80.
d- As a test, we set up the IIS in the web server to do an internal redirect
at port 81, and created a PIX rule for that. If something hits our DMZ IIS at
port 81, the IIS will redirect the URL to the ISA:8084 address.
Doing this from computers in the DMZ works ok.
So,
DMZ computer<-->WEBDMZ:81<-->ISADMZ:8084<-->OWALAN<-->EXCHANGELAN
Works.
But doing this from the internet does not work. I guess it's because when
the redirect URL goes into effect the ISADMZ wants to answer directly to the
client, and I don't want that. I want to handle all communications using the
WEBDMZ because I have an existing SSL certificate that I want to use to
secure my sessions. Port 81 was a test, final setup will be using https.
Suggestions? Or should I post to the IIS forum?
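
The failure described in the last post, where an IIS redirect hands the Internet client the ISA server's DMZ address, can be checked mechanically. The following is an added example, not code from the thread: it audits a recorded redirect chain for targets that are internal-only, drop HTTPS, or leave the host name the certificate was issued for. The name www.example.com and the response lists are constructed; 192.168.100.8:8084 is the ISA address quoted in the post.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_is_internal(host):
    """True if an Internet client could not reach this host directly."""
    try:
        # Literal IP: RFC 1918, loopback, link-local etc. are not globally routable.
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # Not an IP literal: treat single-label names (no dot) as internal-only.
        return "." not in host


def audit_chain(start_url, responses):
    """Walk recorded (status, Location) pairs and list findings per redirect target."""
    current, report = start_url, []
    for status, location in responses:
        if status not in REDIRECT_CODES or not location:
            break  # final response: the client stays on `current`
        target = urljoin(current, location)  # resolves relative Location values
        src, dst = urlsplit(current), urlsplit(target)
        findings = []
        if host_is_internal(dst.hostname or ""):
            findings.append("internal-host")
        if src.scheme == "https" and dst.scheme != "https":
            findings.append("tls-downgrade")
        if dst.hostname != src.hostname:
            findings.append("leaves-certificate-name")
        report.append((target, findings))
        current = target
    return report


# Constructed samples. www.example.com stands in for the public site name
# (assumption); 192.168.100.8:8084 is the ISA address quoted in the post.
REDIRECTED = audit_chain("https://www.example.com/",
                         [(302, "http://192.168.100.8:8084/exchange/")])
# What a published (reverse-proxied) path looks like to the same client.
PROXIED = audit_chain("https://www.example.com/exchange",
                      [(302, "/exchange/"), (200, None)])

if __name__ == "__main__":
    for name, chain in (("redirected", REDIRECTED), ("proxied", PROXIED)):
        print(name, chain)
```

An empty findings list for every hop means the client never leaves the public name, so the existing certificate covers the whole session.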