This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Securing OWA access

Hi,

for the monent I've
- a SNAT rule: any-https-public IP of exchange
- a paket filter: Untrust-trust any-https-exchange

Is there a way to check auth. already on the Astaro V7, before accessing the exchange?

What would be the best and safest practice to guarantee high security to OWA 2003 or 2007?

This thread was automatically locked due to age.

0 BAlfson over 16 years ago

Instead of SNAT, we've always done this with an 'Additional Address' named "OWA_External" on the External interface and a NAT rule: 'Any -> HTTPS -> OWA_External : DNAT to OWA_Internal' (Leave 'Destination service' empty).

It's easy to configure to have OWA always accessible with a FQDN. Have outlook.yourdomain.com pointing to the address on OWA_External added to your authoritative name server. Add an entry on the Astaro or in your internal DNS pointing outlook.yourdomain.com at the IP of the 'Internal (Address)' of the Astaro.

If you want the security of having the Astaro check authentication, you might want to avoid offering OWA on a public IP (no NAT) and set up the SSL VPN to allow an AD_authorized backend group. Once the user is connected via VPN, OWA and Outlook will be available to the user. We've never set anyone up like this, and I'd be interested to know if others have done it for security reasons.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 eganders_01 over 16 years ago in reply to BAlfson

The HTTP Reverse Proxy is already on the feature consideration list. It would be great. Vote for it!

Astaro Gateway Feature Requests
Cancel
Vote Up 0 Vote Down

Cancel