Host a secure web application and OWA, use as many servers and resources as necessary. : Inetserver
This is a discussion within the Inetserver forums in the Microsoft Tools category.
Inetserver: Microsoft Inet server asp, iis, ftp, smtp and security related discussions
#1
I apologize if this has been discussed in other posts but I have been researching for 2 days now and I am still slightly confused. I need to

CHALLENGE
Host a secure web application and OWA, use as many servers and resources as necessary.

CURRENT SETUP:
Both OWA and the web application live on the same server situated in a perimeter network (DMZ) which was created using a Sonicwall 2040. OWA is running SSL using a self-generated cert and the web application is running SSL using a cert from Verisign. After many days of research I was able to open the correct ports and everything is working.

From my research it appears that to secure OWA and to close the many ports that must be opened for OWA to work, Microsoft suggests placing ISA (an application level firewall) in the perimeter network and moving the front end server inside the network.

QUESTIONS:
Do I buy another server, load ISA, place it in the perimeter network created by the Sonicwall 2040, move my front end server inside the inner firewall and close all unnecessary ports?

Do I buy another server to host my web application and keep this in the DMZ, or do I host it on the ISA server?

Do I leave my web application on the existing server and somehow proxy it through the ISA server?
#2
Hi,

In my opinion the best way to protect your Exchange would be to deploy ISA Server and then move your domain joined server to LAN. Here is an example with ISA (older one -- so you should use ISA Server 2004 here)...
http://www.microsoft.com/technet/pro....mspx?mfr=true

Second part of the answer. No, you should not run IIS on ISA server, for its protection (best practice).

Now the remaining question is -- does your web application need access to domain? If not, leave it in DMZ (do not move it to LAN) on a server that is not part of domain...

--
Mike
Microsoft MVP - Windows Security

"Alpine7" <dreed@datashock.com> wrote in message news:1147105479.897896.269930@j33g2000cwa.googlegroups.com...
> I apologize if this has been discussed in other posts but I have been researching for 2 days now and I am still slightly confused. I need to
>
> CHALLENGE
> Host a secure web application and OWA, use as many servers and resources as necessary.
>
> CURRENT SETUP:
> Both OWA and the web application live on the same server situated in a perimeter network (DMZ) which was created using a Sonicwall 2040. OWA is running SSL using a self generated cert and the web application is running SSL using a cert from Verisign. After many days of research I was able to open the correct ports and everything is working.
>
> From my research it appears that to secure OWA and to close the many ports that must be opened for OWA to work, Microsoft suggests placing ISA (an application level firewall) in the perimeter network and moving the front end server inside the network.
>
> QUESTIONS:
> Do I buy another server load ISA place it in the perimeter network created by the Sonicwall 2040, move my front end server inside the inner firewall and close all unnecessary ports?
>
> Do I buy another server to host my web application and keep this in the DMZ, or do I host it on the ISA server?
>
> Do I leave my web application on the existing server and somehow proxy it through the ISA server?
#3
Thanks. I will plan on deploying ISA in the DMZ and moving my front end server to the LAN.

I have backup exchange servers located inside the LAN at two separate sites with a static map of port 25 through the firewall to them. Should I set up a DMZ with ISA at these sites as well?

My Web Application has calls to a database server which lives inside the LAN. Can ISA play a part in securing this asp.net web application? Or should I look more closely at building secure asp.net applications?
#4
Hi,

Are these two Exchange servers part of the same Exchange organization? If yes -- why is TCP port 25 open to them? As long as you have Exchange servers part of the same Exchange organization you should expose only one server -- the Front End server. It will then take care of mail routing to the other servers. What you did is still legitimate in some scenarios -- but I don't have enough information on your current setup.

Does your application require a server to be part of domain (e.g. uses Integrated Authentication in any way)? If yes -- then I would recommend putting the application on LAN. If not, put the application on a server that is not a member of domain and then route all traffic between DMZ and LAN through ISA.

My advice -- do both (lock down security using ISA and build secure application).

--
Mike
Microsoft MVP - Windows Security

"Alpine7" <dreed@datashock.com> wrote in message news:1147109145.368148.327610@v46g2000cwv.googlegroups.com...
> Thanks I will plan on deploying ISA in the DMZ and moving my front end server to the LAN.
>
> I have backup exchange servers located inside the LAN at tow seperate sites with a static map of port 25 through the firewall to them. Should I set up a DMZ with ISA at these sites as well?
>
> My Web Application has calls to a database server which lives inside the LAN. Can ISA play a part in securing this asp.net web applications? or should I look more closely at building secure asp.net applications.
#5
Thanks for all your help, I am slowly figuring this out.

The Exchange Servers are members of the same organization and yes the majority of our mail does route through our front end server, but the two other Exchange servers are located in different sites. All sites are connected via VPN and high speed lines. We need smtp open to the other exchange servers because they serve as backups if our internet connection for the Front End server goes down. This is accomplished by adding an MX Record with a preference of 10 for the front end server, MX Record preference 20 for the 1st site Exchange Server, MX Record Preference 30 for the 2nd site Exchange Server.

It is not required for the application server to be part of a domain for authentication, but the application does need to access a sql database server which is part of the domain and I do need to move static pdf files to the application from the domain on a regular basis. Do you think it would be best to

Move the application server to the LAN but not part of the domain and use ISA some way to proxy requests to the application.

Leave the application server in DMZ as part of the domain and proxy through ISA.

Leave the application server in DMZ not part of the domain and proxy through ISA.

Leave the application server in DMZ not part of the domain and forget about ISA for the application server.
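The MX-preference failover described in this post has a firewall consequence that is easy to miss: every host named in an MX record must accept inbound SMTP, or the backup path silently fails when the front end goes down. The following is an added example, not the poster's configuration or anything from the thread; it models the sender's MX selection (lowest preference value first, ties in random order) and cross-checks the MX hosts against the firewall's inbound port-25 mappings. All host names and the ingress list are constructed placeholders.

```python
"""MX-preference failover and its port-25 exposure, as a constructed model.

Added example, not from the thread. A sending MTA orders MX records by
ascending preference value and only falls back to the next host when the
preferred one cannot be reached (RFC 5321, section 5.1). Host names below
are placeholders mirroring the post: 10 = front end, 20 = site 1, 30 = site 2.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    preference: int
    exchange: str  # mail host name


# Constructed zone data matching the preferences given in the post.
ZONE_MX = [
    MXRecord(10, "frontend.example.test"),
    MXRecord(20, "site1-exchange.example.test"),
    MXRecord(30, "site2-exchange.example.test"),
]


def delivery_order(records, rng=None):
    """Hosts in the order an MTA tries them: ascending preference; records with
    equal preference are shuffled first so that the stable sort breaks ties
    randomly. The fixed seed is only for reproducibility in this example."""
    rng = rng if rng is not None else random.Random(0)
    shuffled = list(records)
    rng.shuffle(shuffled)
    return [r.exchange for r in sorted(shuffled, key=lambda r: r.preference)]


def choose_delivery_host(records, reachable, rng=None):
    """Simulate one delivery attempt: the first host in preference order that
    accepts a TCP/25 connection receives the message. `reachable` stands in for
    the outcome of the SMTP connect; None means every MX is down (mail queued)."""
    for host in delivery_order(records, rng):
        if host in reachable:
            return host
    return None


def hosts_needing_port_25(records):
    """Every MX host must accept inbound SMTP from the internet. This is why the
    backup servers need a port-25 mapping, not only the front end."""
    return sorted({r.exchange for r in records})


def mx_firewall_mismatch(records, smtp_ingress):
    """Cross-check MX data against the firewall's inbound TCP/25 mappings.

    Returns (unreachable_mx, excess_exposure):
      unreachable_mx  - MX hosts with no port-25 mapping: the failover path is
                        advertised in DNS but cannot actually receive mail.
      excess_exposure - hosts mapped on port 25 that no MX record points at:
                        an open SMTP listener nothing legitimately needs.
    """
    mx_hosts = {r.exchange for r in records}
    ingress = set(smtp_ingress)
    return sorted(mx_hosts - ingress), sorted(ingress - mx_hosts)


if __name__ == "__main__":
    everything_up = set(hosts_needing_port_25(ZONE_MX))
    print("normal delivery ->", choose_delivery_host(ZONE_MX, everything_up))
    print("front end down  ->",
          choose_delivery_host(ZONE_MX, everything_up - {"frontend.example.test"}))
    # Constructed firewall state: site 2 was never mapped, an old relay still is.
    print("mismatch:", mx_firewall_mismatch(
        ZONE_MX, ["frontend.example.test", "site1-exchange.example.test",
                  "old-relay.example.test"]))
```

The second output line is the scenario the post describes (front end unreachable, site 1 takes over). `mx_firewall_mismatch` is the check worth running whenever the MX set or the firewall changes: a host missing from the ingress list means the backup never works, and a host present only in the ingress list is the kind of unnecessary exposure the reply in the thread warns about.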
#6
Hi,

<snip>

> The Exchange Severs are members of the same organization and yes the majority of our mail does route through our front end server but the two other Exchange servers are located in different sites. All sites are connected via VPN and high speed lines. We need smtp open to the other exchange servers because they server as backups if our internet conection for the Front End server goes down. This is accomplished by adding an MX Record with a prefence of 10 for the front end server, MX Record preference 20 for 1st site Exchange Server, MX Record Preference 30 for 2nd site Exchange Server.

OK. As mentioned, there are some scenarios where this is valid. You just have to make sure that you also run e.g. antivirus for Exchange on all of your servers...

> It is not required for the application server to be part of a domain for authentication but the application does need to access a sql database server which is part of the domain and I do need to move static pdf files to the application from the domain on a regular basis. Do you think it would be best to
>
> Move the application server to the LAN but not part of the domain and use ISA someway to proxy requests to application.

Personally I would probably go with leaving the application in DMZ (not part of domain) and open the necessary protocols to LAN if necessary (e.g. SQL...) with ISA for additional protection (also other services mentioned in your post -- e.g. Exchange, SMTP,...)

Still, be careful with opening things from DMZ to LAN. Make sure that you open no more than necessary.

> Leave the application server in DMZ as part of the domain and proxy through ISA.
>
> Leave the applicaion server in DMZ not part of the domian and Proxy through ISA
>
> Leave the application server in DMZ not part of the domain forget about ISA for the application server.
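"Open no more than necessary from DMZ to LAN" is easy to state and hard to keep true once a rule base grows. The following is an added example, not from the thread and not tied to ISA's or the Sonicwall's own rule syntax; it takes the flows this thread actually needs (web app to SQL Server, a LAN host pushing the PDF files to the web app, ISA publishing OWA from the front end server) and audits a proposed DMZ/LAN rule set against them: required flows no rule permits, rules no required flow justifies, and rules wider than a single host and port. It then derives the least-privilege rule set. All addresses, ports, rule names and the assumed protocol for the PDF copy (SMB/445) are constructed placeholders.

```python
"""Least-privilege audit of DMZ <-> LAN firewall rules against required flows.

Added example, not from the thread. Addresses use documentation ranges:
192.0.2.0/24 stands for the DMZ, 10.0.0.0/24 for the LAN. Every value below
is constructed; the ports for the PDF copy (445) and OWA publishing (443) are
assumptions, not something the poster stated.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # single host address
    dst: str
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR or "any"
    dst: str
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # permitted destination ports; () means any port
    name: str


# Constructed: the three flows the thread says the design needs.
REQUIRED_FLOWS = [
    Flow("192.0.2.10", "10.0.0.20", "tcp", 1433, "web app -> SQL Server (domain member)"),
    Flow("10.0.0.30", "192.0.2.10", "tcp", 445, "LAN file server pushes static PDFs to web app"),
    Flow("192.0.2.5", "10.0.0.40", "tcp", 443, "ISA in DMZ publishes OWA from LAN front end"),
]

# Constructed: a rule base that has drifted from the minimum.
PROPOSED_RULES = [
    Rule("192.0.2.0/24", "10.0.0.20/32", "tcp", (1433,), "DMZ to SQL"),
    Rule("10.0.0.30/32", "192.0.2.10/32", "tcp", (445,), "PDF copy"),
    Rule("192.0.2.5/32", "10.0.0.40/32", "tcp", (443,), "ISA to OWA front end"),
    Rule("192.0.2.0/24", "10.0.0.0/24", "tcp", (), "legacy any-port DMZ to LAN"),
    Rule("192.0.2.0/24", "10.0.0.0/24", "tcp", (3389,), "RDP from DMZ"),
]


def _net(cidr):
    """Parse a CIDR; None represents the 'any' wildcard."""
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def rule_permits(rule, flow):
    """True when the rule would allow this flow: protocol, port and both
    endpoints fall inside what the rule matches."""
    if rule.proto not in ("any", flow.proto):
        return False
    if rule.ports and flow.port not in rule.ports:
        return False
    for rule_cidr, addr in ((rule.src, flow.src), (rule.dst, flow.dst)):
        net = _net(rule_cidr)
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    return True


def is_broad(rule):
    """A rule is broader than one host-to-host, single-port path if it leaves
    the port open or either endpoint covers more than one address."""
    if not rule.ports:
        return True
    for cidr in (rule.src, rule.dst):
        net = _net(cidr)
        if net is None or net.num_addresses > 1:
            return True
    return False


def audit(rules, required):
    """Return (missing, unjustified, broad):
    missing     - required flows that no rule permits (the design would break)
    unjustified - rules that permit none of the required flows (pure exposure)
    broad       - rules wider than the single host and port a flow needs"""
    missing = [f for f in required if not any(rule_permits(r, f) for r in rules)]
    unjustified = [r for r in rules if not any(rule_permits(r, f) for f in required)]
    broad = [r for r in rules if is_broad(r)]
    return missing, unjustified, broad


def minimal_rules(required):
    """Derive the least-privilege rule set: exactly one host-to-host,
    single-port rule per required flow, named after its purpose."""
    return [Rule(f"{f.src}/32", f"{f.dst}/32", f.proto, (f.port,), f.purpose)
            for f in required]


if __name__ == "__main__":
    missing, unjustified, broad = audit(PROPOSED_RULES, REQUIRED_FLOWS)
    print("missing flows: ", [f.purpose for f in missing])
    print("unjustified:   ", [r.name for r in unjustified])
    print("broad:         ", [r.name for r in broad])
    for r in minimal_rules(REQUIRED_FLOWS):
        print("tight rule:", r.src, "->", r.dst, r.proto, r.ports, "|", r.name)
```

On the constructed rule base the audit finds nothing missing, one rule with no justification at all ("RDP from DMZ"), and three rules wider than needed, including "DMZ to SQL", whose /24 source lets every DMZ host reach the database when only the web application needs to. `minimal_rules` is the shape of what should be configured instead: one line per flow, each explaining itself by name, so that the next change request has to argue for a new flow rather than widen an existing rule.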