Microsoft transformed Outlook Web App in Exchange Server 2010 by making it more user-friendly. For example, OWA now works more consistently with Web browsers outside the Microsoft universe.
These new features may entice more users to log onto Exchange 2010 remotely, making it even more important to ensure that OWA isn't used as a gateway for mischief on your network. Therefore, it's a good idea to create a buffer zone between your internal network and the Internet. OWA users will be accessing the system from various locations and from a variety of machines. Since you can't ensure the security of these machines, it’s best to put a protective layer between them and the network.
In earlier versions of Exchange, the buffer zone -- sometimes known as the demilitarized zone (DMZ) -- typically contains a copy of Exchange to massage incoming traffic from the Internet before it reached back-end servers. Exchange Server 2010 limits the server’s role when it is installed in the DMZ. Microsoft made these changes for two reasons -- to address configuration issues customers were making and to boost security.
Microsoft learned that more customers used reverse proxy servers, such as Internet Security and Acceleration (ISA), to perform tasks previously assigned to client access servers in the DMZ. One such task is to re-authenticate traffic before it reaches back-end servers.
One reason reverse proxy servers are popular is because they are more secure than a client access server (CAS) installation in the DMZ. For example, in order to function properly, the CAS needs full access to all mailboxes and significant access rights to Active Directory. However, this configuration places a lot of privilege in a perimeter layer and should be avoided.
Additionally, because a CAS needs a lot of Exchange business logic to operate, placing it in the DMZ exposes that logic at the perimeter of your network and opens it up to hackers. Minimizing the amount of code and logic that’s exposed in the DMZ reduces the attack surface available to outside intruders.
Exchange servers expose more surface logic than reverse proxy servers, which are designed to withstand Internet attacks. Reverse proxy servers are placed at the perimeter of a network, offering better protection and more flexibility because they have more in-depth defense features and deployment options.
Public access security in OWA 2010
It’s important to differentiate how OWA behaves on a private computer versus a public computer. If you're concerned about OWA users polluting your organization's file system from a public computer, I recommend shutting off direct file access via public machines.
Opening documents in a Web browser is another security risk. This occurs when a user tries to open an document on a system that doesn’t have the required application. Documents viewed in a Web browser are placed in the browser's cache folder. On a public computer, subsequent users can view those documents via the cache. Disabling WebView in OWA's public computer settings will prevent this.
When controlling how OWA accesses files, remember that users aren't always as cooperative. It doesn't take users long to figure out that they have more freedom if they tell the system they're working on a private computer -- whether they are or not. If this becomes an issue, you can resort to using third-party tools to fill the gaps.
Using Secure Socket Layer (SSL) connections when accessing OWA via the Internet can also improve security. Without SSL, this communication would be transmitted as clear text that’s easy for Net snoopers to obtain.
In most organizations, SSL isn't turned on by default. To turn it on, configure an SSL certificate on Exchange and enable it for Internet use. Once SSL is enabled, most OWA communication over the Internet is encrypted.
ABOUT THE AUTHOR:
John P. Mello has served as journalist, managing editor and freelancer at media enterprises including The Boston Globe, CFO Magazine, PC World, Harvard Management Update and the State House News Service.
This was first published in March 2011