06-01-2004 06:19 PM - edited 02-20-2020 11:25 PM
What is needed to set up PIX to allow Outlook Web Access in? I'm going to guess:
1) ACL
2) Static mapping
3) http server enable
Anything else?
06-01-2004 06:39 PM
fixup protocol http 80
...if you did not already have it turned on
06-02-2004 03:38 AM
You don't need the http server enable command on the PIX to allow OWA clients to access the internal servers. The http server is to allow management of the PIX via a web browser.
Are the clients going to be coming in via a VPN connection, or non-VPN from another part of your network? The reason I ask is that if the users are VPN users, and the PIX is a VPN termination point, then you will need to set up the PIX for VPN use too.
06-02-2004 07:11 AM
They will be coming in NON-VPN, which is making me wonder how secure that is going to be. In the past I would use a DMZ, but management is too cheap. Any ideas?
Thanks
06-02-2004 09:34 AM
I would make sure that the OWA process uses SSL. SSL processing can be resource intensive, so I would convince management to purchase an SSL offloading device.
If some clients will be coming off of external/partner networks, you may be better off using a low-end VPN concentrator, which can not only handle the SSL offloading (the Cisco VPN3000 v4 code can use SSL-based VPNs in addition to or instead of IPSec VPNs), but can also authenticate users against an NT domain, Active Directory, and other types of databases. If the VPN concentrator is not feasible, the PIX can be configured to do proxy authentication for inbound access using HTTPS and the PIX 6.3 code. It needs to connect to a RADIUS or TACACS+ server for that purpose; however, at least only authorized users will be able to connect.
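The inbound publishing discussed in this thread, as an added example that is not part of any poster's reply: a PIX 6.3-style static port mapping and ACL that expose OWA over SSL only, with the cleartext variant shown commented out for comparison. The addresses 192.0.2.10 (outside) and 10.1.1.10 (internal OWA server), the interface names and the ACL name owa_in are assumptions.

```cisco
: Constructed example; addresses, interface names and ACL name are placeholders.
: Weak variant (cleartext OWA on port 80), shown for comparison only:
:   static (inside,outside) tcp 192.0.2.10 80 10.1.1.10 80 netmask 255.255.255.255 0 0
:   access-list owa_in permit tcp any host 192.0.2.10 eq 80
:
: SSL-only variant: map and permit TCP 443 alone, nothing else on the host.
static (inside,outside) tcp 192.0.2.10 443 10.1.1.10 443 netmask 255.255.255.255 0 0
access-list owa_in permit tcp any host 192.0.2.10 eq 443
access-group owa_in in interface outside
```

`fixup protocol http 80` applies to port 80 traffic, so it does not inspect this SSL session.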