When you get down to brass tacks, Internet Information Services (IIS) -- which includes HTTP, NNTP, SMTP, IMAP4, POP3 and a number of other Internet protocols -- is the source of vulnerability. However, you cannot install Exchange 2000/2003 without it running.
The real risk is not planning for it. Here is a short list of things you can do to secure Outlook Web Access.
- Implement Secure Sockets Layer (SSL) for secure HTTPS communications between the client (browser) and the server.
- Use front-end servers for Internet clients to connect to. No data is stored on the front-end server and therefore it is a lower risk if compromised.
- Implement IPsec between front-end and back-end servers. SSL can't be used between front-end and back-end servers, but IPsec can.
SSL is really the key to securing Outlook Web Access. You should not allow clients to connect to Outlook Web Access without using SSL.
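One way to verify the last point on your own server, as an added example that is not part of the original answer: the script requests the OWA path over plain HTTP and fails if the server serves content or offers a credential prompt without SSL. The `/exchange/` path, the function names and the reliance on a "403.4" marker in the IIS error page are assumptions of this example.

```python
import http.client
import sys

REDIRECTS = {301, 302, 303, 307, 308}

def classify(status, headers, body=""):
    """Judge the answer to a plain-HTTP request for the OWA path.

    headers is a list of (name, value) pairs. Returns (ok, reason); ok is
    False when content or a credential prompt is reachable without SSL."""
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    if status in REDIRECTS:
        target = h.get("location", [""])[0]
        if target.lower().startswith("https://"):
            return True, "redirected to " + target
        return False, "redirect stays on cleartext: " + (target or "<no Location>")
    if status == 403:
        # Assumption: the IIS error page names sub-status 403.4 (SSL required).
        detail = "403.4 SSL required" if "403.4" in body else "403 forbidden"
        return True, "refused over HTTP (" + detail + ")"
    if status == 401:
        schemes = ", ".join(h.get("www-authenticate", ["<none>"]))
        return False, "credential prompt over cleartext: " + schemes
    if 200 <= status < 300:
        return False, "content served over cleartext"
    return False, "unexpected status %d, review manually" % status

def probe(host, path="/exchange/", port=80, timeout=5):
    """Send one GET over plain HTTP to a server you administer and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        return classify(resp.status, resp.getheaders(), body)
    except OSError as exc:
        return True, "no plain-HTTP listener reachable (%s)" % exc
    finally:
        conn.close()

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: owa_ssl_check.py <front-end-host>")
    ok, reason = probe(sys.argv[1])
    print(("PASS" if ok else "FAIL") + ": " + reason)
    sys.exit(0 if ok else 1)
```

A redirect to HTTPS passes because no mailbox data or logon prompt is offered in the clear, but the first request still travels unencrypted, so refusing plain HTTP outright is the stricter setting.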