Why does Microsoft not respect my firewall?

One of the things I keep noticing is that Microsoft’s “enterprise stack” of applications almost all seem to need a hole straight into the LAN from the outside to work right. This is ridiculous. Why did I bother setting up a DMZ and a firewall, when every application needs direct access to the inner circle? I know why this is… all of these applications rely upon Kerberos, domain membership, Active Directory, and other things that don’t play nicely through a firewall. But still, this is a dumb situation. Microsoft needs to respect my network topology. The last thing I want is for a problem with Exchange, OCS, etc. to become a security exploit in the middle of my LAN.

J.Ja

  1. February 24th, 2009 at 07:02 | #1

    OCS requires more than just port 80/443 open from the Internet?

  2. February 24th, 2009 at 14:53 | #2

    That’s what it requires… but the "Communicator Web Access" requires port 443 (or 80, but 443 is suggested) *directly into my LAN*. Same thing for Exchange’s "Outlook Anywhere" functionality. This is really stupid. Sure, I pretty much trust IIS to not blow up, but that doesn’t mean that the code doesn’t have open bugs in it that allows it to be exploited. If someone manages to blow up the CWA system, the last thing I want/need is an exploited app in my LAN.

    J.Ja

  3. February 26th, 2009 at 00:26 | #3

    J.Ja,

    Have you messed around with setting up OpenVPN? A PC running Linux in the DMZ and OpenVPN server would work; or you could move it behind the firewall, because OpenVPN has no trouble with NAT firewall issues and OpenSSL cert keys on UDP port 1194 are bullet-proof. Setup is *easy* compared to IPSec. Asterisk with IAX trunking over OpenVPN works fine.

    Your thoughts? YackityYak TalkBack!

  4. February 26th, 2009 at 02:43 | #4

    VPN is not the solution. The whole *point* of this software is to allow people access to the service with zero install/configuration. :(

    J.Ja

  5. February 26th, 2009 at 12:13 | #5

    VPN *is* the solution–it just requires some extra work. Every app gets its port(s) unfettered and just *one* SSL UDP port is exposed to the world. ;)

  6. February 26th, 2009 at 15:03 | #6

    I know some will dismiss this as offhandedly smart-assed, but really, isn’t it simply because Microsoft doesn’t respect you? (or any of its customers)

    I’ve always found that Microsoft always works from a standpoint that, they alone, know what’s best for your computer.

  7. February 26th, 2009 at 15:06 | #7

    Dietrich -

    VPN is *not* the answer at all. These are services that customers and clients use; I really can’t put them through the effort of configuring a VPN for a 30 minute screenshare, and most of them have IT departments that won’t let it happen. In terms of on-the-wire security, the Microsoft situation is good about that, because it all uses SSL anyways. The security concern is that I have untrusted users directly accessing machines within my LAN, regardless of encryption. It’s like sticking a Web server or FTP server in your LAN; you’d never do it.

    J.Ja

  8. February 26th, 2009 at 15:52 | #8

    I see. Well, that explains your purpose.
    Sorry. I misunderstood the application.

    Color me ‘clueless’. :|

  9. March 2nd, 2009 at 15:19 | #9

    You can build a dedicated Exchange gateway in the DMZ and I am pretty sure you can do the same thing for OCS. You don’t need to open directly into your internal network.

    This is not a Microsoft problem, and every piece of Internet-enabled software in the world requires some kind of port to be open, which is almost always port 443 and 80. Because you built an all-in-one box, you have no DMZ box and you’re forced to bypass the DMZ.

  10. March 2nd, 2009 at 15:52 | #10

    As we discussed on IM, I wish this was the case. In their recent crop of products, it does not matter how many boxes you have, certain components *must* be located in the LAN and exposed over port 443. In fact, with Exchange 2007, you *cannot* put the "Edge Server" role on a box with any other Exchange roles installed! With OCS 2007 R2, the Web-based Communicator (Communicator Web Access) *must* be located in the LAN… and it must *not* be on the same box with the rest of the components, either! I am telling you, if there is a way to do it, it is not documented or supported.

    J.Ja

  11. March 2nd, 2009 at 17:25 | #11

    Sorry, you’re right Justin. Basically, MS is pushing us towards a reverse proxy architecture, preferably MS ISA server as far as MS is concerned.
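The distinction the thread keeps circling (Internet traffic that lands on a DMZ reverse proxy versus a port 443 forward straight to an Exchange or CWA box in the LAN) can be checked mechanically. The following is an added example, not code from the post or its commenters: a small Python audit over firewall allow rules that flags any Internet-to-LAN rule as a DMZ bypass and any DMZ-to-LAN rule broader than one backend host and port. The zone address ranges and the sample rules are constructed assumptions, not the author’s network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zone layout for this example (constructed; not the author's network).
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/8"),
}

@dataclass(frozen=True)
class Allow:
    """One firewall allow rule, read from the perspective of the perimeter firewall."""
    name: str
    src: str             # CIDR the traffic comes from ("0.0.0.0/0" = the Internet)
    dst: str             # CIDR it is allowed to reach
    dport: Optional[int] # TCP port; None means any port

def zone_of(cidr: str) -> str:
    """Map a CIDR to DMZ, LAN or INTERNET (anything outside the two inside zones)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "INTERNET"

def audit(rules: List[Allow]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for rules that break the DMZ model."""
    findings = []
    for r in rules:
        src, dst = zone_of(r.src), zone_of(r.dst)
        dst_net = ipaddress.ip_network(r.dst, strict=False)
        if src == "INTERNET" and dst == "LAN":
            # The situation the post complains about: the service lives inside.
            findings.append((r.name, "DMZ bypass: Internet reaches a LAN host directly"))
        elif src == "DMZ" and dst == "LAN" and (dst_net.num_addresses > 1 or r.dport is None):
            # A compromised proxy should only reach the one backend it fronts.
            findings.append((r.name, "DMZ host may reach more of the LAN than its backend"))
    return findings

# Constructed samples: the direct-to-LAN layout versus the reverse-proxy layout.
DIRECT_TO_LAN = [
    Allow("Outlook Anywhere", "0.0.0.0/0", "10.0.1.20/32", 443),        # Exchange in LAN
    Allow("Communicator Web Access", "0.0.0.0/0", "10.0.1.30/32", 443), # CWA in LAN
]
VIA_REVERSE_PROXY = [
    Allow("reverse proxy", "0.0.0.0/0", "192.0.2.10/32", 443),           # proxy in DMZ
    Allow("proxy -> Exchange", "192.0.2.10/32", "10.0.1.20/32", 443),    # pinned backend
    Allow("proxy -> CWA", "192.0.2.10/32", "10.0.1.30/32", 443),
]
OVERBROAD_PROXY = [Allow("proxy -> whole LAN", "192.0.2.10/32", "10.0.0.0/8", None)]
```

Running `audit` over a real ruleset export requires only translating each rule into an `Allow`; the zone table is the only site-specific input.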
