Is it possible to move OWA to a new dedicated DMZ/perimeter network?


Hello Team,

We are a Microsoft Partner and we are opening this Case on behalf of an existing customer which is currently running a Microsoft Exchange Server 2013 On-Prem.

In order to maintain and expand the existing business with a car manufacturer, the latter has instructed a third-party to conduct an IT audit and security assessment.

Based on the results from the IT Audit, one of the recommendations is to move OWA in a new dedicated DMZ/perimeter network. Basically, our customer has been asked to pull the Microsoft Exchange Server 2013 from the internal network.

I believe that the main concern here is the recent critical Exchange Server vulnerabilities due to OWA being exposed to the Internet as a Web application and, as a result, being prone to attacks (I would say more now than in the past).

Based on my knowledge, it is my understanding that moving OWA in a dedicated DMZ/perimeter network is not feasible/supported as we can only put the edge server in DMZ, while we cannot put a CAS server in the DMZ (and OWA connects to Exchange server from CAS server).

Could you please clarify whether:

==================================================
1) We are wrong about this and provide us with Microsoft's recommended approach in order to achieve this and move OWA in a new dedicated DMZ/perimeter network
2) We are right about this and provide us (at a high level) with the possibilities we can explore in order to try our best to comply with the recommendations provided by the third-party IT auditor
==================================================

Any additional observations/recommendations on this matter will be greatly appreciated.

Thanks and Regards,

Massimiliano

2 Replies
I'm not MS but you'd have to punch so many holes through your firewall just for Exchange to talk to the other Exchange servers and domain controllers it would make this pointless.
Remember, the MS recommendation is no firewall of any kind between Exchange servers or Exchange servers and DCs, or if there is, there has to be an ANY<>ANY rule.

@mrizzi2 

Hi Massimiliano,

Have you considered using the Azure AD App Proxy to present access to OWA? In a nutshell, you install an App Proxy connector agent in your on-prem environment and create a tunnel from Azure AD. The internal OWA URL is published as an app and users log onto the MyApps portal (or you can create a vanity URL) to connect. Access can be secured using conditional access and MFA as well, but it should be a more comfortable way of presenting access rather than a public facing server.

This video should provide a bit more clarification if you aren't familiar:

Azure AD App Proxy with Akamai Demo for OWA - YouTube

Hope this helps,

Rob