May 05 2021 08:48 AM
Hello Team,
We are a Microsoft Partner and we are opening this case on behalf of an existing customer which is currently running a Microsoft Exchange Server 2013 on-prem.
In order to maintain and expand the existing business with a car manufacturer, the latter has instructed a third-party to conduct an IT audit and security assessment.
Based on the results from the IT audit, one of the recommendations is to move OWA into a new dedicated DMZ/perimeter network. Basically, our customer has been asked to pull the Microsoft Exchange Server 2013 from the internal network.
I believe that the main concern here is the recent critical Exchange Server vulnerabilities due to OWA being exposed to the Internet as a web application and, as a result, being prone to attacks (I would say more now than in the past).
Based on my knowledge, it is my understanding that moving OWA into a dedicated DMZ/perimeter network is not feasible/supported, as we can only put the Edge server in the DMZ, while we cannot put a CAS server in the DMZ (and OWA connects to the Exchange server from the CAS server).
Could you please clarify whether:
==================================================
1) We are wrong about this, and provide us with Microsoft's recommended approach in order to achieve this and move OWA into a new dedicated DMZ/perimeter network
2) We are right about this, and provide us (at a high level) with the possibilities we can explore in order to try our best to comply with the recommendations provided by the third-party IT auditor
==================================================
Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards,
Massimiliano
May 07 2021 09:19 AM
May 10 2021 01:17 AM
Hi Massimiliano,
Have you considered using the Azure AD App Proxy to present access to OWA? In a nutshell, you install an App Proxy connector agent in your on-prem environment and create a tunnel from Azure AD. The internal OWA URL is published as an app and users log onto the MyApps portal (or you can create a vanity URL) to connect. Access can be secured using Conditional Access and MFA as well, but it should be a more comfortable way of presenting access rather than a public-facing server.
This video should provide a bit more clarification if you aren't familiar:
Azure AD App Proxy with Akamai Demo for OWA - YouTube
Hope this helps,
Rob
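The publishing step Rob describes, as an added example that is not code from his reply or from Microsoft: it uses the AzureAD PowerShell module to publish the internal OWA URL through Application Proxy with Azure AD pre-authentication, so that sign-in (and any Conditional Access/MFA policy) is enforced before traffic reaches the connector. The URLs, application name and connector-group name are placeholders you must replace.

```powershell
# Added example (not from the thread). Assumes the AzureAD module is installed,
# a connector agent is already registered on-prem, and the account has the
# Application Administrator role. All URLs and names below are placeholders.
Import-Module AzureAD
Connect-AzureAD

# Placeholder: internal OWA URL reachable from the connector host
$internalUrl = "https://mail.contoso.local/owa/"
# Placeholder: external URL (an msappproxy.net address or a verified custom domain)
$externalUrl = "https://owa-contoso.msappproxy.net/"

# Placeholder connector-group name: the group containing the on-prem connector(s)
$group = Get-AzureADApplicationProxyConnectorGroup |
    Where-Object { $_.Name -eq "Exchange-Connectors" }
if (-not $group) { throw "Connector group not found; register a connector first." }

# Publish OWA. AadPreAuthentication means unauthenticated requests are stopped
# at Azure AD and never forwarded to the Exchange server; host-header and
# link translation keep OWA's absolute links working behind the proxy.
New-AzureADApplicationProxyApplication `
    -DisplayName "Exchange OWA" `
    -InternalUrl $internalUrl `
    -ExternalUrl $externalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -IsTranslateHostHeaderEnabled $true `
    -IsTranslateLinksInBodyEnabled $true `
    -ApplicationServerTimeout Long `
    -ConnectorGroupId $group.Id

# Confirm the published settings; pre-authentication must read AadPreAuthentication.
$app = Get-AzureADApplication -Filter "displayName eq 'Exchange OWA'"
Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

User assignment and the Conditional Access/MFA policy that Rob mentions are configured separately on this application in the Azure AD portal; the OWA virtual directory itself stays on the internal Exchange server.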