OPNsense Forum

English Forums => General Discussion => Topic started by: Tubs on September 03, 2022, 05:21:15 pm

Title: Client Cert Authentication sufficient for Exchange server
Post by: Tubs on September 03, 2022, 05:21:15 pm
Hello,

does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose ‘activesync’ and ‘owa’ directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase the security I want to switch to Client Certificate Authentication for activesync.

Option 1: setup client auth on HAProxy.
Option 2: passthrough ‘activesync’ (separate host/SNI) in HAProxy by TCP mode, do authentication on HAProxy and keep offloading SSL for ‘owa’ on HAProxy

Option 1 seems to get too complicated for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up with two frontends on the same port, one with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a directly exposed Exchange protected by client certificate authentication as safe against attacks as one behind HAProxy?
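As an added example (not from the original post or from the OPNsense project), the following haproxy.cfg fragment shows what the thread's "Option 2" looks like in HAProxy terms: one TCP frontend on port 443 that routes on the TLS SNI name, passing the ActiveSync hostname straight through to Exchange in TCP mode while handing the OWA hostname to a second, local frontend that terminates TLS and enforces client certificate authentication with `verify required`. All hostnames, addresses and certificate paths are assumptions. On OPNsense the same settings are entered through the HAProxy plugin GUI, which generates the file; this is the raw form for readability.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public entry point. TCP mode: HAProxy only reads the ClientHello to pick a
# backend; nothing at the HTTP layer is inspected here.
frontend fe_public_443
    mode tcp
    bind :443
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # ActiveSync: TLS stays end-to-end with Exchange, which performs the
    # client certificate authentication itself (Option 2 in the thread).
    use_backend be_activesync_passthrough if { req_ssl_sni -i activesync.example.com }
    # OWA: hand the raw TLS stream to the local terminating frontend below.
    use_backend be_owa_local_tls if { req_ssl_sni -i owa.example.com }
    # No default_backend: an unknown SNI (or no SNI) matches nothing and the
    # connection is closed, so only the two named services are reachable.

backend be_activesync_passthrough
    mode tcp
    # Assumed Exchange address.
    server exchange 10.0.0.10:443 check

backend be_owa_local_tls
    mode tcp
    # Loop back into HAProxy over localhost; PROXY protocol carries the real
    # client address across the hop so logs and X-Forwarded-For stay correct.
    server owa_tls 127.0.0.1:8443 send-proxy-v2

# Local TLS-terminating frontend for OWA with mandatory client certificates.
frontend fe_owa_https
    mode http
    option httplog
    option forwardfor
    # crt: server certificate+key (assumed path). ca-file: the CA that issued
    # the user certificates. verify required: a handshake without a certificate
    # chaining to that CA is refused before any HTTP request is read.
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/ssl/owa.pem ca-file /usr/local/etc/ssl/client-ca.pem verify required crl-file /usr/local/etc/ssl/client-ca.crl
    # Only forward the OWA virtual directory; everything else on this host
    # (e.g. /ecp) is refused at the proxy. Adjust to what you actually use.
    http-request deny unless { path_beg -i /owa }
    # Pass the authenticated certificate subject to the backend for logging.
    http-request set-header X-Client-Cert-CN %[ssl_c_s_dn(cn)]
    default_backend be_owa

backend be_owa
    mode http
    # Re-encrypt to Exchange and verify its certificate against the internal CA
    # (assumed path) so the proxy-to-server hop is not a downgrade.
    server exchange 10.0.0.10:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem sni str(owa.example.com) check
```

The trade-off the thread is circling is visible in the two paths: for `owa.example.com` HAProxy sees plaintext HTTP and can refuse unwanted paths or headers, while for `activesync.example.com` it is a pure TCP forwarder, so any HTTP-level hardening for ActiveSync has to happen on Exchange/IIS itself. Whether the client certificate requirement makes that acceptable is exactly the risk question the replies below discuss.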
Title: Re: Client Cert Authentication sufficient for Exchange server
Post by: bartjsmit on September 04, 2022, 09:07:23 am
That would entirely depend on your definition of 'sufficient'

What is your risk? If this is a lab setup, do you even process real data?

A lot of security policy is not technical. You look at the threat level and you gauge if your mitigation is sufficient based on best practice, ease of use, etc. Have you considered a VPN for instance?

Bart...
Title: Re: Client Cert Authentication sufficient for Exchange server
Post by: Tubs on September 08, 2022, 06:30:39 pm
Quote
What is your risk? If this is a lab setup, do you even process real data?

OK. I see that "lab setup" was misleading. Yes, it is processing real data. There are two private mail accounts on it. I know, there are better ways instead of using an oversized Exchange for this. I called it home lab set-up to avoid any link to corporate use or professional data with hundreds of mailboxes.

Therefore let me rephrase my question:

Are there common and recommended scenarios where the activesync site of IIS in Exchange is directly exposed to the internet without reverse proxy or WAF in front?

Quote
Have you considered a VPN for instance?

Yes. I am even doing it like this. Most secure variant I guess, but also with disadvantages: it drains more battery from the mobile, and the VPN does not always have a stable connection. Therefore I am looking for other ways.
Title: Re: Client Cert Authentication sufficient for Exchange server
Post by: Patrick M. Hausen on September 08, 2022, 07:30:53 pm
Millions of Enterprises do that. Expose OWA to the Internet. That's what it was made for.

The more knowledgeable ones use a dedicated OWA server placed in a DMZ with only the minimum necessary connections to the internal Exchange and AD allowed. Microsoft has quite extensive documentation on that.

HTH,
Patrick
Title: Re: Client Cert Authentication sufficient for Exchange server
Post by: Tubs on September 08, 2022, 08:09:54 pm
Quote
Millions of Enterprises do that. Expose OWA to the Internet. That's what it was made for.

Thank you.
Title: Re: Client Cert Authentication sufficient for Exchange server
Post by: Patrick M. Hausen on September 08, 2022, 09:11:35 pm
Still please read all of my last post. Using a dedicated OWA server is highly recommended. In the age of virtualised everything that is not even much of a cost. Virtual machine, VLAN for DMZ in hypervisor and firewall, done.

As I said, OWA is definitely built by MS to be exposed. As was ISA/Forefront server - their own firewall/proxy solution - etc. They don't say "hey, we have this great tool, but please do not put it on the Internet, ever!"

I personally don't trust Microsoft products any farther than I can throw them, but putting another layer of protection in front of OWA is more of a political than a technical question.

In a technically oriented company it might be easy to sell OWA behind VPN. Or OWA behind HTTPS proxy with 2FA. There are many solutions to raise the bar for the bad guys. The question is what your users are willing to put up with.

HTH,
Patrick
Title: Re: Client Cert Authentication sufficient for Exchange server
Post by: Tubs on September 08, 2022, 10:28:34 pm
Quote
Still please read all of my last post. Using a dedicated OWA server is highly recommended.

Thanks a lot again. Yes, I got your point already by your first mail.

I will reconsider after looking into some more details. Basically the VPN way is fine for me. My small home lab is running out of resources and one Exchange alone is already using more RAM than I want to spend.