Friday, May 11, 2007

OWA Authentication on Corporate Network




I'd like to show you an enterprise network configuration where FE (front-end) and BE (mailbox, or back-end) Exchange servers are in place. This will eventually help us understand the ETS (Edge Transport server) better. I believe this is necessary because, if we can see what has been done in the past, we will have a better understanding of the new implementation and of the Exchange server roles. As I said earlier, this is a corporate network, and the OWA servers are not sitting in the DMZ as was recommended by Microsoft.

Second, this corporation has a child domain called DMZ.Mycompany.org (all the servers sitting in the DMZ belong to this child domain).

When any traffic wants to come into this network, it hits the first PIX first. Certain ports are open, with conduits back to the DMZ servers, depending on each server's function. If a DMZ server needs to talk back to the internal servers sitting within the corporate network (the inside network), it has to pass through the second firewall.

The second firewall does IP translation. Let's say the server sitting in the DMZ, called DMZserver1, needs to talk to an LDAP server inside the corporate network.

DMZserver1:

IP: 193.16.125.236/24 (public IP)

FQDN: DMZserver1.DMZ.Mycompany.org

LDAPserver1:

IP: 10.0.0.10/24 (internal, private IP)

FQDN: LDAPserver1.Mycompany.org


When DMZserver1's traffic hits the second PIX, the PIX inspects each TCP/IP packet and translates the address 193.16.125.236 into the internal IP 10.0.0.10/24, so that DMZserver1 can talk to LDAPserver1. This is how the DMZ servers can be a child domain of the internal DNS namespace.

If you look at the Visio diagram one more time, you will understand more about a corporate setup and how the DMZ and the internal network talk back and forth.

When a request for OWA comes from outside (the Internet), the traffic flows in this direction. A client on the Internet opens a browser and types the address of their company's OWA (Outlook Web Access). The OWA address is http://mail.mycompany.org, so the request goes to the ISP's DNS servers. The ISP DNS servers perform a recursive query to locate the authoritative DNS servers for the requested DNS namespace, which is mail.mycompany.org.

When the company's public DNS servers answer,

"Yes, I am the authoritative DNS server for the requested namespace; I have the host record for mail.mycompany.org, and this is its IP address," and hand that IP address back to the requester, the client's browser is able to locate the OWA login page.

At this point, the request, which was made over HTTP (port 80), has passed the first PIX and hits the ISA server in the DMZ. The ISA server has a rule and a host record for mail.Mycompany.org pointing to itself.

It claims to be the host for the OWA login page and accepts the request from outside. At the same time, the ISA server knows the inside IP of the content switch in front of the OWA servers. The ISA server redirects the request to the content switch, passing through the last PIX on port 443 (SSL). The content switch is responsible for distributing the request to one of the OWA servers. The OWA server then goes back to the mailbox server and pulls the user's mailbox, and the user gets to his inbox through OWA.


Best

Oz Ozugurlu
