Installing VPN access on Windows Server 2016
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
I also have a reverse proxy in front of Exchange for ActiveSync and OWA.
What do you use for a reverse proxy?
His is ancient. ISA
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.
You cannot put Nginx in front of Exchange for free.
-
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
I also have a reverse proxy in front of Exchange for ActiveSync and OWA.
What do you use for a reverse proxy?
His is ancient. ISA
Wow, when did they end that? 2006? I can't remember the last version number, but it was some time ago.
I used it a lot back when it was Proxy Server 2.0!!
-
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.
You cannot put Nginx in front of Exchange for free.
What feature from the paid version is needed?
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.
You cannot put Nginx in front of Exchange for free.
What feature from the paid version is needed?
I do not recall the name of the feature, but i had a thread on the subject on here 2 years ago.
Because I tried to put Nginx in front.
-
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.
You cannot put Nginx in front of Exchange for free.
What feature from the paid version is needed?
I do not recall the name of the feature, but i had a thread on the subject on here 2 years ago.
Because I tried to put Nginx in front.
Have you tried this recent guide?
http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.
You cannot put Nginx in front of Exchange for free.
What feature from the paid version is needed?
I do not recall the name of the feature, but i had a thread on the subject on here 2 years ago.
Because I tried to put Nginx in front.
Have you tried this recent guide?
http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/
It relies on Nginx Extras and requires a Debian proxy.
I found this back in December in this thread: https://www.mangolassi.it/topic/7184/problems-with-exchange-2010-and-nginx-reverse-proxy/18
-
I never did get time to try it, I guess I should. I just hate relying on Ubuntu.
-
@JaredBusch said in Installing VPN access on Windows Server 2016:
I never did get time to try it, I guess I should. I just hate relying on Ubuntu.
Probably works elsewhere. I don't have any on prem Exchange to test on.
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@JaredBusch said in Installing VPN access on Windows Server 2016:
I never did get time to try it, I guess I should. I just hate relying on Ubuntu.
Probably works elsewhere. I don't have any on prem Exchange to test on.
I have two. One Exchange 2010 and one Exchange 2013. So I guess I need to just download 17.03 and spin up a VM at each site.
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@JaredBusch said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.
You cannot put Nginx in front of Exchange for free.
What feature from the paid version is needed?
Found it..
So apparently something in the nginx-extras package on Debian handles this.
-
@Dashrender said in Installing VPN access on Windows Server 2016:
@Carnival-Boy said in Installing VPN access on Windows Server 2016:
@scottalanmiller said in Installing VPN access on Windows Server 2016:
Or do you believe that the entire concept of hacking has been solved and doesn't exist today?
Oh, just forget it.
There's nothing to forget.
If you want security in depth, you need not only the security provided in Exchange, you also put a SMTP proxy in front to get another layer.
The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.
You shouldn't just add layers of security just for the sake of it. You're adding complexity. You need to understand the risks, and the probabilities of a compromise, so your additional layers are justified.
And risks change over time. Scott saying because something was risky in 2004 ergo it will be equally risky forever is just nonsense.
I'm not saying you don't understand the risks, btw, I'm just trying to understand what they are. As an SMB we have limited funds so need to prioritise our security investments, and how we prioritised in 2004 won't be the same as in 2017.
Anyway, Exchange was just an example, its Windows VPN that is really what drew me to this thread.
-
@Carnival-Boy said in Installing VPN access on Windows Server 2016:
And risks change over time. Scott saying because something was risky in 2004 ergo it will be equally risky forever is just nonsense.
I didn't say that. My point, and one I'm flabbergasted to have questioned, is that network attacks have always existed, always will and by definition cannot be documented until after they are found. So the ones that exist today you can't ask for proof of because if they could be documented, they could be fixed.
You are literally saying that hacking is no longer a threat. That's the statement this implies.
-
@Carnival-Boy said in Installing VPN access on Windows Server 2016:
I'm not saying you don't understand the risks, btw, I'm just trying to understand what they are. As an SMB we have limited funds so need to prioritise our security investments, and how we prioritised in 2004 won't be the same as in 2017.
This is true, but you can't actually think that network attacks have gone from a significant threat in 2004 to a non-existent one today? It's true that systems are getting better at being hardened, but the rate of attacks have gone through the roof, and the complexity of them. In 2004 you could pretty easily go weeks without patching, today you can't go hours.
If you have heard of the term zero day, this is what it refers to.
It's your zero day threats that you are exposed to without systems like this. I think you'll find that yes, threats change over time, and this one is far worse in 2017 than in 2004.
-
Exactly.
Speaking of money, there are many inexpensive/free options to provide these extra layers of security as well. nginx is an example. it's a free reverse proxy. Sadly as noted elsewhere, it doesn't seem to work for Exchange in the free version.
As for the Windows VPN, Unless you can find a proxy that can handle that, I don't think you can typically put anything in front of a VPN server.
-
@Dashrender said in Installing VPN access on Windows Server 2016:
Speaking of money, there are many inexpensive/free options to provide these extra layers of security as well. nginx is an example. it's a free reverse proxy. Sadly as noted elsewhere, it doesn't seem to work for Exchange in the free version.
Yeah, that sucks. At least not the free version without resorting to Debian. Looks like it works on Debian.
And Postfix for the SMTP portion. These are all solutions that you can run, for free, in any on premises environment as the VM loads for proxies are trivially small.
-
@Dashrender said in Installing VPN access on Windows Server 2016:
As for the Windows VPN, Unless you can find a proxy that can handle that, I don't think you can typically put anything in front of a VPN server.
Except another VPN server
-
@scottalanmiller said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
As for the Windows VPN, Unless you can find a proxy that can handle that, I don't think you can typically put anything in front of a VPN server.
Except another VPN server
Lol, ok that's just crazy talk
-
@Dashrender said in Installing VPN access on Windows Server 2016:
Exactly.
My question, which I thought was a simple one, was that have Microsoft products been hardened sufficiently in recent years to a point where best practice in 2004 isn't the same as best practice in 2017. It seems on ML (tough crowd), merely asking the question implies I'm stupid ("do you believe that the entire concept of hacking has been solved and doesn't exist today?").
I found this blog post by Microsoft interesting and it's kind of where I was coming from
https://blogs.technet.microsoft.com/exchange/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think/
eg "We made a lot of progress over those ten years since then. We delivered on the goal that the security of the application can be better managed inside the OS and the application rather than at the network layer."I was just asking the question because I though it might have some merit. Sorry I asked and I'll leave it now....
-
@Carnival-Boy said in Installing VPN access on Windows Server 2016:
@Dashrender said in Installing VPN access on Windows Server 2016:
Exactly.
My question, which I thought was a simple one, was that have Microsoft products been hardened sufficiently in recent years to a point where best practice in 2004 isn't the same as best practice in 2017. It seems on ML (tough crowd), merely asking the question implies I'm stupid ("do you believe that the entire concept of hacking has been solved and doesn't exist today?").
I found this blog post by Microsoft interesting and it's kind of where I was coming from
https://blogs.technet.microsoft.com/exchange/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think/
eg "We made a lot of progress over those ten years since then. We delivered on the goal that the security of the application can be better managed inside the OS and the application rather than at the network layer."I was just asking the question because I though it might have some merit. Sorry I asked and I'll leave it now....
But the behaviour you are protecting against has not went away. You have to always continue protecting against it. As soon as you stop protecting against it, it will be attacked.
In regards to your linked article, Microsoft might have made managing the security of an application better inside the OS, but that does nothing for actually securing the application.