quarantine access from outside the network?

Nov 8th, 2007
I was wondering if this is typically enabled and if so how (http, https only, etc...). I'm a little hesitant to just set it out on the internet, but we are going to need to allow users to unjunk from OWA so maybe I'm just being overly cautious.

Curious to hear how others have it configured in their organization.

Thanks!

-S

Torsten_ironport Fri, 11/09/2007 - 08:04
Quarantine Access is something you usually switch on when configuring your IP interfaces - AFAIK there is no default access to it, since the Anti-Spam Quarantine is disabled at first start until you enable it.

Other than that it's the rest of your network environment that allows or rejects the access to the Quarantine Web Services really, like firewall, NAT, etc.

In our case we enabled it for https access, but only for the internal network or users coming through an SSL VPN. Anything else and without some hardened authentication method (OTP, Token, whatever) just leaves too much room for tampering with the access page for my taste.

Example: You open up your Quarantine for https access from the Internet and use LDAP authentication. Now what happens to internal user accounts if people start running "brute force" methods to get in? Usually accounts are locked after a number of failed login attempts and that could stop internal users from even being able to log in.

No, I wouldn't want something like that to happen. ;)

Torsten
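
The lockout scenario in the reply above can be contained by throttling per username in front of the LDAP bind, so outside guessing never uses up the directory's failed-login budget. This is an added example, not part of the original thread and not IronPort functionality: `ExternalLoginGate`, `FakeDirectory` and `simulate` are hypothetical names, the lockout threshold of 5 is an assumption, and the gate's window is assumed to be at least as long as the directory's own failure-counter reset interval.

```python
import time
from collections import defaultdict, deque

class ExternalLoginGate:
    """Throttle in front of the LDAP bind for an Internet-facing login page."""
    def __init__(self, directory_lockout_threshold=5, reserve=1,
                 window_seconds=900, clock=time.monotonic):
        # Forward fewer failures than the directory tolerates, keeping
        # `reserve` attempts free for the user's own internal typos.
        self.max_forwarded = max(directory_lockout_threshold - 1 - reserve, 1)
        self.window, self.clock = window_seconds, clock
        self.failures = defaultdict(deque)  # username -> failure timestamps

    def attempt(self, username, password, ldap_bind):
        """Return 'ok', 'denied' or 'throttled'; ldap_bind(user, pw) -> bool."""
        fails = self.failures[username.strip().lower()]
        now = self.clock()
        while fails and now - fails[0] >= self.window:
            fails.popleft()              # forget failures outside the window
        if len(fails) >= self.max_forwarded:
            return "throttled"           # the directory never sees this attempt
        if ldap_bind(username, password):
            return "ok"
        fails.append(now)                # kept even after a later success
        return "denied"

class FakeDirectory:
    """Constructed stand-in for an LDAP server that locks after N bad binds."""
    def __init__(self, password, threshold):
        self.password, self.threshold, self.bad = password, threshold, 0
    def bind(self, username, password):
        if self.bad >= self.threshold:
            return False                 # account locked
        if password == self.password:
            self.bad = 0
            return True
        self.bad += 1
        return False

def simulate(guesses=20, gated=True):
    """Replay wrong guesses from outside, then one correct internal login."""
    directory = FakeDirectory("correct-horse", threshold=5)
    gate = ExternalLoginGate(directory_lockout_threshold=5)
    login = (lambda u, p: gate.attempt(u, p, directory.bind)) if gated else directory.bind
    for i in range(guesses):
        login("alice", f"guess{i}")
    bad_binds = directory.bad
    return bad_binds, directory.bind("alice", "correct-horse")
```

`simulate(gated=False)` leaves the constructed account locked so the internal login fails; with the gate, only three bad binds reach the directory and the internal login still succeeds. The gate still refuses that username from outside while the window lasts.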

Seth Miller Fri, 11/09/2007 - 21:41
Thanks Torsten, I appreciate the reply! I was thinking about the exact same thing, but don't know of a good way to get around it. I don't know that not having a way to release from OWA/blackberries is going to fly with mgmt.

In our previous implementation we proxied unjunk links back through ISA and users were only able to logon inside the network. It looks like the release mechanism is a little different for Ironport, so I’m not sure this would work (also the previous solution sat on the internal network).

Interested in hearing how others have this set up (if at all).

Thanks again!
