Managing Exchange Server Connectivity Across Firewalls

Using Firewalls to Prevent Unauthorized Access

One method by which you can physically secure the network is through the use of firewalls. While firewalls provide some degree of physical security, remember that firewalls are merely obstacles which make it more difficult for intruders to attack the network; they are not a complete defense on their own.

Firewalls are categorized as follows:

  • Network firewalls: These firewalls monitor traffic entering and exiting the network, in an attempt to protect the perimeter network. The software-based Microsoft Internet Security and Acceleration (ISA) Server and the hardware-based Nortel Networks Alteon Switched Firewall System are network firewall solutions.
  • Host-based firewalls: These firewalls protect only the computers they are defined to protect; the network to which the computer is connected is irrelevant. The Internet Connection Firewall (ICF) feature of Windows XP and Windows Server 2003 is a host-based firewall solution.

Firewalls work by inspecting packets to determine whether each packet should be forwarded or dropped. The main function of the firewall is to filter traffic. A TCP/IP packet consists of an IP header, followed by a TCP or UDP header, followed by the actual content (payload) of the packet. The IP header carries the IP addresses of the sender (source) and receiver (destination); the TCP or UDP header carries the source and destination port numbers. A TCP header also carries the sequence and acknowledgment numbers and the conversation state that make it possible to track a connection.

As packets pass through the firewall, they are examined according to the filtering parameters configured on the firewall. The filtering parameters define which packets are allowed to pass through. By default, firewalls typically deny all packets other than those they have been explicitly configured to allow. In most networking environments, firewalls are configured to block all incoming traffic and to allow outbound traffic from the private internal network.

Packet filters define the types of traffic that a firewall should deny. You must implement firewalls and router packet filters to secure the resources within your private network from Internet users.

When you configure IP packet filters, you can specify what traffic is allowed or denied based on the following:

  • Source address
  • Destination address
  • Source and destination TCP port number
  • Source and destination UDP port number
  • The interface that the packet arrives on
  • The interface that the packet should be forwarded to
  • IP protocol numbers
  • ICMP types and codes

IP packet filters should be used for the following purposes:

  • To restrict traffic being sent to or from a particular computer, filter on the source/destination IP address.
  • To restrict traffic coming from or being sent to a particular IP address range of a network segment, filter on the source/destination IP address range.
  • To restrict traffic transmitted to or from a particular application, filter on the port number or IP protocol number that application uses.

Advanced firewalls include a number of additional security features, including:

  • Stateful inspection: Here, packets are examined when they reach the firewall, and they are allowed to access internal network resources only as determined by the configured access policy. Stateful inspection capabilities are provided by proxy servers and by firewall solutions that support Network Address Translation (NAT).
  • Intrusion detection features: Firewalls that include intrusion detection features are able to detect the attributes of possible network attacks as they inspect packets. These firewalls can perform a variety of actions when they detect a network attack:
    • Start a counter attack.
    • Block access from the intruder's network.
    • Notify an administrator of the network attack.
  • Application layer intelligence features: These firewalls allow or drop packets based on the content of the packet. The firewalls are capable of inspecting and analyzing data within the traffic flows.
  • Virtual Private Network (VPN) capabilities: These types of firewalls enable remote networks to connect with other remote networks over the Internet. When you use both a VPN and a firewall solution, the firewall is able to filter traffic within the VPN tunnel.

If the Exchange organization accesses external networks, you should use a firewall to protect the Exchange organization. A strong firewall solution should be used to protect back-end Exchange servers. Front-end servers usually reside in the demilitarized zone (DMZ), also called the perimeter network.

A perimeter network usually consists of the following components:

  • A firewall protecting the front-end servers from Internet traffic.
  • A firewall between the back-end servers and the private network. This firewall should allow communication only between the back-end servers and specific servers located on the private network.
  • Hardened servers supporting the services provided by the applications. Hardened servers can be configured to disable unsafe Internet services.

A perimeter network uses either a single firewall configuration or a back-to-back firewall configuration:

  • Single firewall configuration: Here a single firewall is used, with one network interface card (NIC) connected to the perimeter network, one NIC connected to the Internet, and another NIC connected to the private network. The private network comprises the organization's network, computers and servers that are not exposed to the public network. This is the simplest firewall configuration method. Because this configuration consists of only one firewall, the private network is vulnerable as soon as an attacker is able to bypass that firewall.
  • Back-to-back firewall configuration: Here, one firewall connects the front end of the perimeter network to the Internet, and a second firewall connects the back end of the perimeter network to the private network. This method provides more protection for the private network. Additional firewalls can be implemented between the Web tiers in the perimeter network to further enhance security for the private network.

You can use TCP port filtering to secure network applications and services. TCP port filtering lets you control the type of network traffic that reaches your Exchange servers by restricting connections to specific TCP ports.

A few common TCP ports are listed here:

  • Port 25: Simple Mail Transfer Protocol (SMTP)
  • Port 80: Hypertext Transfer Protocol (HTTP)
  • Port 88: Kerberos
  • Port 102: Message Transfer Agent (MTA)
  • Port 110: Post Office Protocol v3 (POP3)
  • Port 119: Network News Transfer Protocol (NNTP)
  • Port 135: Exchange administration, RPC, client-server communication
  • Port 143: Internet Message Access Protocol version 4 (IMAP4)
  • Port 389: Lightweight Directory Access Protocol (LDAP)
  • Port 443: HTTP using Secure Sockets Layer (SSL)
  • Port 563: NNTP using Secure Sockets Layer (SSL)
  • Port 636: LDAP using Secure Sockets Layer (SSL)
  • Port 993: IMAP4 using Secure Sockets Layer (SSL)
  • Port 995: POP3 using Secure Sockets Layer (SSL)
  • Ports 3268 and 3269: Global catalog lookups
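The packet-filter criteria and default-deny behaviour described earlier, together with the Exchange port list above, can be made concrete with a small rule evaluator. The following PowerShell is an added example written for this article, not code from the article or from Microsoft: it matches packets against rules on source/destination address range, protocol, destination port and arriving interface, falls through to a default deny, and applies a constructed rule set for a perimeter firewall that exposes only HTTPS and SMTP on the front-end servers while allowing the front-end to reach the back-end RPC and global catalog ports. The address ranges, interface names, rules and sample packets are all constructed for illustration.

```powershell
# Added example: stateless packet-filter evaluation with default deny.
# All addresses, interface names and rules below are constructed for illustration.

function ConvertTo-IPv4Int {
    # Convert a dotted-quad IPv4 address to a 64-bit integer for prefix comparison.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216L + [long]$b[1] * 65536L + [long]$b[2] * 256L + [long]$b[3]
}

function Test-IPInRange {
    # True when $Address falls inside the CIDR range $Cidr ('any' matches everything).
    param([string]$Address, [string]$Cidr)
    if ($Cidr -eq 'any') { return $true }
    $net, $bits = $Cidr.Split('/')
    $bits = [int]$bits
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))   # e.g. /24 -> 0xFFFFFF00
    return (((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask))
}

# Constructed rule set: 192.0.2.0/24 is the perimeter (front-end) segment,
# 10.0.0.0/24 is the private segment holding back-end servers and global catalogs.
# Rules are evaluated top to bottom; the first match wins.
$Rules = @(
    @{ Name = 'HTTPS to front-end'; Action = 'allow'; Protocol = 'tcp'; Source = 'any';          Destination = '192.0.2.0/24'; DestPort = '443';  InInterface = 'internet'  },
    @{ Name = 'SMTP to front-end';  Action = 'allow'; Protocol = 'tcp'; Source = 'any';          Destination = '192.0.2.0/24'; DestPort = '25';   InInterface = 'internet'  },
    @{ Name = 'Block plain HTTP';   Action = 'deny';  Protocol = 'tcp'; Source = 'any';          Destination = '192.0.2.0/24'; DestPort = '80';   InInterface = 'internet'  },
    @{ Name = 'Front-end to RPC';   Action = 'allow'; Protocol = 'tcp'; Source = '192.0.2.0/24'; Destination = '10.0.0.0/24';  DestPort = '135';  InInterface = 'perimeter' },
    @{ Name = 'Front-end to GC';    Action = 'allow'; Protocol = 'tcp'; Source = '192.0.2.0/24'; Destination = '10.0.0.0/24';  DestPort = '3268'; InInterface = 'perimeter' }
)

function Test-Packet {
    # Return the action and the rule that decided it; unmatched packets hit the default deny.
    param([hashtable]$Packet, [object[]]$RuleSet)
    foreach ($r in $RuleSet) {
        if ($r.Protocol -ne 'any'    -and $r.Protocol -ne $Packet.Protocol)          { continue }
        if ($r.InInterface -ne 'any' -and $r.InInterface -ne $Packet.InInterface)    { continue }
        if (-not (Test-IPInRange $Packet.Source $r.Source))                          { continue }
        if (-not (Test-IPInRange $Packet.Destination $r.Destination))                { continue }
        if ($r.DestPort -ne 'any'    -and [string]$r.DestPort -ne [string]$Packet.DestPort) { continue }
        return [pscustomobject]@{ Action = $r.Action; Rule = $r.Name }
    }
    return [pscustomobject]@{ Action = 'deny'; Rule = 'default deny' }
}

# Constructed sample traffic: an Internet client reaching the front-end on 443 and 80,
# an Internet client trying to reach the back-end RPC port directly, and a front-end
# server doing a global catalog lookup.
$SamplePackets = @(
    @{ Source = '203.0.113.5'; Destination = '192.0.2.10'; Protocol = 'tcp'; DestPort = 443;  InInterface = 'internet'  },
    @{ Source = '203.0.113.5'; Destination = '192.0.2.10'; Protocol = 'tcp'; DestPort = 80;   InInterface = 'internet'  },
    @{ Source = '203.0.113.5'; Destination = '10.0.0.20';  Protocol = 'tcp'; DestPort = 135;  InInterface = 'internet'  },
    @{ Source = '192.0.2.10';  Destination = '10.0.0.20';  Protocol = 'tcp'; DestPort = 3268; InInterface = 'perimeter' }
)

foreach ($p in $SamplePackets) {
    $verdict = Test-Packet -Packet $p -RuleSet $Rules
    '{0} -> {1}:{2} via {3}: {4} ({5})' -f $p.Source, $p.Destination, $p.DestPort, $p.InInterface, $verdict.Action, $verdict.Rule
}
```

The third sample packet is the one worth noticing: no rule mentions Internet-sourced traffic to the private segment, so it is dropped by the default deny rather than by an explicit rule, which is exactly the behaviour the article describes for a firewall that only forwards what it has been told to allow.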

MAPI Client Connection Across a Firewall

Messaging Application Programming Interface (MAPI) is a specification that provides a common method of accessing messaging backbones. A MAPI-based Exchange client is a messaging application which communicates with an Exchange server using MAPI and the Exchange transport. A MAPI information service must be available for the messaging backbone before a MAPI-based client can be used. Because MAPI defines standardized interfaces at two layers, a client interface and a service provider interface, client applications and data services can be developed independently of each other. MAPI remains consistent regardless of the backbone and data services used.

RPC over HTTP makes it possible for remote users to access Exchange Server 2003 through the Outlook 2003 MAPI client over the Internet.

To enable RPC over HTTP, the following configuration must be performed on the front-end server that handles the remote connection:

  • The RPC over HTTP Proxy Windows component has to be installed.
  • IIS needs to be configured to support RPC over HTTP communication.

Through RPC over HTTP, messages sent by a MAPI client are able to reach the Exchange Server 2003 server through a firewall. When using RPC over HTTP, Outlook users can connect directly to an Exchange server over the Internet via HTTP. Whether the Exchange server and Outlook reside on different networks, or are behind firewalls, is irrelevant. RPC over HTTP provides remote users with secure communication access to the Outlook features of the MAPI client.

When you install and configure RPC over HTTP, the Exchange front-end server becomes an RPC proxy server that defines the ports the RPC client uses to connect to the Exchange servers, global catalog servers and domain controllers.

The RPC proxy server can be deployed in either of the following locations:

  • Inside the firewall: If you do not want to open the ports the RPC proxy server needs to connect to other computers, you can configure the RPC proxy server on an Exchange Server 2003 front-end server inside the firewall and install an ISA server in the demilitarized zone (DMZ). The ISA server then forwards RPC over HTTP requests to the Exchange front-end server.
  • In the demilitarized zone (DMZ): To reduce the number of ports used by the RPC proxy server, you can configure the RPC proxy server on an Exchange Server 2003 front-end server in the demilitarized zone (DMZ).

Configuring Exchange Server 2003 to Use RPC Over HTTP

The following steps must be performed to configure Exchange Server 2003 to use RPC over HTTP:

  • Configure the front-end Exchange server as the RPC proxy server.
  • Configure the RPC virtual directory in Internet Information Services (IIS) for basic authentication.
  • Configure the registry on the back-end Exchange server to use the specified ports. This must be the back-end Exchange server which communicates with the RPC proxy server.
  • Open those ports on the internal firewall in front of the Exchange back-end server.
  • Configure the Outlook profile for users to use RPC over HTTP.

How to install the RPC over HTTP Proxy Windows component

  1. Log on to the front-end Exchange server.
  2. Open Control Panel.
  3. Click Add or Remove Programs.
  4. Select Add/Remove Windows Components.
  5. The Windows Components dialog box opens.
  6. Select Networking Services and click the Details button.
  7. The Networking Services Component dialog box opens.
  8. Select RPC over HTTP Proxy.
  9. Click OK.
  10. Click Next to install the RPC over HTTP Proxy Windows component.
  11. Click Finish.

How to configure the RPC virtual directory in Internet Information Services (IIS) for basic authentication

  1. On the Exchange front-end server, click Start, Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. The IIS Manager console opens.
  3. In the left pane, expand the server node, Web Sites, and then Default Web Site.
  4. Right-click Rpc and select Properties from the shortcut menu.
  5. The Rpc Properties dialog box opens.
  6. Click the Directory Security tab.
  7. Click Edit.
  8. Uncheck Enable Anonymous Access.
  9. Select Basic Authentication. Integrated Windows Authentication is selected by default.
  10. Click OK.

How to configure the registry on the back-end Exchange server to use the specified ports

On the Exchange front-end server:

  1. Open the Registry Editor on the Exchange front-end server.
  2. Navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy registry key.
  3. Right-click ValidPorts and then select Modify on the shortcut menu.
  4. In the Edit String window, provide the appropriate Exchange front-end server information.
  5. Close the Registry Editor on the Exchange front-end server.

On the Exchange back-end server:

  1. Open the Registry Editor on the Exchange back-end server.
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters registry key.
  3. Right-click Rpc/HTTP NSPI Port and then select Modify on the shortcut menu.
  4. Select Decimal in the Base area.
  5. In the Value Data field, provide the appropriate information.
  6. Click OK.
  7. Right-click HTTP Port and select Modify from the shortcut menu.
  8. Select Decimal in the Base area.
  9. In the Value Data field, provide the appropriate information.
  10. Click OK.
  11. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry key.
  12. Right-click Rpc/HTTP Port and select Modify from the shortcut menu.
  13. Select Decimal in the Base area.
  14. In the Value Data field, provide the appropriate information.
  15. Click OK.
  16. Close the Registry Editor on the Exchange back-end server.
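The registry procedure above is easy to get subtly wrong, because the ValidPorts string on the front-end must name exactly the ports the back-end has been told to listen on. The following PowerShell is an added example written for this article, not Microsoft's code or a script from the article: it sets the same registry keys and values the procedure walks through in Registry Editor, and then checks the front-end ValidPorts string against the back-end port values. The server names are placeholders, and the port numbers (6001, 6002 and 6004) are the values Microsoft's Exchange Server 2003 RPC over HTTP documentation uses; they are treated as assumptions here, and you should use whatever your deployment specifies.

```powershell
# Added example: set and verify the RPC over HTTP registry values.
# Server names are placeholders; port numbers are assumed from Microsoft's
# Exchange Server 2003 documentation and must match your deployment.

$BackEndFqdn    = 'BACKEND01.corp.example'   # placeholder: back-end server FQDN
$BackEndNetbios = 'BACKEND01'                # placeholder: back-end NetBIOS name

$RpcProxyKey = 'HKLM:\Software\Microsoft\Rpc\RpcProxy'                                   # front-end
$SaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'         # back-end
$IsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'   # back-end

# Assumed port assignments: information store, DSProxy referral, NSPI (directory) service.
$Ports = @{ Store = 6001; Referral = 6002; Nspi = 6004 }

function New-ValidPortsString {
    # Build the ValidPorts value: one "name:range" entry per name a client may resolve.
    param([string]$Fqdn, [string]$NetBios, [hashtable]$P)
    $entries = foreach ($name in @($Fqdn, $NetBios)) {
        '{0}:{1}-{2};{0}:{3}' -f $name, $P.Store, $P.Referral, $P.Nspi
    }
    return ($entries -join ';')
}

function Set-RpcProxyValidPorts {
    # Run on the FRONT-END server (the RPC proxy). Requires an elevated session.
    param([string]$Fqdn, [string]$NetBios, [hashtable]$P)
    $value = New-ValidPortsString -Fqdn $Fqdn -NetBios $NetBios -P $P
    Set-ItemProperty -Path $RpcProxyKey -Name 'ValidPorts' -Value $value -Type String
    return $value
}

function Set-BackEndRpcHttpPorts {
    # Run on the BACK-END server: the DWORD values the RPC proxy connects to.
    param([hashtable]$P)
    foreach ($k in @($SaKey, $IsKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $SaKey -Name 'Rpc/HTTP NSPI Port' -Value $P.Nspi     -Type DWord
    Set-ItemProperty -Path $SaKey -Name 'HTTP Port'          -Value $P.Referral -Type DWord
    Set-ItemProperty -Path $IsKey -Name 'Rpc/HTTP Port'      -Value $P.Store    -Type DWord
}

function Get-BackEndRpcHttpPorts {
    # Read the back-end values back so they can be compared with the proxy's ValidPorts.
    $sa = Get-ItemProperty -Path $SaKey
    $is = Get-ItemProperty -Path $IsKey
    return @{ Store = $is.'Rpc/HTTP Port'; Referral = $sa.'HTTP Port'; Nspi = $sa.'Rpc/HTTP NSPI Port' }
}

function Test-RpcHttpPortsConsistent {
    # True only when every port referenced in ValidPorts is one the back-end listens on.
    param([string]$ValidPorts, [hashtable]$P)
    $expected = @([int]$P.Store, [int]$P.Referral, [int]$P.Nspi)
    foreach ($entry in $ValidPorts.Split(';')) {
        $range = $entry.Split(':')[1]
        $lo, $hi = $range.Split('-')
        if (-not $hi) { $hi = $lo }
        foreach ($port in ([int]$lo)..([int]$hi)) {
            if ($expected -notcontains $port) { return $false }
        }
    }
    return $true
}

# Usage (each command on the server it applies to, in an elevated session):
#   $vp = Set-RpcProxyValidPorts -Fqdn $BackEndFqdn -NetBios $BackEndNetbios -P $Ports   # front-end
#   Set-BackEndRpcHttpPorts -P $Ports                                                      # back-end
#   Test-RpcHttpPortsConsistent -ValidPorts $vp -P (Get-BackEndRpcHttpPorts)              # back-end
```

Building the string in a separate function lets you inspect the exact ValidPorts value before writing it, and the consistency check is the one thing Registry Editor cannot do for you: a port that appears in ValidPorts but not in the back-end keys is a connection the proxy will attempt and the internal firewall has no reason to permit.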

How to configure the Outlook profile for users to use RPC over HTTP

The following default settings provide the most secure method of client connection:

  • Connect with SSL Only
  • Mutually Authenticate the Session When Connecting with SSL
  • Password Authentication is NTLM

To configure the Outlook profile for users to use RPC over HTTP:

  1. On the back-end Exchange server, open Control Panel.
  2. In the See Also pane, select Other Control Panel Options and then Mail.
  3. Click Show Profiles.
  4. When the Mail dialog box opens, click Add.
  5. In the New Profile dialog box, in the Profile Name box, enter a name for the profile you are creating.
  6. Select the Add A New E-Mail Account option and click Next.
  7. The Exchange Server Settings dialog box opens.
  8. Enter the Exchange server name and the account user name.
  9. Click Check Names and then click OK.
  10. Click More Settings.
  11. Click the Connection tab.
  12. In the Connection area of the tab, select the Connect Using Internet Explorer's Or A 3rd Party Dialer option.
  13. In the Modem area of the Connection tab, select the Connect To My Exchange Mailbox Using HTTP option.
  14. Click Exchange Proxy Settings.
  15. In the Use This URL To Connect To My Proxy Server For Exchange box, provide the appropriate URL.
  16. Select the Connect Using SSL Only option.
  17. Select the Mutually Authenticate The Session When Connecting With SSL option.
  18. In the Principal Name For Proxy Server box, provide the principal name.
  19. For a client on a fast network, the default connection order can be left unchanged: connect through TCP/IP first and then HTTP.
  20. For a client on a slow network, change the default connection order to connect through HTTP first and then TCP/IP.
  21. In the Proxy Authentication Settings area of the Exchange Proxy Settings page, select the Basic Authentication option from the Use This Authentication When Connecting To My Proxy Server For Exchange drop-down list.
  22. Click OK.
  23. Click Finish.