Microsoft Exchange 2000 Server Connectivity Through a Firewall
  • 1. Microsoft Exchange 2000 Server Connectivity Through a Firewall. Linden Goffar, Microsoft Product Support Professional
  • 2. Agenda
    • Microsoft® Exchange 2000 security basics
    • What is a firewall?
    • Firewall placement and network infrastructure
    • Clients and client protocols
    • Configuring firewalls for Exchange 2000 connectivity
  • 3. Exchange 2000 Security Basics
    • Stay up to date on patches
    • Harden your servers (using white papers, checklists, and tools such as IISLockdown and URLScan)
    • Protect your passwords
    • Know your access points
    • Protect your network
    • http://windowsupdate.microsoft.com/
    • http://www.microsoft.com/security/
  • 4. What Is a Firewall? (In the Context of This Discussion)
    • A port-filtering router
    • Drops or rejects packets based on port, destination address, and source address
    • Is this a reasonable definition of a firewall?
      • Because we are primarily discussing configuration, yes.
      • If this were a full discussion of security, probably not: a port filter sees only packet headers, which is why slide 23 adds ISA Server for application-layer filtering.
  • 5. Firewall Placement Basic Network Infrastructure Options
    • Brief introduction to front-end, back-end topology
    • Single firewall or front-end server behind the firewall
    • Perimeter network (also known as demilitarized zone or DMZ) or extranet
    • Adding Microsoft Internet Security and Acceleration (ISA) Server to the mix
  • 6. Brief Discussion on FE-BE
    • What is a front-end (FE) server?
      • Proxies client requests to back-end (BE) servers
      • Only applies to HTTP, IMAP, and POP3 clients (not MAPI or SMTP)
    • Why implement FE-BE?
      • Single namespace
      • Single access point
    http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
  • 7. Single Firewall / Front-End Server Behind the Firewall [network diagram: Internet, firewall, front-end server; not captured in the transcript]
  • 8. Perimeter Network or Extranet [network diagram: Internet, perimeter network; not captured in the transcript]
  • 9. Adding ISA to the Mix [network diagram: Internet, ISA Server; not captured in the transcript]
  • 10. Clients
    • Any piece of software that makes an inbound connection to an Exchange 2000 server.
    • An Exchange 2000 server also acts as a client when it forwards or relays SMTP messages, outbound or internally.
  • 11. MAPI Clients (Outlook, Outlook Web Access 5.5 Servers)
    • End Point Mapper
      • TCP: 135
      • Client -> DCs and Exchange servers
      • The client asks the endpoint mapper which port a service listens on, so TCP 135 must stay open even after the service ports below are statically mapped
    • NSPI or Directory Service
      • TCP port dynamically assigned (can be statically mapped in the registry)
      • Client -> DCs and Exchange servers
    • Q305572, "OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation"
    • Q270836, "XCLN: Exchange 2000 Static Port Mappings"
  • 12. MAPI Clients (2) (Outlook, Outlook Web Access 5.5 Servers)
    • Information Store
      • TCP port dynamically assigned (can be statically mapped in the registry)
      • Client -> Exchange mailbox and public folder servers
    • Outbound UDP (push notification)
      • Server -> client: new-mail notifications are pushed over UDP to a port the client registers, which does not work through NAT (Q305572)
      • The client can be configured to poll instead
    • Q305572, "OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation"
    • Q270836, "XCLN: Exchange 2000 Static Port Mappings"
  • 13. HTTP/HTTPS Web Browsers
    • HTTP
      • TCP: 80
      • Client -> Exchange servers
    • HTTPS
      • TCP: 443
      • Client -> Exchange servers
  • 14. SMTP Clients and External Servers
    • SMTP
      • TCP: 25
      • Client -> Exchange servers
      • External SMTP gateways <-> Exchange servers
  • 15. POP3 and IMAP Clients
    • POP3
      • TCP: 110, or TCP: 995 for POP3 over SSL
      • Client -> Exchange servers
    • IMAP
      • TCP: 143, or TCP: 993 for IMAP over SSL
      • Client -> Exchange servers
  • 16. FE Exchange 2000 Servers in a Perimeter Network in Front of a Firewall
    • DNS
      • TCP/UDP: 53
      • FE -> DNS servers
    • LDAP
      • TCP/UDP: 389 (domain controller); TCP: 3268 (Global Catalog)
      • FE -> domain controllers, Global Catalog servers
    • End Point Mapper (RPC)
      • TCP: 135
      • FE -> domain controllers and Exchange BE servers
    • NTDS
      • TCP port dynamically assigned (can be statically mapped in the registry)
      • FE -> domain controllers, Global Catalog servers
  • 17. FE Exchange 2000 Servers (2) in a Perimeter Network in Front of a Firewall
    • Kerberos authentication
      • TCP/UDP: 88
      • FE -> domain controllers
    • Server message block (SMB) for Netlogon
      • TCP: 445
      • FE -> domain controllers
    • NTP (not a requirement for connectivity, but Kerberos fails if the FE clock drifts beyond the domain's tolerance, 5 minutes by default)
      • UDP: 123 (NTP uses UDP, not TCP)
      • FE -> time server
  • 18. FE Exchange 2000 Servers (3) in a Perimeter Network in Front of a Firewall
    • Link state algorithm routing (required for SMTP)
      • TCP: 691
      • FE -> other Exchange servers
    • HTTP to back-end servers
      • TCP: 80
      • FE -> BE servers
    • POP3 to back-end servers
      • TCP: 110
      • FE -> BE servers
    • Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"
  • 19. FE Exchange 2000 Servers (4) in a Perimeter Network in Front of a Firewall
    • IMAP to back-end servers
      • TCP: 143, or TCP: 993 for IMAP over SSL
      • FE -> BE servers
    • SMTP
      • TCP: 25
      • FE <-> other Exchange servers
    • Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"
  • 20. FE Exchange 2000 Servers: Pass-Through Authentication for OWA
    • Allow only Anonymous authentication on the front-end HTTP virtual directories; the front-end then does not authenticate the user itself but passes the request, with the credentials it carries, to the back-end server, which authenticates it
    • Advantages:
      • Does not require RPC ports for authentication
      • Allows for somewhat tighter firewall rules
    • Disadvantages:
      • Implicit logon does not work
        • User must supply the username in the URL: https://<servername>/exchange/<username>
        • Cannot use https://<servername>/exchange
      • No load balancing of public folder servers
      • Server setup and configuration must be performed on the internal LAN
  • 21. FE Exchange 2000 Servers: IPSec Between FE and Internal Servers
    • IPSec protects the traffic between FE servers in a perimeter network and internal servers.
    • The following must be allowed between FE servers and each applicable internal server. Note that AH and ESP are IP protocols, not TCP ports, so the firewall must match the protocol number:
      • IP protocol 50 (ESP)
      • IP protocol 51 (AH)
      • UDP: 500 (IKE)
      • Q233256, "How to Enable IPSec Traffic Through a Firewall"
  • 22. FE Exchange 2000 Servers (2): IPSec Between FE and Internal Servers
    • By default, Kerberos (TCP/UDP: 88) is exempt from IPSec filtering and is therefore not secured; the exemption can be removed
      • Q254728, "IPSec Does Not Secure Kerberos Traffic Between Domain Controllers"
    • Secures data such as HTTP (including the pass-through credentials from slide 20), which is otherwise open to sniffing by an attacker on the perimeter network.
      • Q233256, "How to Enable IPSec Traffic Through a Firewall"
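The FE-to-internal port lists on slides 16 through 19 and the IPSec requirements on slide 21 are easy to transcribe wrongly into a rule set (a whole high-port range opened "for RPC", or AH/ESP written as TCP ports). The following added example, which is not part of the WebCast, audits a candidate rule set against those flows. The host labels (FE, BE, DC, GC, DNS), the rule syntax and the statically mapped NTDS port 1600 are assumptions made for the illustration.

```python
# Added example (not from the WebCast): audit a perimeter-firewall rule set
# against the FE -> internal flows on slides 16-19 and 21-22.  Host labels
# (FE, BE, DC, GC, DNS), the rule syntax and the static NTDS port 1600 are
# assumptions made for this illustration.
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str              # "tcp", "udp", or "ip" for a bare IP protocol (AH/ESP)
    port: Union[int, str]   # port, IP protocol number, or an RPC service name
    purpose: str            # whose port is dynamic until statically mapped

# Flows the slides list as required for a front-end server in the perimeter.
REQUIRED = [Flow(*f) for f in [
    ("FE", "DNS", "udp", 53, "DNS"), ("FE", "DNS", "tcp", 53, "DNS"),
    ("FE", "DC", "tcp", 389, "LDAP"), ("FE", "DC", "udp", 389, "LDAP"),
    ("FE", "GC", "tcp", 3268, "Global Catalog LDAP"),
    ("FE", "DC", "tcp", 135, "RPC endpoint mapper"),
    ("FE", "BE", "tcp", 135, "RPC endpoint mapper"),
    ("FE", "DC", "tcp", "NTDS", "directory RPC (dynamic unless statically mapped)"),
    ("FE", "DC", "tcp", 88, "Kerberos"), ("FE", "DC", "udp", 88, "Kerberos"),
    ("FE", "DC", "tcp", 445, "SMB for Netlogon"),
    ("FE", "BE", "tcp", 691, "link state routing"),
    ("FE", "BE", "tcp", 80, "HTTP to back-end"),
    ("FE", "BE", "tcp", 110, "POP3 to back-end"),
    ("FE", "BE", "tcp", 143, "IMAP to back-end"),
    ("FE", "BE", "tcp", 25, "SMTP"),
    # IPSec (slide 21): IKE is UDP 500; ESP and AH are IP protocols 50 and 51,
    # not TCP ports, so a port-filtering router must match the protocol number.
    ("FE", "BE", "udp", 500, "IKE"),
    ("FE", "BE", "ip", 50, "ESP"), ("FE", "BE", "ip", 51, "AH"),
]]

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: Union[int, tuple, str]   # single port/protocol, (lo, hi) range, or "any"

    def covers(self, proto, port):
        if self.proto != proto:
            return False
        if self.ports == "any":
            return True
        if isinstance(self.ports, tuple):
            return self.ports[0] <= port <= self.ports[1]
        return self.ports == port

def audit(rules, static_ports):
    """Return findings: required flows with no rule, RPC services still on a
    dynamic port, over-broad rules, and AH/ESP written as TCP/UDP ports."""
    findings = []
    for f in REQUIRED:
        port = f.port
        if isinstance(port, str):            # RPC service: needs a static mapping first
            if port not in static_ports:
                findings.append(f"UNRESOLVED {f.src}->{f.dst} {f.purpose}: map a static "
                                f"port (Q270836) before writing a rule")
                continue
            port = static_ports[port]
        if not any(r.src == f.src and r.dst == f.dst and r.covers(f.proto, port)
                   for r in rules):
            findings.append(f"MISSING {f.src}->{f.dst} {f.proto}/{port} ({f.purpose})")
    for r in rules:
        if r.ports == "any" or isinstance(r.ports, tuple):
            findings.append(f"BROAD {r.src}->{r.dst} {r.proto} {r.ports}: "
                            f"replace with the specific ports")
        if r.proto in ("tcp", "udp") and r.ports in (50, 51):
            findings.append(f"SUSPECT {r.src}->{r.dst} {r.proto}/{r.ports}: if this is "
                            f"meant for IPSec, AH/ESP are IP protocols, not ports")
    return findings

def _base():
    return [Rule(*r) for r in [
        ("FE", "DNS", "udp", 53), ("FE", "DNS", "tcp", 53),
        ("FE", "DC", "tcp", 389), ("FE", "DC", "udp", 389), ("FE", "GC", "tcp", 3268),
        ("FE", "DC", "tcp", 135), ("FE", "BE", "tcp", 135),
        ("FE", "DC", "tcp", 88), ("FE", "DC", "udp", 88), ("FE", "DC", "tcp", 445),
        ("FE", "BE", "tcp", 691), ("FE", "BE", "tcp", 80), ("FE", "BE", "tcp", 110),
        ("FE", "BE", "tcp", 143), ("FE", "BE", "tcp", 25), ("FE", "BE", "udp", 500),
    ]]

# A first attempt: the whole high port range opened for RPC, and AH/ESP
# transcribed as "TCP 50/51" exactly as the slide prints them.
EXAMPLE_RULES = _base() + [Rule("FE", "DC", "tcp", (1024, 65535)),
                           Rule("FE", "BE", "tcp", 50), Rule("FE", "BE", "tcp", 51)]

# The corrected set: one statically mapped NTDS port and real IP-protocol rules.
FIXED_RULES = _base() + [Rule("FE", "DC", "tcp", 1600),
                         Rule("FE", "BE", "ip", 50), Rule("FE", "BE", "ip", 51)]

if __name__ == "__main__":
    for line in audit(EXAMPLE_RULES, {}):
        print(line)
    print("fixed set findings:", audit(FIXED_RULES, {"NTDS": 1600}))
```

Running the audit on the first attempt reports the unmapped NTDS port, the two missing IP-protocol rules, the over-broad range and the two mis-specified AH/ESP rules; the corrected set, together with the static mapping, produces no findings. Rules that open the dynamic range are flagged even when they happen to cover the mapped port, because the point of static mapping is to close that range.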
  • 23. Advantages of Using ISA
    • Content filtering
    • Application publishing
    • MAPI and RPC publishing benefits
      • Verifies that incoming RPC requests are for a permitted interface UUID
      • Opens RPC ports dynamically, only for valid requests, instead of leaving the whole dynamic range open
      • Custom content-filtering options available
  • 24. Outbound Communication
    • TCP/UDP ports
      • Outbound connections use any ephemeral source port (the client/source port is not configurable), so they cannot be filtered by source port
      • How do I secure outbound communications?
        • Block all inbound packets not associated with a session an internal host opened (stateful filtering)
        • Application-layer filtering
        • Forward proxy (ISA)
    • What protocols must I allow outbound?
      • Exchange servers: SMTP and DNS
      • Domain controllers: none
      • Internal clients: HTTP, IM, FTP, and so on
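The outbound policy above, "allow only what the inside opens and drop everything that is not a reply to it", is what a stateful filter does. The following added example, not part of the WebCast, is a minimal simulation of that behaviour over a constructed packet sequence; the host names, ports and packets are made up for the illustration, and the per-host policy encodes the three bullets above (Exchange: SMTP and DNS; domain controller: nothing; client: HTTP and HTTPS).

```python
# Added example (not from the WebCast): a minimal stateful filter that enforces
# the outbound policy on slide 24 -- an Exchange server may open SMTP and DNS,
# a domain controller may open nothing, and inbound packets are accepted only
# when they answer a session the inside opened.  Host names, ports and the
# packets below are constructed for the illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: a new connection request

class StatefulFilter:
    def __init__(self, inside, allowed_outbound, udp_timeout=30.0):
        self.inside = set(inside)                 # hosts on the protected side
        self.allowed = set(allowed_outbound)      # {(host, proto, dport)} they may open
        self.tcp = set()                          # 4-tuples of open outbound TCP sessions
        self.udp = {}                             # 4-tuple -> expiry of a pending UDP reply
        self.udp_timeout = udp_timeout

    def decide(self, p, now):
        """Return (allowed, reason) and update state.  `now` is a clock in seconds."""
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.src in self.inside:                                   # outbound
            if (p.src, p.proto, p.dport) not in self.allowed:
                return False, "outbound: host/port not in policy"
            if p.proto == "tcp":
                if p.syn:
                    self.tcp.add(key)
                elif key not in self.tcp:
                    return False, "outbound: tcp segment without a session"
            else:
                self.udp[key] = now + self.udp_timeout             # expect one reply
            return True, "outbound: permitted"
        if p.proto == "tcp":                                       # inbound TCP
            if p.syn:
                return False, "inbound: unsolicited connection"
            if reverse in self.tcp:
                return True, "inbound: reply on open session"
            return False, "inbound: no matching session"
        expiry = self.udp.pop(reverse, None)                       # inbound UDP
        if expiry is None:
            return False, "inbound: no pending udp query"
        if now > expiry:
            return False, "inbound: udp reply too late"
        return True, "inbound: udp reply"

# Policy from slide 24: Exchange -> SMTP and DNS; DC -> nothing; client -> HTTP(S).
POLICY = {("exch", "tcp", 25), ("exch", "udp", 53), ("exch", "tcp", 53),
          ("client", "tcp", 80), ("client", "tcp", 443)}

def demo():
    """Run a constructed packet sequence and return the decisions in order."""
    fw = StatefulFilter(inside={"exch", "dc", "client"}, allowed_outbound=POLICY)
    traffic = [
        (0, Packet("tcp", "exch", 40001, "mx.example.net", 25, syn=True)),  # SMTP out
        (1, Packet("tcp", "mx.example.net", 25, "exch", 40001)),            # its reply
        (2, Packet("tcp", "203.0.113.9", 4444, "exch", 135, syn=True)),     # scan on 135
        (3, Packet("tcp", "dc", 40002, "203.0.113.9", 80, syn=True)),       # DC calls out
        (4, Packet("udp", "exch", 50000, "dns.example.net", 53)),           # DNS query
        (5, Packet("udp", "dns.example.net", 53, "exch", 50000)),           # its answer
        (6, Packet("udp", "dns.example.net", 53, "exch", 50000)),           # replayed answer
        (7, Packet("udp", "203.0.113.9", 53, "exch", 50001)),               # spoofed answer
    ]
    return [fw.decide(p, t) for t, p in traffic]

if __name__ == "__main__":
    for allowed, why in demo():
        print("ALLOW" if allowed else "DROP ", why)
```

The sequence shows the two halves of the rule: the SMTP reply and the DNS answer get in because the inside opened them, while the inbound scan on 135, the domain controller's own outbound attempt, the replayed DNS answer and the answer to a query that was never sent are all dropped. A real filter additionally tracks TCP teardown and uses tighter UDP timeouts; the UDP entry is consumed by the first reply so that a late or duplicated packet cannot reuse it.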
  • 25. References: Web Pages
    • http://windowsupdate.microsoft.com/
    • http://www.microsoft.com/security/
    • Exchange 2000 Front-End and Back-End Topology: http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
    • Configuring and Securing Microsoft Exchange 2000 Server and Clients: http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp
  • 26. References: Microsoft Knowledge Base Articles
    • Q311184, "HOW TO: Perform Security Planning for Internet Information Services 5.0"
    • Q161990, "How to Enable Strong Password Functionality in Windows NT"
    • Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"
  • 27. Thank you for joining us for today's Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit http://support.microsoft.com/webcasts/. We sincerely appreciate your feedback. Please send any comments or suggestions about the Support WebCasts to [email_address].