Microsoft Exchange 2000 Server Connectivity Through a Firewall
1. Microsoft Exchange 2000 Server Connectivity Through a Firewall
   Linden Goffar, Microsoft Product Support Professional

2. Agenda
   - Microsoft Exchange 2000 security basics
   - What is a firewall?
   - Firewall placement, network infrastructure
   - Clients and client protocols
   - Configuring firewalls for Exchange 2000 connectivity

3. Exchange 2000 Security Basics
   - Stay up-to-date on patches
   - Harden your servers (using white papers, checklists, and tools such as IISLockdown and URLScan)
   - Protect your passwords
   - Know your access points
   - Protect your network
   - http://windowsupdate.microsoft.com/
   - http://www.microsoft.com/security/

4. What Is a Firewall? (In the Context of This Discussion)
   - Port filtering router
   - Drops or rejects packets based on port, destination address, and source address
   - Is this a reasonable definition of a firewall?
     - Because we are primarily discussing configuration, yes.
     - If this were a full discussion on security, probably not.

5. Firewall Placement: Basic Network Infrastructure Options
   - Brief introduction to front-end, back-end topology
   - Single firewall or front-end server behind the firewall
   - Perimeter network (also known as demilitarized zone or DMZ) or extranet
   - Adding Microsoft Internet Security and Acceleration (ISA) Server to the mix

6. Brief Discussion on FE-BE
   - What is a front-end (FE) server?
     - Proxies client requests to back-end (BE) servers
     - Only applies to HTTP, IMAP, and POP3 clients (not MAPI or SMTP)
   - Why implement FE-BE?
     - Single namespace
     - Single access point
   http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
   (Note that the URL should be entered as one line; it is wrapped here for readability.)

7. Single Firewall / Front-End Server Behind the Firewall
   (Diagram; only the label "Internet or" survived extraction.)

8. Perimeter Network or Extranet
   (Diagram; only the label "Internet" survived extraction.)

9. Adding ISA to the Mix
   (Diagram; only the label "Internet or" survived extraction.)

10. Clients
   - A client is any piece of software that makes an inbound connection to an Exchange 2000 server.
   - An Exchange 2000 server can also act as a client when forwarding or relaying SMTP messages outbound or internally.

11. MAPI Clients (Outlook, Outlook Web Access 5.5 servers)
   - End Point Mapper
     - TCP: 135
     - Client -> DCs and Exchange servers
   - NSPI or Directory Service
     - TCP port dynamically assigned (can be statically mapped in the registry)
     - Client -> DCs and Exchange servers
   - Q305572, "OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation"
   - Q270836, "XCLN: Exchange 2000 Static Port Mappings"

12. MAPI Clients (2) (Outlook, Outlook Web Access 5.5 servers)
   - Information Store
     - TCP port dynamically assigned (can be statically mapped in the registry)
     - Client -> Exchange mailbox and public folder servers
   - Outbound UDP (push notification)
     - Can configure polling instead
   - Q305572, "OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation"
   - Q270836, "XCLN: Exchange 2000 Static Port Mappings"

13. HTTP/HTTPS Web Browsers
   - HTTP
     - TCP: 80
     - Client -> Exchange servers
   - HTTPS
     - TCP: 443
     - Client -> Exchange servers

14. SMTP Clients and External Servers
   - SMTP
     - TCP: 25
     - Client -> Exchange servers
     - External SMTP gateways <-> Exchange servers

15. POP3 and IMAP Clients
   - POP3
     - TCP: 110, or TCP: 995 for POP3 over SSL
     - Client -> Exchange servers
   - IMAP
     - TCP: 143, or TCP: 993 for IMAP over SSL
     - Client -> Exchange servers

16. FE Exchange 2000 Servers in a Perimeter Network in Front of a Firewall
   - DNS
     - TCP/UDP: 53
     - FE -> DNS servers
   - LDAP
     - TCP/UDP: 389, TCP: 3268
     - FE -> domain controllers, global catalog servers
   - End Point Mapper (RPC)
     - TCP: 135
     - FE -> domain controllers and Exchange BE servers
   - NTDS
     - TCP port dynamically assigned (can be statically mapped in the registry)
     - FE -> domain controllers, global catalog servers

17. FE Exchange 2000 Servers (2) in a Perimeter Network in Front of a Firewall
   - Kerberos authentication
     - TCP/UDP: 88
     - FE -> domain controllers
   - Server Message Block (SMB) for Netlogon
     - TCP: 445
     - FE -> domain controllers
   - NTP (not a requirement)
     - TCP: 123
     - FE -> time server

18. FE Exchange 2000 Servers (3) in a Perimeter Network in Front of a Firewall
   - Link state algorithm routing (required for SMTP)
     - TCP: 691
     - FE -> other Exchange servers
   - HTTP to back-end servers
     - TCP: 80
     - FE -> BE servers
   - POP3 to back-end servers
     - TCP: 110
     - FE -> back-end servers
   - Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"

19. FE Exchange 2000 Servers (4) in a Perimeter Network in Front of a Firewall
   - IMAP to back-end servers
     - TCP: 143, or TCP: 993 for IMAP over SSL
     - FE -> back-end servers
   - SMTP
     - TCP: 25
     - FE <-> other Exchange servers
   - Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"

20. FE Exchange 2000 Servers: Pass-Through Authentication for OWA
   - Allow only Anonymous authentication on the front-end HTTP virtual directories
   - Advantages:
     - Does not require RPC ports for authentication
     - Allows for somewhat tighter firewall rules
   - Disadvantages:
     - Implicit logon does not work
       - User must supply the username when logging on: https://<servername>/exchange/<username>
       - Cannot use https://<servername>/exchange
     - No load balancing of public folder servers
     - Server setup and configuration must be performed on the internal LAN

21. FE Exchange 2000 Servers: IPSec Between FE and Internal Servers
   - IPSec creates a secure tunnel between FE servers in a perimeter network and internal servers.
   - The following ports must be open between FE servers and each applicable internal server:
     - TCP: 50
     - TCP: 51
     - UDP: 500
     - Q233256, "How to Enable IPSec Traffic Through a Firewall"

22. FE Exchange 2000 Servers (2): IPSec Between FE and Internal Servers
   - By default, Kerberos (TCP/UDP: 88) is not secured by IPSec; however, this can be enabled
     - Q254728, "IPSec Does Not Secure Kerberos Traffic Between Domain Controllers"
   - Secures data such as HTTP, which is otherwise open to sniffing by an attacker on the perimeter network.
     - Q233256, "How to Enable IPSec Traffic Through a Firewall"
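The slides above define a firewall as a port-filtering router (slide 4) and then list, service by service, what a front-end server in the perimeter network must be allowed to reach internally (slides 16 through 19 and 21). The following Python model is an added example and is not part of the webcast; it encodes those lists as a default-deny allow-list and evaluates constructed packets against it. Addresses come from the RFC 5737 documentation ranges, the statically mapped NTDS RPC port is a placeholder value, and the IPSec entries are modelled as IP protocols 50 (ESP) and 51 (AH) plus UDP 500 for IKE, which is how those numbers are carried on the wire; NTP is modelled over UDP for the same reason.

```python
# Added example (not from the webcast): a port-filtering router as an
# allow-list, loaded with the FE-to-internal rules from slides 16-19 and 21.
# All addresses are constructed (RFC 5737 ranges); STATIC_NTDS_PORT is a
# placeholder standing in for whatever the registry static mapping assigns.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "esp" or "ah"
    dport: Optional[int] = None   # None for protocols that carry no port


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]          # None means "any / not applicable"
    note: str


# Constructed topology: one FE in the perimeter, the rest on the internal LAN.
FE = "192.0.2.10"
INTERNAL = "198.51.100.0/24"
DC_GC = "198.51.100.5"            # domain controller / global catalog
BE = "198.51.100.20"              # back-end mailbox server
DNS_SRV = "198.51.100.2"
TIME_SRV = "198.51.100.3"
STATIC_NTDS_PORT = 6001           # placeholder: assumes NTDS RPC port statically mapped


def _both(src: str, dst: str, proto: str, port: Optional[int], note: str) -> List[Rule]:
    """Rule pair for traffic the slides mark as bidirectional (<->)."""
    return [Rule(src, dst, proto, port, note), Rule(dst, src, proto, port, note)]


ALLOW: List[Rule] = [
    Rule(FE, DNS_SRV, "tcp", 53, "DNS"),
    Rule(FE, DNS_SRV, "udp", 53, "DNS"),
    Rule(FE, DC_GC, "tcp", 389, "LDAP"),
    Rule(FE, DC_GC, "udp", 389, "LDAP"),
    Rule(FE, DC_GC, "tcp", 3268, "LDAP to global catalog"),
    Rule(FE, DC_GC, "tcp", 135, "RPC end point mapper"),
    Rule(FE, BE, "tcp", 135, "RPC end point mapper"),
    Rule(FE, DC_GC, "tcp", STATIC_NTDS_PORT, "NTDS (statically mapped RPC port)"),
    Rule(FE, DC_GC, "tcp", 88, "Kerberos"),
    Rule(FE, DC_GC, "udp", 88, "Kerberos"),
    Rule(FE, DC_GC, "tcp", 445, "SMB for Netlogon"),
    Rule(FE, TIME_SRV, "udp", 123, "NTP (optional; NTP runs over UDP)"),
    Rule(FE, BE, "tcp", 691, "link state routing"),
    Rule(FE, BE, "tcp", 80, "HTTP proxy to back end"),
    Rule(FE, BE, "tcp", 110, "POP3 proxy to back end"),
    Rule(FE, BE, "tcp", 143, "IMAP proxy to back end"),
    Rule(FE, BE, "tcp", 993, "IMAP over SSL to back end"),
    *_both(FE, BE, "tcp", 25, "SMTP between Exchange servers"),
    *_both(FE, INTERNAL, "esp", None, "IPSec ESP (IP protocol 50)"),
    *_both(FE, INTERNAL, "ah", None, "IPSec AH (IP protocol 51)"),
    *_both(FE, INTERNAL, "udp", 500, "IKE/ISAKMP for IPSec"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet is inside the rule's protocol, port and address scope."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net))


def decide(pkt: Packet, rules: List[Rule] = ALLOW) -> Tuple[str, str]:
    """Default deny: the first matching allow rule wins, anything else is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return ("allow", rule.note)
    return ("drop", "no matching rule")


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate LDAP query, an unexpected RDP
    # attempt from the FE, and an Internet host trying to reach the DC directly.
    for pkt in (Packet(FE, DC_GC, "tcp", 389),
                Packet(FE, DC_GC, "tcp", 3389),
                Packet("203.0.113.7", DC_GC, "tcp", 389),
                Packet(FE, BE, "esp")):
        print(pkt, "->", decide(pkt))
```

The value of writing the rule set out this way is that every hole in the firewall carries a note naming the service that justifies it, and anything the slides do not list (here the RDP attempt and the direct Internet-to-DC packet) falls through to the drop. The NTDS entry also shows why the slides keep returning to static port mapping: without a fixed port there is no single rule to write for that RPC service.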
23. Advantages of Using ISA
   - Content filtering
   - Application publishing
   - MAPI and RPC publishing benefits
     - Verifies requests are for a valid UUID
     - Opens RPC ports dynamically for valid requests
     - Custom content filtering options available

24. Outbound Communication
   - TCP/UDP ports
     - All ports (client/source port not configurable)
     - How do I secure outbound communications?
       - Block all ports not associated with a TCP session
       - Application layer filtering
       - Forward proxy (ISA)
   - What protocols must I allow outbound?
     - Exchange servers: SMTP and DNS
     - Domain controllers: None
     - Internal clients: HTTP, IM, FTP, and so on
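Slide 24 makes two points that fit together: the source port of an outbound connection is chosen by the client and cannot be pinned down by policy, so the inbound direction has to be controlled by session state rather than by port, and the set of services each host class may open outbound is short. The following Python model is an added example, not from the webcast; it tracks outbound sessions per host class and admits inbound packets only when they are replies to a remembered session. Host classes, addresses and ports are constructed; IM is left out because the slide gives it no port.

```python
# Added example (not from the webcast): a stateful outbound filter. Outbound
# connections are allowed per host class using the protocols slide 24 lists,
# the session is remembered, and inbound packets are accepted only when they
# belong to a remembered session ("block all ports not associated with a
# TCP session"). Addresses and host classes below are constructed.
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int        # ephemeral source port picked by the client, not configurable
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply to this flow will carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


# Outbound services each host class may open, from the slide's list.
OUTBOUND_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "exchange": {("tcp", 25), ("tcp", 53), ("udp", 53)},   # SMTP and DNS only
    "dc": set(),                                             # nothing outbound
    "client": {("tcp", 80), ("tcp", 21)},                    # HTTP, FTP, ...
}


class StatefulFilter:
    def __init__(self, host_class: Dict[str, str]):
        self.host_class = host_class            # internal address -> class name
        self.sessions: Set[Flow] = set()        # flows we have seen leave

    def outbound(self, flow: Flow) -> str:
        """Allow only the services the source host's class is permitted to use."""
        cls = self.host_class.get(flow.src)
        if cls is None or (flow.proto, flow.dport) not in OUTBOUND_POLICY.get(cls, set()):
            return "drop"
        self.sessions.add(flow)
        return "allow"

    def inbound(self, flow: Flow) -> str:
        """Admit a packet only if it is the reply half of a remembered session."""
        return "allow" if flow.reverse() in self.sessions else "drop"

    def close(self, flow: Flow) -> None:
        """Forget a session once it ends so its ports close again."""
        self.sessions.discard(flow)


if __name__ == "__main__":
    fw = StatefulFilter({"198.51.100.20": "exchange",
                         "198.51.100.5": "dc",
                         "198.51.100.50": "client"})
    smtp_out = Flow("tcp", "198.51.100.20", 49152, "203.0.113.25", 25)
    print("exchange SMTP out:", fw.outbound(smtp_out))
    print("SMTP reply in:   ", fw.inbound(smtp_out.reverse()))
    print("unsolicited in:  ", fw.inbound(Flow("tcp", "203.0.113.9", 4444, "198.51.100.20", 49152)))
    print("DC HTTP out:     ", fw.outbound(Flow("tcp", "198.51.100.5", 49153, "203.0.113.80", 80)))
```

Because the reply is matched on the full reversed 5-tuple, an unsolicited packet aimed at the same ephemeral port but from a different peer is still dropped, which is the property a plain port filter cannot give you once source ports are unpredictable. Application-layer filtering and a forward proxy, the other two options on the slide, sit on top of this check rather than replacing it.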
25. References: Web Pages
   - http://windowsupdate.microsoft.com/
   - http://www.microsoft.com/security/
   - Exchange 2000 Front-End and Back-End Topology: http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
   - Configuring and Securing Microsoft Exchange 2000 Server and Clients: http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp
     - (Note that the URLs should be entered as one line; they are wrapped here for readability.)

26. References: Microsoft Knowledge Base Articles
   - Q311184, "HOW TO: Perform Security Planning for Internet Information Services 5.0"
   - Q161990, "How to Enable Strong Password Functionality in Windows NT"
   - Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"

27. Thank you for joining us for today's Microsoft Support WebCast.
   For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/
   We sincerely appreciate your feedback. Please send any comments or suggestions about the Support WebCasts to [email_address].