Post on 30-Jun-2015
Microsoft Exchange 2000 Server Connectivity Through a Firewall
Linden Goffar, Microsoft Product Support Professional
Agenda
• Microsoft® Exchange 2000 security basics
• What is a firewall?
• Firewall placement, network infrastructure
• Clients and client protocols
• Configuring firewalls for Exchange 2000 connectivity
Exchange 2000 Security Basics
• Stay up-to-date on patches
• Harden your servers (using white papers, checklists, and tools such as IISLockdown and URLScan)
• Protect your passwords
• Know your access points
• Protect your network
• http://windowsupdate.microsoft.com/
• http://www.microsoft.com/security/
What Is a Firewall?
In the Context of This Discussion
• Port filtering router
• Drops or rejects packets based on destination port, destination address, and source address
• Is this a reasonable definition of a firewall?
  Because we are primarily discussing configuration, yes.
  If this were a full discussion on security, probably not: a real firewall also tracks session state and can inspect the application layer, both of which come up later under outbound communication and ISA.
Firewall Placement
Basic Network Infrastructure Options
• Brief introduction to front-end, back-end topology
• Single firewall or front-end server behind the firewall
• Perimeter network (also known as demilitarized zone or DMZ) or extranet
• Adding Microsoft Internet Security and Acceleration (ISA) Server to the mix
Brief Discussion on FE-BE
• What is a front-end (FE) server?
  Proxies client requests to back-end (BE) servers
  Only applies to HTTP, IMAP, and POP3 clients (not MAPI or SMTP)
• Why implement FE-BE?
  Single namespace
  Single access point
• http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
Single Firewall / Front-End Server Behind the Firewall
[Diagram: an HTTP, IMAP or POP3 client on the Internet, a firewall, an Exchange 2000 front-end server, two Exchange 2000 back-end servers, and the Active Directory global catalog servers. Two variants are shown ("or"): the front-end server sits either in front of or behind the single firewall.]
Perimeter Network or Extranet
[Diagram: an HTTP, IMAP or POP3 client on the Internet, an outer firewall, the Exchange 2000 front-end server in the perimeter network, an inner firewall, and the Exchange 2000 back-end servers and Active Directory global catalog servers on the internal network.]
Adding ISA to the Mix
[Diagram: the same perimeter-network layout (HTTP, IMAP or POP3 client, Internet, firewalls, Exchange 2000 front-end server, Exchange 2000 back-end servers, Active Directory global catalog servers) with Internet Security and Acceleration (ISA) Server added; the "or" marks the two positions in which ISA can be placed.]
Clients
• This is any piece of software that makes an inbound connection to an Exchange 2000 server.
• An Exchange 2000 server can also act as a client, when forwarding or relaying SMTP messages outbound or internally.
MAPI Clients
Outlook, Outlook Web Access 5.5 Servers
• End Point Mapper
  TCP: 135
  Client -> DCs and Exchange servers
• NSPI or Directory Service
  TCP port dynamically assigned (can be statically mapped in the registry)
  Client -> DCs and Exchange servers
• Q305572, "OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation"
• Q270836, "XCLN: Exchange 2000 Static Port Mappings"
MAPI Clients (2)
Outlook, Outlook Web Access 5.5 Servers
• Information Store
  TCP port dynamically assigned (can be statically mapped in the registry)
  Client -> Exchange mailbox and public folder servers
• Outbound UDP (push notification)
  Server -> Client; can configure polling instead
• Q305572, "OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation"
• Q270836, "XCLN: Exchange 2000 Static Port Mappings"
HTTP/HTTPS
Web Browsers
• HTTP
  TCP: 80
  Client -> Exchange servers
• HTTPS
  TCP: 443
  Client -> Exchange servers
SMTP Clients and External Servers
• SMTP
  TCP: 25
  Client -> Exchange servers
  External SMTP gateways <-> Exchange servers
POP3 and IMAP Clients
• POP3
  TCP: 110, or TCP: 995 for POP3 over SSL
  Client -> Exchange servers
• IMAP
  TCP: 143, or TCP: 993 for IMAP over SSL
  Client -> Exchange servers
FE Exchange 2000 Servers
In a Perimeter Network in Front of a Firewall
• DNS
  TCP/UDP: 53
  FE -> DNS servers
• LDAP
  TCP/UDP: 389, TCP: 3268
  FE -> Domain controllers, global catalog servers
• End Point Mapper (RPC)
  TCP: 135
  FE -> Domain controllers and Exchange BE servers
• NTDS
  TCP port dynamically assigned (can be statically mapped in the registry)
  FE -> Domain controllers, global catalog servers
FE Exchange 2000 Servers (2)
In a Perimeter Network in Front of a Firewall
• Kerberos Authentication
  TCP/UDP: 88
  FE -> Domain controllers
• Server message block (SMB) for Netlogon
  TCP: 445
  FE -> Domain controllers
• NTP (not a requirement)
  UDP: 123
  FE -> Time server
FE Exchange 2000 Servers (3)
In a Perimeter Network in Front of a Firewall
• Link State Algorithm routing (required for SMTP)
  TCP: 691
  FE -> Other Exchange servers
• HTTP to back-end servers
  TCP: 80
  FE -> BE servers
• POP3 to back-end servers
  TCP: 110
  FE -> BE servers
• Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"
FE Exchange 2000 Servers (4)
In a Perimeter Network in Front of a Firewall
• IMAP to back-end servers
  TCP: 143, or TCP: 993 for IMAP over SSL
  FE -> BE servers
• SMTP
  TCP: 25
  FE <-> Other Exchange servers
• Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"
FE Exchange 2000 Servers
Pass Through Authentication for OWA
• Allow only Anonymous Authentication on the front-end HTTP virtual directories
• Advantages:
  Does not require RPC ports for authentication
  Allows for somewhat tighter firewall rules
• Disadvantages:
  Implicit logon does not work
  User must supply the username when logging on: https://<servername>/exchange/<username>
  Cannot use https://<servername>/exchange
  No load balancing of public folder servers
  Server setup and configuration must be performed on the internal LAN
FE Exchange 2000 Servers
IPSec Between FE and Internal Servers
• IPSec creates a secure channel between FE servers in a perimeter network and internal servers.
• The following must be open between FE servers and each applicable internal server:
  IP protocol 50 (ESP)
  IP protocol 51 (AH)
  UDP: 500 (IKE)
  ESP and AH are IP protocol numbers, not TCP ports: a firewall rule written for TCP port 50 or 51 will not pass IPSec traffic.
• Q233256, "How to Enable IPSec Traffic Through a Firewall"
FE Exchange 2000 Servers (2)
IPSec Between FE and Internal Servers
• By default, Kerberos (TCP/UDP: 88) is not secured by IPSec; however, this can be enabled.
  Q254728, "IPSec Does Not Secure Kerberos Traffic Between Domain Controllers"
• Secures data such as HTTP, which is otherwise open to sniffing by an attacker on the perimeter network.
• Q233256, "How to Enable IPSec Traffic Through a Firewall"
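The port lists on the "FE Exchange 2000 Servers" slides and the IPSec requirements on the "IPSec Between FE and Internal Servers" slide, turned into something you can check before cut-over. This is an added example and not part of the webcast: it models the inner firewall as the port-filtering router defined at the start (first match wins, anything unmatched is dropped) and audits a candidate rule set against the flows the front-end server needs. The host addresses, the value chosen for the statically mapped NTDS port (1600) and all function names are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses; the deck names no hosts.
FE = "192.0.2.10"          # front-end server in the perimeter network
DC = "10.0.0.10"           # domain controller that is also a global catalog
BE = "10.0.0.20"           # back-end mailbox server
NTDS_STATIC_PORT = 1600    # assumed value for the statically mapped NTDS port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "esp", "ah" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any port; ESP and AH carry no port at all


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, f: Flow) -> bool:
    if rule.proto not in ("any", f.proto):
        return False
    if ip_address(f.src) not in ip_network(rule.src):
        return False
    if ip_address(f.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == f.dport


def decide(rules: List[Rule], f: Flow) -> str:
    """Port-filtering router semantics: first match wins, unmatched traffic is dropped."""
    for rule in rules:
        if matches(rule, f):
            return rule.action
    return "deny"


def unmet(rules: List[Rule], required: List[Flow]) -> List[Flow]:
    """Required flows the rule set would drop, i.e. what to fix before cut-over."""
    return [f for f in required if decide(rules, f) != "allow"]


def allow(f: Flow) -> Rule:
    return Rule("allow", f.proto, f"{f.src}/32", f"{f.dst}/32", f.dport)


# Flows from the FE Exchange 2000 Servers slides, front-end to internal servers.
REQUIRED = [
    Flow("tcp", FE, DC, 53), Flow("udp", FE, DC, 53),      # DNS
    Flow("tcp", FE, DC, 389), Flow("udp", FE, DC, 389),    # LDAP
    Flow("tcp", FE, DC, 3268),                             # global catalog
    Flow("tcp", FE, DC, 135), Flow("tcp", FE, BE, 135),    # RPC endpoint mapper
    Flow("tcp", FE, DC, NTDS_STATIC_PORT),                 # NTDS, statically mapped
    Flow("tcp", FE, DC, 88), Flow("udp", FE, DC, 88),      # Kerberos
    Flow("tcp", FE, DC, 445),                              # SMB for Netlogon
    Flow("udp", FE, DC, 123),                              # NTP (optional)
    Flow("tcp", FE, BE, 691),                              # link state routing
    Flow("tcp", FE, BE, 80), Flow("tcp", FE, BE, 110),     # HTTP and POP3 to back-end
    Flow("tcp", FE, BE, 143), Flow("tcp", FE, BE, 25),     # IMAP and SMTP
]

# IPSec between FE and an internal server: ESP and AH are IP protocols 50 and 51,
# matched by protocol number rather than port, and IKE is UDP 500.
IPSEC_REQUIRED = [Flow("esp", FE, DC), Flow("ah", FE, DC), Flow("udp", FE, DC, 500)]


def perimeter_rules() -> List[Rule]:
    rules = [allow(f) for f in REQUIRED + IPSEC_REQUIRED]
    rules.append(Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"))  # explicit default deny
    return rules


def literal_tcp_50_51_rules() -> List[Rule]:
    """The slide's 'TCP: 50 / TCP: 51' taken literally: ports, not protocols."""
    rules = [allow(f) for f in REQUIRED]
    rules += [allow(Flow("tcp", FE, DC, 50)), allow(Flow("tcp", FE, DC, 51)),
              allow(Flow("udp", FE, DC, 500))]
    return rules


if __name__ == "__main__":
    print("correct rule set, unmet:", unmet(perimeter_rules(), REQUIRED + IPSEC_REQUIRED))
    print("tcp 50/51 rule set, unmet:", unmet(literal_tcp_50_51_rules(), IPSEC_REQUIRED))
```

Running it shows the correct rule set leaves nothing unmet, while the rule set that opens TCP ports 50 and 51 still drops ESP and AH, which is exactly the failure you see when the phase 1 IKE exchange on UDP 500 succeeds but no data ever flows over the security association.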
Advantages of Using ISA
• Content filtering
• Application publishing
• MAPI and RPC publishing benefits
  Verifies requests are for a valid UUID
  Opens RPC ports dynamically for valid requests
  Custom content filtering options available
Outbound Communication
• TCP/UDP ports
  All ports (client/source port not configurable)
• How do I secure outbound communications?
  Block all inbound packets not associated with a TCP session the internal side initiated (stateful filtering), instead of trying to filter on the unpredictable client source port
  Application layer filtering
  Forward proxy (ISA)
• What protocols must I allow outbound?
  Exchange servers: SMTP and DNS
  Domain controllers: none
  Internal clients: HTTP, IM, FTP, and so on
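An added example, not from the webcast, of the stateful filtering the "Outbound Communication" slide recommends, and of why the MAPI UDP push notification on the "MAPI Clients (2)" slide does not survive it (Q305572 describes the same effect with NAT). Inside hosts may open sessions to anything; packets from outside are admitted only when they belong to a session the inside opened, keyed on the full 5-tuple, so the uncontrollable client source port never has to appear in a rule. The addresses, ephemeral ports and the static information store port (2600) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN, i.e. a connection attempt; ignored for UDP


class StatefulFilter:
    """Allow anything the inside initiates and only the matching replies back in."""

    def __init__(self, inside_cidr: str):
        self.inside = ip_network(inside_cidr)
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def handle(self, p: Pkt) -> str:
        if ip_address(p.src) in self.inside:
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            # UDP has no handshake, so its first datagram opens state; TCP needs a SYN.
            if p.proto == "udp" or p.syn or key in self.sessions:
                self.sessions.add(key)
                return "allow"
            return "deny"   # stray TCP segment for a connection we never saw
        if p.proto == "tcp" and p.syn:
            return "deny"   # the outside may never open a connection inward
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "allow" if key in self.sessions else "deny"


def demo() -> dict:
    fw = StatefulFilter("10.0.0.0/8")
    client = "10.1.1.5"        # constructed: Outlook client on the internal LAN
    web = "198.51.100.7"       # constructed: external web server
    mail = "198.51.100.9"      # constructed: Exchange server on the far side of the filter
    store_port = 2600          # assumed statically mapped information store port (Q270836)
    results = {}
    # Internal client opens HTTP outbound; the reply matches the tracked session.
    results["http_syn"] = fw.handle(Pkt("tcp", client, 49152, web, 80, syn=True))
    results["http_reply"] = fw.handle(Pkt("tcp", web, 80, client, 49152))
    # Outside host tries to open SMB to the client: no session, dropped.
    results["inbound_syn"] = fw.handle(Pkt("tcp", web, 4444, client, 445, syn=True))
    # MAPI new-mail push: the store sends UDP to a port the client registered over RPC.
    # Nothing on the inside opened that flow, so the filter drops it (Q305572).
    results["udp_push"] = fw.handle(Pkt("udp", mail, 1100, client, 50000))
    # Polling instead: the client asks the store over a session it opened itself,
    # so the answer comes back on a tracked 5-tuple.
    results["poll"] = fw.handle(Pkt("tcp", client, 49153, mail, store_port, syn=True))
    results["poll_reply"] = fw.handle(Pkt("tcp", mail, store_port, client, 49153))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The same model explains the deck's recommendation to configure polling: push notification is a server-initiated UDP datagram with no session behind it, and no amount of port rules fixes that without reopening the client side to the whole Internet.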
References
Web Pages
• http://windowsupdate.microsoft.com/
• http://www.microsoft.com/security/
• Exchange 2000 Front-End and Back-End Topology: http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
• Configuring and Securing Microsoft Exchange 2000 Server and Clients: http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp
References
Microsoft Knowledge Base Articles
• Q311184, "HOW TO: Perform Security Planning for Internet Information Services 5.0"
• Q161990, "How to Enable Strong Password Functionality in Windows NT"
• Q280132, "XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls"
Thank you for joining us for today's Microsoft Support WebCast.
For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit: http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.