Microsoft Exchange 2000 Server Connectivity Through a Firewall

Linden Goffar, Microsoft Product Support

Transcript of Microsoft Exchange 2000 Server Connectivity Through a Firewall

Page 1: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Microsoft Exchange 2000 Server Connectivity Through a Firewall

Linden Goffar, Microsoft Product Support Professional

Page 2: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Agenda

• Microsoft® Exchange 2000 security basics
• What is a firewall?
• Firewall placement, network infrastructure
• Clients and client protocols
• Configuring firewalls for Exchange 2000 connectivity

Page 3: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Exchange 2000 Security Basics

• Stay up-to-date on patches
• Harden your servers (using white papers, checklists, and tools such as IISLockdown and URLScan)
• Protect your passwords
• Know your access points
• Protect your network

• http://windowsupdate.microsoft.com/

• http://www.microsoft.com/security/

Page 4: Microsoft Exchange 2000 Server Connectivity Through a Firewall

What Is a Firewall? In the Context of This Discussion

• Port filtering router: drops or rejects packets based on port, destination address, and source address

Is this a reasonable definition of a firewall?
• Because we are primarily discussing configuration, yes.
• If this were a full discussion on security, probably not.

Page 5: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Firewall Placement: Basic Network Infrastructure Options

• Brief introduction to front-end, back-end topology
• Single firewall or front-end server behind the firewall
• Perimeter network (also known as demilitarized zone or DMZ) or extranet
• Adding Microsoft Internet Security and Acceleration (ISA) Server to the mix

Page 6: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Brief Discussion on FE-BE

What is a front-end (FE) server?
• Proxies client requests to back-end (BE) servers
• Only applies to HTTP, IMAP, and POP3 clients (not MAPI or SMTP)

Why implement FE-BE?
• Single namespace
• Single access point

http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp

Page 7: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Single Firewall / Front-End Server Behind the Firewall

[Diagram: HTTP, IMAP or POP3 client on the Internet; Firewall; Exchange 2000 Front-End Server; Exchange 2000 Back-End Servers; Active Directory Global Catalog Servers. Two variants are shown ("or"): a single firewall, or the front-end server placed behind the firewall.]

Page 8: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Perimeter Network or Extranet

[Diagram: HTTP, IMAP or POP3 client on the Internet; Firewall; Exchange 2000 Front-End Server; Firewall; Exchange 2000 Back-End Servers; Active Directory Global Catalog Servers.]

Page 9: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Adding ISA to the Mix

[Diagram: HTTP, IMAP or POP3 client on the Internet; Internet Security and Acceleration Server (ISA); Firewall; Exchange 2000 Front-End Server; Exchange 2000 Back-End Servers; Active Directory Global Catalog Servers. Two variants are shown ("or").]

Page 10: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Clients

This is any piece of software that makes an inbound connection to an Exchange 2000 server.

An Exchange 2000 server can also act as a client, when forwarding or relaying SMTP messages outbound or internal.

Page 11: Microsoft Exchange 2000 Server Connectivity Through a Firewall

MAPI Clients: Outlook, Outlook Web Access 5.5 Servers

• End Point Mapper: TCP 135; Client -> DCs and Exchange servers
• NSPI or Directory Service: TCP port dynamically assigned (can be statically mapped in the registry); Client -> DCs and Exchange servers

Q305572, “OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation”
Q270836, “XCLN: Exchange 2000 Static Port Mappings”

Page 12: Microsoft Exchange 2000 Server Connectivity Through a Firewall

MAPI Clients (2): Outlook, Outlook Web Access 5.5 Servers

• Information Store: TCP port dynamically assigned (can be statically mapped in the registry); Client -> Exchange Mailbox and Public Folder Servers
• Outbound UDP (push notification): can configure polling instead

Q305572, “OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation”
Q270836, “XCLN: Exchange 2000 Static Port Mappings”

Page 13: Microsoft Exchange 2000 Server Connectivity Through a Firewall

HTTP/HTTPS: Web Browsers

• HTTP: TCP 80; Client -> Exchange servers
• HTTPS: TCP 443; Client -> Exchange servers

Page 14: Microsoft Exchange 2000 Server Connectivity Through a Firewall

SMTP Clients and External Servers

• SMTP: TCP 25; Client -> Exchange servers; External SMTP gateways <-> Exchange servers

Page 15: Microsoft Exchange 2000 Server Connectivity Through a Firewall

POP3 and IMAP Clients

• POP3: TCP 110, or TCP 995 for POP3 over SSL; Client -> Exchange servers
• IMAP: TCP 143, or TCP 993 for IMAP over SSL; Client -> Exchange servers

Page 16: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers: In a Perimeter Network in Front of a Firewall

• DNS: TCP/UDP 53; FE -> DNS Servers
• LDAP: TCP/UDP 389, TCP 3268; FE -> Domain Controllers, Global Catalog Servers
• End Point Mapper (RPC): TCP 135; FE -> Domain Controllers and Exchange BE servers
• NTDS: TCP port dynamically assigned (can be statically mapped in the registry); FE -> Domain Controllers, Global Catalog Servers

Page 17: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers (2): In a Perimeter Network in Front of a Firewall

• Kerberos Authentication: TCP/UDP 88; FE -> Domain Controllers
• Server message block (SMB) for Netlogon: TCP 445; FE -> Domain Controllers
• NTP (not a requirement): TCP 123; FE -> Time Server

Page 18: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers (3): In a Perimeter Network in Front of a Firewall

• Link State Algorithm routing (required for SMTP): TCP 691; FE -> Other Exchange servers
• HTTP to back-end servers: TCP 80; FE -> BE Servers
• POP3 to back-end servers: TCP 110; FE -> back-end servers

Q280132, “XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls”

Page 19: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers (4): In a Perimeter Network in Front of a Firewall

• IMAP to back-end servers: TCP 143, or TCP 993 for IMAP over SSL; FE -> back-end servers
• SMTP: TCP 25; FE <-> Other Exchange servers

Q280132, “XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls”
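The FE-to-internal flows from the four slides above, as an added example that is not part of the original deck: a small Python checker that takes a constructed first-match rule set and reports which required flows are allowed, which are blocked, and which cannot be judged until the dynamic NTDS RPC port has been statically mapped. The port list is the deck's; the rule format, the sample rules and the static port 1600 are assumptions for illustration.

```python
# Flows a perimeter-network front-end (FE) Exchange 2000 server needs to reach
# internal servers, as listed on slides 16-19: (name, proto, port, destination).
# "dynamic" marks the NTDS RPC port, assigned at run time unless statically
# mapped in the registry (Q270836).
REQUIRED_FE_FLOWS = [
    ("DNS", "tcp", 53, "DNS servers"), ("DNS", "udp", 53, "DNS servers"),
    ("LDAP", "tcp", 389, "DCs/GCs"), ("LDAP", "udp", 389, "DCs/GCs"),
    ("LDAP GC", "tcp", 3268, "GCs"), ("RPC endpoint mapper", "tcp", 135, "DCs/BE servers"),
    ("NTDS (RPC)", "tcp", "dynamic", "DCs/GCs"),
    ("Kerberos", "tcp", 88, "DCs"), ("Kerberos", "udp", 88, "DCs"),
    ("SMB/Netlogon", "tcp", 445, "DCs"), ("Link state routing", "tcp", 691, "other Exchange servers"),
    ("HTTP to BE", "tcp", 80, "BE servers"), ("POP3 to BE", "tcp", 110, "BE servers"),
    ("IMAP to BE", "tcp", 143, "BE servers"), ("SMTP", "tcp", 25, "other Exchange servers"),
]

# Constructed rule model: (action, proto, low_port, high_port), evaluated
# first-match for FE -> internal traffic, with an implicit deny at the end.
def permitted(rules, proto, port):
    for action, rproto, low, high in rules:
        if rproto == proto and low <= port <= high:
            return action == "allow"
    return False

def check_fe_flows(rules, static_rpc_port=None):
    """Classify each required flow as allowed, blocked or unresolved; the
    NTDS flow stays unresolved unless a static RPC port has been mapped."""
    result = {"allowed": [], "blocked": [], "unresolved": []}
    for name, proto, port, dest in REQUIRED_FE_FLOWS:
        if port == "dynamic":
            if static_rpc_port is None:
                result["unresolved"].append(name)
                continue
            port = static_rpc_port
        key = "allowed" if permitted(rules, proto, port) else "blocked"
        result[key].append(f"{name} {proto}/{port} -> {dest}")
    return result

def wide_allows(rules, max_span=1):
    """Allow rules spanning more than max_span ports, e.g. a blanket high-port
    range opened to let dynamic RPC through instead of a static mapping."""
    return [r for r in rules if r[0] == "allow" and r[3] - r[2] + 1 > max_span]

# Constructed sample rule set: a first cut that forgot Kerberos over UDP, SMB
# and link-state routing, and opened the whole high range for RPC.
SAMPLE_RULES = [
    ("allow", "tcp", 53, 53), ("allow", "udp", 53, 53),
    ("allow", "tcp", 389, 389), ("allow", "udp", 389, 389),
    ("allow", "tcp", 3268, 3268), ("allow", "tcp", 135, 135),
    ("allow", "tcp", 88, 88), ("allow", "tcp", 80, 80),
    ("allow", "tcp", 110, 110), ("allow", "tcp", 143, 143),
    ("allow", "tcp", 25, 25), ("allow", "tcp", 1024, 65535),
]

if __name__ == "__main__":
    print(check_fe_flows(SAMPLE_RULES, static_rpc_port=1600), wide_allows(SAMPLE_RULES))
```

Once the NTDS port is statically mapped, the blanket 1024-65535 rule flagged by wide_allows can be narrowed to that single port.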

Page 20: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers: Pass Through Authentication for OWA

Allow only Anonymous Authentication on the front-end HTTP virtual directories.

Advantages:
• Does not require RPC ports for authentication
• Allows for somewhat tighter firewall rules

Disadvantages:
• Implicit logon does not work
• User must supply username when logging on: https://<servername>/exchange/<username>
• Cannot use https://<servername>/exchange
• No load balancing of public folder servers
• Server setup and configuration must be performed on the internal LAN

Page 21: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers: IPSec Between FE and Internal Servers

IPSec creates a secure tunnel between FE servers in a perimeter network and Internal Servers.

The following ports must be open between FE servers and each applicable Internal Server:
• TCP: 50
• TCP: 51
• UDP: 500

Q233256, “How to Enable IPSec Traffic Through a Firewall”

Page 22: Microsoft Exchange 2000 Server Connectivity Through a Firewall

FE Exchange 2000 Servers (2): IPSec Between FE and Internal Servers

By default, Kerberos (TCP/UDP 88) is not secured by IPSec; however, this can be enabled. See Q254728, “IPSec Does Not Secure Kerberos Traffic Between Domain Controllers”.

IPSec secures data such as HTTP, which is otherwise open to sniffing by an attacker on the perimeter network.

Q233256, “How to Enable IPSec Traffic Through a Firewall”

Page 23: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Advantages of Using ISA

• Content filtering
• Application publishing
• MAPI and RPC publishing benefits:
  • Verifies requests are for a valid UUID
  • Opens RPC ports dynamically for valid requests
• Custom content filtering options available

Page 24: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Outbound Communication

TCP/UDP ports: all ports (client/source port not configurable)

How do I secure outbound communications?
• Block all ports not associated with a TCP session
• Application layer filtering
• Forward Proxy (ISA)

What protocols must I allow outbound?
• Exchange servers: SMTP and DNS
• Domain controllers: None
• Internal clients: HTTP, IM, FTP, and so on

Page 25: Microsoft Exchange 2000 Server Connectivity Through a Firewall

References: Web Pages

• http://windowsupdate.microsoft.com/
• http://www.microsoft.com/security/
• Exchange 2000 Front-End and Back-End Topology: http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp
• Configuring and Securing Microsoft Exchange 2000 Server and Clients: http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp

Page 26: Microsoft Exchange 2000 Server Connectivity Through a Firewall

References: Microsoft Knowledge Base Articles

• Q311184, “HOW TO: Perform Security Planning for Internet Information Services 5.0”
• Q161990, “How to Enable Strong Password Functionality in Windows NT”
• Q280132, “XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls”

Page 27: Microsoft Exchange 2000 Server Connectivity Through a Firewall

Thank you for joining us for today’s Microsoft Support WebCast.

For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit: http://support.microsoft.com/webcasts/

We sincerely appreciate your feedback. Please send any comments or suggestions about the Support WebCasts to [email protected].