And even after opening those ports it's entirely possible you'd experience a greater number of dropped UDP new mail notifications with that connection method than you would with VPN (at least that's been my experience).

Chris

--
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage!

> -----Original Message-----
> From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 9:11 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> Well I believe I'm finally starting to understand. Even if we opened up
> the ports as described in FAQ 3.24 and assigned static ports on the
> Exchange server for the DS and IS, it would also be necessary to open
> the UDP ports 1024-65535 up for clients to get notified of new mail.
>
> Don't get me wrong. I'm still leaning toward requiring the VPN client,
> but I need to ensure I have all the information for the
> networking/security group.
>
> -----Original Message-----
> From: Stephen Mynhier [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 2:06 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> You can set some of the ports as static (IS, DS, MTA, etc.), but you
> cannot assign a static port to UDP Push Notification. If ports >1024
> are blocked, your Outlook clients might be able to send and receive
> mail just fine, but the blocked Push will prevent the view from
> refreshing. This results in the APPEARANCE that mail is not coming in
> until you change folders, mail not leaving the outbox, etc.
>
> Stephen
>
> -----Original Message-----
> From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 2:24 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> Maybe I didn't understand the post. I believe you can, especially if
> you're behind a firewall. Refer to Q148732.
>
> XADM: Setting TCP/IP Port Numbers for Internet Firewalls [Q148732]
>
>
> -----Original Message-----
> From: Stephen Mynhier [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 3:16 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> You cannot make that static. That range that you listed is for the UDP
> Push Notification from the Exchange server to the client. It is a
> randomly selected (by the client) UDP port above 1024. The Exchange
> server uses this to send the new mail notification (refresh command)
> to the client.
>
> Stephen
>
> -----Original Message-----
> From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 1:46 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> Went through TechNet and couldn't find any reference to the actual
> range. Found the articles on how to make it static, but no range. Also
> posted that question on the list asking about the range and I don't
> recall anyone stating what it was. The MS tech I talked to had to
> place me on hold 3 times to get the answer.
>
> -----Original Message-----
> From: Don Ely [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 12:56 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> You could have searched the MSKB and figured that out. There's plenty
> of documentation out there...
>
> -----Original Message-----
> From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 10:00 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> Just a note to everyone. We called Microsoft and inquired what the
> range for the two random ports were that Exchange allocates to the
> client once it connects to a socket. According to Microsoft the range
> is from 1,024 to 64,000.
>
> -----Original Message-----
> From: Don Ely [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 10:16 AM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> No security consultant I know is going to open holes in the network
> from the DMZ to the Internal network. Being proficient in both Exchange
> and Security, I feel sorry for your clients if you suggest the model
> you propose below to them.
>
> I think you ought to study up on security some more...
>
> If you open holes from the DMZ to the internal LAN, why in the hell do
> you have a DMZ? You've made the DMZ virtually pointless. Or did your
> teacher or book you read say something different? If it were a book
> that told you to configure things this way, please send me the ISBN
> number, I really wanna read that book. Apparently, I've been taking the
> wrong approach for years now.
>
> I happen to know of a company who has the same model you describe.
> After I showed them the security issues, they were desiring a change
> for the better immediately.
>
> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 17, 2001 5:47 PM
> To: Exchange Discussions
> Subject: RE: Firewall and Exchange Ports.
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > -----Original Message-----
> > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 16, 2001 9:55 PM
> >
> > Don't bother. Use a proxy server and publish OWA. Or require SSL and
> > open port 443. Or implement a VPN. I still think putting an Exchange
> > front-end server in a DMZ is kind of silly. Not as silly with
> > Exchange 2000 as with Exchange 5.5, but silly nonetheless.
>
> Ed,
>
> I don't find this silly at all. Let me try to clarify:
>
> Scenario A:
>
> You have an Internet connection coming to a firewall. Behind the
> firewall in your internal network you have an Exchange server. You also
> have a web server (maybe on the same box, maybe a different box). You
> allow HTTPS traffic through the firewall to the web server in the LAN.
>
> Scenario B:
>
> You have an Internet connection coming to a firewall. Behind the
> firewall in your internal network you have an Exchange server. In a DMZ
> segment (which can be a third network card in the firewall, or a
> segment between two firewalls) you have a web server. HTTPS traffic is
> allowed to the web server, and required ports (say, RPC, NetBIOS,
> InfoStore, Directory) are allowed from the web server through the
> firewall to the Exchange server.
>
>
> Scenario A has the following disadvantages:
> If your web server gets compromised, the hacker is in your internal
> network. You have no means of further restricting access (besides
> shutting the server down). Intrusion Detection is almost impossible on
> the SSL session (unless you terminate SSL on a proxy and go clear text
> from there). So a compromise can easily go undetected, and the intruder
> can probe your network and advance access. The primary intrusion
> containment is all of your internal network.
>
> In Scenario B you have the following advantages:
> If your web server gets compromised, the hacker can access everything
> in the DMZ. He will have to discover the address of the Exchange server
> (which can be made hard through proper host hardening). Once he has
> that he can attack the Exchange server, but using Exchange as another
> stepping stone to gain access to the rest of your network can again be
> very hard. All those 'hard' items will buy you time. In addition,
> Intrusion Detection in the DMZ can quickly alert you if it sees
> 'strange' traffic coming from the web server (say FTP connections, port
> scans, etc). The primary intrusion containment is only the DMZ.
>
> We can even go a step further. Using a host or network based IDS
> system, you can potentially reconfigure the firewall in an automated
> fashion to disallow any access from/to the web server in the DMZ. Now
> even the allowed ports are closed, and the attacker has no way into
> your network.
>
>
> Scenario B buys you time and has far greater potential of protecting
> your internal network.
>
> Now, I'm primarily a security consultant, and less of an Exchange
> consultant, so I may look at this differently than the average Exchange
> Admin and mail list member. Reading comments like 'placing OWA into the
> internal network can secure your DMZ' and 'OWA in the DMZ opens you
> more up than OWA in your internal network' just makes me scream since
> from a security perspective, they are completely wrong.
>
> If anyone wants to seriously discuss this further in a professional
> manner, please email me offline as I'm not going to enter a silly
> discussion with armchair security 'experts' on the list.
>
> Best regards,
> Frank
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: PGP or S/MIME (X.509) encrypted email preferred.
>
> iQA/AwUBO84mfpytSsEygtEFEQLS6gCgh9p15rpWGqhxhV91v1t55j3Fy3kAoJyp
> HALyTWGaYQB8Ihjqgx1hWG71
> =ooG7
> -----END PGP SIGNATURE-----
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
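The argument Frank Knobbe makes in the thread (Scenario A: web server on the internal LAN; Scenario B: web server in a DMZ with only the required ports opened towards Exchange, plus an IDS-triggered firewall quarantine) can be checked with a small reachability model of the firewall rule base. The example below is added here and is not code from the thread or from any of its participants; the host names, zones and the port numbers used for the "required ports" between the web server and Exchange are constructed for illustration (the static IS/DS ports in particular are assumed values, not ones the thread states). It computes what a foothold on the web server can reach in each topology, and what remains reachable after the firewall is told to deny all traffic from/to that host.

```python
"""Constructed reachability model for the two OWA placements discussed above.

Host names, zones and port numbers are assumptions for illustration only.
"""
from dataclasses import dataclass

ANY = "*"
ANY_PORT = 0


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    services: frozenset  # {(proto, port), ...} the host listens on


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule between two zones (default policy is deny)."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    proto: str
    port: int

    def matches(self, src, dst, proto, port):
        return (self.src_zone == src.zone and self.src_host in (ANY, src.name)
                and self.dst_zone == dst.zone and self.dst_host in (ANY, dst.name)
                and self.proto == proto and self.port in (ANY_PORT, port))


@dataclass(frozen=True)
class Policy:
    hosts: tuple
    rules: tuple
    blocked: frozenset = frozenset()  # hosts the firewall has quarantined

    def host(self, name):
        return next(h for h in self.hosts if h.name == name)

    def allows(self, src, dst, proto, port):
        # Hosts on the same segment talk directly; the firewall never sees it.
        if src.zone == dst.zone:
            return True
        # A quarantined host gets no cross-zone traffic in either direction.
        if src.name in self.blocked or dst.name in self.blocked:
            return False
        return any(r.matches(src, dst, proto, port) for r in self.rules)


def exposed_services(policy, foothold):
    """Services an attacker on `foothold` can reach, keyed by host name."""
    src = policy.host(foothold)
    reach = {}
    for dst in policy.hosts:
        if dst.name == foothold:
            continue
        open_ports = {s for s in dst.services if policy.allows(src, dst, *s)}
        if open_ports:
            reach[dst.name] = open_ports
    return reach


def blast_radius(policy, foothold):
    """Names of the hosts with at least one service reachable from `foothold`."""
    return sorted(exposed_services(policy, foothold))


def quarantine(policy, host_name):
    """IDS-triggered response: the firewall denies all traffic from/to one host."""
    return Policy(policy.hosts, policy.rules, policy.blocked | {host_name})


# --- constructed hosts; the Exchange ports below are assumed, not from the thread ---
EXCHANGE_PORTS = frozenset({("tcp", 135),   # RPC endpoint mapper
                            ("tcp", 1025),  # Information Store, assumed static port
                            ("tcp", 1026),  # Directory Service, assumed static port
                            ("tcp", 139)})  # NetBIOS session
INTERNET = Host("internet", "internet", frozenset())
EXCHANGE = Host("exchange", "lan", EXCHANGE_PORTS | {("tcp", 25)})
FILESERVER = Host("fileserver", "lan", frozenset({("tcp", 139)}))
WORKSTATION = Host("workstation", "lan", frozenset({("tcp", 139)}))

# Scenario A: web server on the internal LAN, HTTPS allowed in from the Internet.
OWA_A = Host("owa", "lan", frozenset({("tcp", 443)}))
SCENARIO_A = Policy(
    hosts=(INTERNET, OWA_A, EXCHANGE, FILESERVER, WORKSTATION),
    rules=(Rule("internet", ANY, "lan", "owa", "tcp", 443),),
)

# Scenario B: web server in a DMZ; only the required ports opened to Exchange.
OWA_B = Host("owa", "dmz", frozenset({("tcp", 443)}))
RELAY = Host("smtp-relay", "dmz", frozenset({("tcp", 25)}))
SCENARIO_B = Policy(
    hosts=(INTERNET, OWA_B, RELAY, EXCHANGE, FILESERVER, WORKSTATION),
    rules=(Rule("internet", ANY, "dmz", "owa", "tcp", 443),)
    + tuple(Rule("dmz", "owa", "lan", "exchange", p, port)
            for p, port in sorted(EXCHANGE_PORTS)),
)

if __name__ == "__main__":
    for label, pol in (("A", SCENARIO_A), ("B", SCENARIO_B),
                       ("B after quarantine", quarantine(SCENARIO_B, "owa"))):
        print(label, exposed_services(pol, "owa"))
```

Running it shows the containment boundary the thread argues about: in Scenario A a compromised web server sees every service on every LAN host (nothing in the path is a firewall), in Scenario B it sees the other DMZ host plus only the listed Exchange ports, and after the quarantine step the Exchange ports close too while the Internet-facing HTTPS rule is also dropped, so the same model exposes the cost of that response (the OWA service is down until the host is cleaned).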