> How can I connect to Exchange over the Internet?
> The Exchange server is behind a firewall that has a static NATted public IP address.
> I am trying to connect to it from home. What ports need to be opened?
A lot of responses; however, I just wanted to expand on this question.

There are two issues here: Connectivity and Security.
You need to decide how you will allow your remote clients to connect to your Exchange server. This may also be dictated by other needs... but overall you will have 3 options for this:

a. Outlook Client
b. Outlook Express (or other email client) using SMTP and POP3
c. Outlook Web Access (OWA)
For the security issue, you need to make sure you properly secure what you need to do. This involves using the firewall to protect your Exchange server by only allowing the specific ports required for the connectivity. In addition, you need to ensure proper authentication/encryption of the communications between the Exchange server and your remote clients.
-= Connectivity =-

1. Outlook Client

Outlook works in client/server mode to access email on the Exchange server (i.e. Outlook is a front end to the "email database" on the Exchange server). The following briefly describes the session setup:

a. Outlook will initially connect to the Exchange server on TCP port 135.
b. Upon the session setup over TCP port 135 between the Outlook client and the Exchange server, the Exchange server selects two random high ports (one for the Directory Service and one for the Information Store).
c. The Exchange server notifies the Outlook client to connect (to the Exchange server) using the two high ports.
d. The Outlook client connects to the Exchange server using the two high ports.
This of course will cause a problem when there are packet filters or firewalls involved. By default, your firewall will drop these packets. To get this working without modifications you will need to allow TCP:135 and all high ports through your firewall to your Exchange server. Of course, you should not allow high ports to your Exchange server.
To work around this issue, you can force the Exchange server to only use two high ports you set in the NT Registry. This way, the Exchange server will always use these two ports for all Outlook clients. This workaround is documented in Microsoft's article at:
(You can also search for article Q155831 on Microsoft's Knowledge Base)

A brief note on the workaround is:
1. open regedit
2. go to System\CurrentControlSet\Services\MSExchangeDS\Parameters
3. make a new entry of type DWORD
4. set the name to "TCP/IP Port"
5. set the value to a port greater than 1024 (> 1024). It is recommended not to use ports right above 1024. So use something like 34567, etc.
6. Next, go to System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
7. make a new entry of type DWORD
8. set the name to "TCP/IP Port"
9. set the value to a port greater than 1024 (> 1024). Again, use something like 34568, etc.
10. close regedit.
(Note: when entering the port numbers, select decimal if you will enter decimal numbers; otherwise, if it is set to hex, use hex numbers)

You will need to reboot the Exchange server for this to take effect.
So, let's say you chose to use 34567 and 34568. Now, you will need a rule like the following on the firewall:

(ANY) (Exchange_server) (TCP:135, TCP:34567, TCP:34568) (ACCEPT) (LONG)
2. SMTP / POP3

If you don't want to or can't use Outlook, you can use SMTP and POP3. This way, users will use SMTP to send email, and POP3 to receive their email. Once you set the proper settings on Exchange, you would need a rule like the following:

(ANY) (Exchange_server) (TCP:25, TCP:110) (ACCEPT) (LONG)

Keep in mind that if you are using the SMTP Security Server, and the "to:" field in your SMTP Resource object is set to only your email domains, remote users will not be able to relay email to other domains. You will need to work around this...
3. Outlook Web Access (OWA)

Your other option is to use Outlook Web Access. OWA is a web based front-end to access email on the Exchange server. OWA requires Internet Information Server (IIS). You "can" deploy OWA on the same server as the Exchange server, however doing so would be very risky. It is recommended to use a separate server, deployed in a DMZ network segment, for OWA.

You can also encrypt the connectivity between the users and your server via SSL. This helps secure the communications. The issue with OWA is mainly IIS. Remember to patch IIS for all the known vulnerabilities, etc.

Your rule for this access will look something like so:

(ANY) (OWA_server) (TCP:80 or TCP:443) (ACCEPT) (LONG)
-= Security =-

With the connectivity aside, you have to remember security. Looking back at the example rules you will notice many things wrong with this infrastructure. To note, here are some examples:

- Anyone on the Internet has access to ports opened to the destination server(s)
- Weak Authentication
- Communications prone to eavesdropping / tampering
- Session Hijacking

For these issues, you can use client-to-site VPN solutions and strong authentication or PKI to better secure your systems to only allow appropriate and authorized individuals to access your systems.
Also, always remember that the firewall will only protect the perimeter of your network - i.e. keep unwanted and unallowed traffic from entering your network. However, any traffic you do allow to your network is a potential threat! The firewall will not provide host based security to the internal servers.

- Have policies and procedures in place to cover all cycles of security
- Always harden any system you will allow traffic to. There are many resources out there for nearly all Operating Systems/Applications.
- Enable auditing/logging of specific events to allow you to monitor all activity
- Use Intrusion Detection Systems (IDS)
- With prevention in place, be able to Detect and Respond
Patches only work when applied. Detection and Response are very critical stages of the security cycle. You can find in-depth explanations on this and the notion of the dynamic nature of the "Window of Vulnerability" as discussed by security experts such as Bruce Schneier (http://www.counterpane.com).

Hope this answered your question, and I hope this raised more questions... =)

Amin Tora, CISSP
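Added example, not part of Amin's post and not code from Exchange or FireWall-1: a small Python linter for the rules written in the post's own "(SOURCE) (DESTINATION) (SERVICES) (ACTION) (TRACK)" notation, plus helpers for the pinned DS/IS registry ports. It checks the points the Security section raises against the three example rules: a source of ANY, a whole high-port range opened instead of two pinned ports, and cleartext services where the post gives an SSL alternative. Assumptions made here: "right above 1024" is taken to mean within 1024 ports of 1024, POP3 is assumed to be TCP:110, and the sample rule lines at the bottom are constructed for the demonstration.

```python
"""Linter for firewall rules in the post's notation and for the pinned Exchange ports.
Added example; the rule notation is the post's, the checks follow its Security section."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIGH_PORT_FLOOR = 1024   # the post: a pinned port must be greater than 1024
HIGH_PORT_MARGIN = 1024  # assumption: "right above 1024" means within this many ports

# Cleartext service -> encrypted alternative named in the post (None = no alternative given).
# TCP:80 -> TCP:443 comes from the OWA section; flagging TCP:110 (POP3) is an assumption
# based on the Security section's eavesdropping warning.
CLEARTEXT_SERVICES: Dict[str, Optional[str]] = {"TCP:80": "TCP:443", "TCP:110": None}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    services: Tuple[str, ...]
    action: str
    track: str


_FIELD_RE = re.compile(r"\(([^()]*)\)")


def parse_rule(text: str) -> Rule:
    """Parse one rule line; services may be separated by commas or the word 'or'."""
    fields = [f.strip() for f in _FIELD_RE.findall(text)]
    if len(fields) != 5:
        raise ValueError(f"expected 5 parenthesised fields, got {len(fields)}: {text!r}")
    src, dst, services, action, track = fields
    svc = tuple(s.strip() for s in re.split(r",|\bor\b", services) if s.strip())
    return Rule(src, dst, svc, action, track)


def _port_span(service: str) -> Optional[Tuple[int, int]]:
    """(low, high) for 'TCP:135' or 'TCP:1024-65535'; None for 'ANY' or anything unparsable."""
    m = re.fullmatch(r"(?:TCP|UDP):(\d+)(?:-(\d+))?", service, re.IGNORECASE)
    if not m:
        return None
    low = int(m.group(1))
    return low, int(m.group(2) or low)


def audit_rule(rule: Rule) -> List[str]:
    """Problems the post's Security section would raise against an ACCEPT rule."""
    findings: List[str] = []
    if rule.action.upper() != "ACCEPT":
        return findings  # a drop/reject rule exposes nothing
    if rule.src.upper() == "ANY":
        findings.append("source ANY: anyone on the Internet can reach the opened ports; "
                        "restrict to a client-to-site VPN or known addresses")
    upper_services = {s.upper() for s in rule.services}
    for svc in rule.services:
        span = _port_span(svc)
        if span is None:
            findings.append(f"service {svc}: all ports exposed; open only the ports required")
        elif span[0] != span[1] and span[1] > HIGH_PORT_FLOOR:
            findings.append(f"high port range {svc} exposed: pin the DS/IS ports in the "
                            "registry and open only those two plus TCP:135")
        if svc.upper() in CLEARTEXT_SERVICES:
            alt = CLEARTEXT_SERVICES[svc.upper()]
            if alt is None or alt not in upper_services:
                fix = f"use {alt} (SSL) instead" if alt else "carry it inside a VPN"
                findings.append(f"cleartext service {svc}: prone to eavesdropping/tampering; {fix}")
    return findings


def validate_pinned_port(port: int) -> Tuple[bool, str]:
    """Check a port chosen for the MSExchangeDS / MSExchangeIS 'TCP/IP Port' DWORD."""
    if not 1 <= port <= 65535:
        return False, "not a valid TCP port"
    if port <= HIGH_PORT_FLOOR:
        return False, f"port must be greater than {HIGH_PORT_FLOOR}"
    if port <= HIGH_PORT_FLOOR + HIGH_PORT_MARGIN:
        return True, "usable, but the post advises against ports right above 1024"
    return True, "ok"


def dword_values(port: int) -> Dict[str, str]:
    """Both renderings of the DWORD, so the value matches whichever base regedit is set to."""
    return {"decimal": str(port), "hex": format(port, "x")}


def rule_for_pinned_ports(ds_port: int, is_port: int, dst: str = "Exchange_server") -> str:
    """The firewall rule the post derives once the two ports are pinned."""
    for p in (ds_port, is_port):
        ok, why = validate_pinned_port(p)
        if not ok:
            raise ValueError(f"{p}: {why}")
    return f"(ANY) ({dst}) (TCP:135, TCP:{ds_port}, TCP:{is_port}) (ACCEPT) (LONG)"


if __name__ == "__main__":
    # Constructed samples: the "all high ports" variant the post warns against, then its three rules.
    samples = [
        "(ANY) (Exchange_server) (TCP:135, TCP:1024-65535) (ACCEPT) (LONG)",
        rule_for_pinned_ports(34567, 34568),
        "(ANY) (Exchange_server) (TCP:25, TCP:110) (ACCEPT) (LONG)",
        "(ANY) (OWA_server) (TCP:80 or TCP:443) (ACCEPT) (LONG)",
    ]
    for line in samples:
        print(line)
        for finding in audit_rule(parse_rule(line)):
            print("   !", finding)
    print("registry DWORD for 34567:", dword_values(34567))
```

Run it as-is to see the post's own rules flagged for the reasons its Security section lists; swap the source field from ANY to a VPN address pool and the first finding on each rule disappears, which is the change the post recommends.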
