1 / 9

Configuring your Firewall for Exchange 2003 and SP2 Changes

Presented August 14, 2007 at NYExUG Meeting. Configuring your Firewall for Exchange 2003 and SP2 Changes. Ben Serebin Network Consultant REEF Solutions ben a t reefsolutions . c o m. Overview. Exchange 2003 Protocols Firewall Configuration for Exchange 2003 Protocols

step
Télécharger la présentation

Configuring your Firewall for Exchange 2003 and SP2 Changes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Presented August 14, 2007 at NYExUG Meeting Configuring your Firewall for Exchange 2003 and SP2 Changes Ben SerebinNetwork ConsultantREEF Solutionsben a t reefsolutions . c o m

  2. Overview • Exchange 2003 Protocols • Firewall Configuration for Exchange 2003 Protocols • Exchange 2003 SP2 Changes for your Firewall • Recommendations to Secure Your Exchange Deployment

  3. Exchange 2003 Protocols (overview) • Does Exchange 2003 really have it’s own protocols? Not really… • Most Popular (in order): [MAPI*], SMTP, HTTP, IMAP4 • Less Popular: POP3, NNTP, X.400 • Not Really Exchange, but useful: LDAP • These are all industry standards that work among other servers fairly well. • All protocols above support SSL encryption except which one? (answer: X.400)

  4. Exchange 2003 Protocols (in-depth/popular) • MAPI stands for Messaging Application Programming Interface and is an API/protocol found in Windows. This is a proprietary protocol and is not recommended to be used outside the local area network. • SMTP stands for Simple Mail Transfer Protocol. This runs via port 25 and is how email gets transferred in/outbound. Without SMTP, email would NOT work. This is the only required protocol for your email to work. • HTTP stands for Hypertext Transfer Protocol. This runs via port 80 and is how users use Outlook Web Access (aka webmail, OWA). This port is also used for Outlook 2003 and Exchange 2003 to tunnel email traffic. • IMAP4 stands for Internet Message Access Protocol. This runs via port 143 and allows users to view all email similar to OWA but via a client-side email program. Email is not removed from the server when using IMAP. It acts similar to Outlook’s native protocol (MAPI). Multiple versions, hence the latest commonly used is IMAP version 4, called IMAP4. Tip: Outlook Express 6 is a far better IMAP client than Outlook 2000 & 2003. All protocol definitions are a combination of Wikipedia and other online sources.

  5. Exchange 2003 Protocols (Less Popular) • POP3 stands for Post Office Protocol version 3. This runs via port 110 and allows users to retrieve all email received. Exchange Users normally do not use this protocol. • NNTP stands for Network News Transport Protocol. This runs via port 119. Used for posting on Usenet. Anyone know Usenet? Rarely used since 2000. A client supporting this was Newsreader. • X.400 is a group of standards used for exchanging and addressing electronic messages. Used primarily for Electronic Data Interchange solutions. Another rarely used solution. But, X.500 addresses are used for cross-site addressing. Keep this in mind if you replace your old AD environment and Exchange Server and create a new one and reply to old email messages and they bounce. You’ll need to use X.500 addresses.

  6. Exchange 2003 Protocols & Securing • LDAP stands for Lightweight Directory Access Protocol. This runs via port 389 on Exchange or if server is a Global Catalog it is port 3268. • All the previous protocols support Secure Sockets Layer (SSL) encryption except X.400. This can be a very secure method to protect the data that is sent over a protocol. • The following protocols can be setup with SSL. HTTPS (port 443), SMTP over SSL (465), IMAP4 (port 993), POP3 (port 995), NNTPS (port 563), X.400 (no SSL supported). LDAP over SSL (for Exchange is port 636 or for GC it is port 326). • SSL certificate required to enable SSL security on any of the protocols. You can either create your own via your Certificate Authority, or purchase one from a CA [recommend this approach – time for $$$$LL certs talk].

  7. Exchange 2003 SP2 Changes for your Firewall • Exchange 2003 Service Pack 2 introduces a new feature for Windows Mobile 5 handheld devices that increases the speed of Mobile 5 users receiving email alerts. This new feature is called Direct Push Technology. • Exchange Direct Push Technology uses this heartbeat interval so that the server and the mobile device can maintain connectivity. Therefore, a session is open for the server to use to notify the mobile device when an e-mail message arrives. This speeds up message arrival time, use less bandwidth, and increases battery life. • The default timeout period for ActiveSync’s heartbeat is 540 seconds (9 minutes). So, on your firewall you want to increase your http connection timeout period to at least 9 minutes. • You can look in the Event Log for Errror ID error 3033 and Event Type Warning, Event Sourcde: Server ActiveSync. • See Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology“ http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013

  8. Recommendations to Secure Your Exchange Deployment of Protocols • Purchase a SSL certificate and enable SSL on HTTP for HTTPS. Then you can use form based authentication (FBA) on OWA. Provides increased security [logout works correctly with FBA, w/o it only logout option is to quit browser], prettier, ability to switch between basic and premium mode for IE users. This will also protect usernames & passwords. • Use a mail gateway that supports SMTP over SSL (or SMTP over TLS) so you can selectively support SMTP communications if the other server supports it. This is called opportunistic encryption support. • Server to Server SSL is also known as STARTTLS, since this is an SMTP extension. Exchange supports TLS for encryption which is newer and better than SSL. I use the 2 interchangeable in my slides. • Enabling SSL for SMTP on Exchange 2003 does not do anything unless you check the box to Require TLS. If you do this, you will run into many problems, so only enable this if you use a mail gateway or enable it per Connector (I demo-ed the Connector configuration). • If you enable LDAP access from a remote source (spam filter), whitelist on the firewall only the IP for the LDAP query server. This will protect your Windows Server from unauthorized queries.

  9. Presented August 14, 2007 at NYExUG Meeting Thank you for attending the NYExUG User Group Meeting.Benefits of Attending Meetings- free pizza dinner- free raffles (Windows 2003 Server R2 Enterprise, Office 2003 Professional, and Exchange 2007 Standard)

More Related