Managing and Troubleshooting Connectivity Across Firewalls


Almost all organizations protect their network with at least one, and quite often two, firewalls, as shown in Figure 9.1. At its most basic, a firewall is a system that controls which traffic does and does not pass from the public Internet to the organization's private network. Some networks are configured with a screened subnet, or demilitarized zone (DMZ): a network located between an external firewall and an internal firewall. Both firewalls are configured so that all traffic must pass through the screened subnet; filtered or not, traffic never passes directly from the Internet to the internal network.

Figure 9.1. A basic screened subnet or DMZ bounded by an external firewall connected to the Internet and an internal firewall connected to the internal network.

The DMZ is where you are likely to locate a Simple Mail Transfer Protocol (SMTP) server, proxy servers, and, in some cases, Exchange front-end or Outlook Web Access (OWA) servers. An important part of the 70-284 exam is being able to correctly describe how to configure a firewall to allow the types of communication necessary for Exchange to work, without letting unnecessary traffic through that might compromise the security of the network. This description often takes the form of identifying which ports should be opened on a particular firewall.

Differentiating Traffic on the Basis of Port

TCP/IP traffic is differentiated by the port it uses, and different application protocols use different ports. Hypertext Transfer Protocol (HTTP) traffic, for example, which carries Web traffic, uses port 80. SMTP traffic uses port 25, and Post Office Protocol version 3 (POP3) traffic uses port 110. Thousands of ports have been assigned to support different application protocols. At their most basic level, firewalls allow and deny traffic based on the port that the traffic uses and on the source and destination addresses.

It is not necessary that you memorize all TCP/IP ports to pass the Exchange Server 2003 exam. It is important to be conversant with the ports Exchange Server 2003 needs to carry out particular functions.


The important ports that are used by Exchange Server 2003 are listed in Table 9.1.

Table 9.1. Common TCP/IP Ports Used by Exchange Server 2003

TCP/IP Port     Exchange Server 2003 Service
25              SMTP; used to transmit mail
53              DNS; used to resolve hostnames on the Internet
80              HTTP; used for Web traffic such as OWA
88              Kerberos; used for authentication
110             POP3; used by some clients to retrieve email from an Exchange server
135             RPC; used for Exchange administration
143             IMAP4; used by some clients to retrieve email from an Exchange server
389             LDAP; used to query Active Directory (AD)
443             HTTPS; Secure HTTP
636             LDAP SSL; used to securely query AD
993             IMAP4 SSL; used to securely retrieve email from Exchange Server
995             POP3 SSL; used to securely retrieve email from Exchange Server
3268 and 3269   Used to query global catalog servers


Only Allowing Access to Front-end Servers via Secure Sockets Layer (SSL)

One of the first steps in securing a server that communicates with hosts on the Internet is ensuring that the protocols used to reach that server are as secure as possible. Rather than allowing both the insecure and the secure version of the same protocol through the external firewall, administrators should allow only the SSL-protected protocols to reach an Exchange Server 2003 front-end server located on the DMZ. The downside of this method is that the front-end server carries the additional processor load of handling and decrypting the SSL traffic. SSL accelerator cards can be purchased to offload this work, but they are an additional infrastructure expense. One port that Exchange communicates on should not be blocked, even though the traffic on it is not encrypted: port 25, used by SMTP to transmit and receive messages from other email servers on the Internet. To retain interoperability with SMTP servers outside the organization, which do not share the organization's SSL certificates, this external communication should not be encrypted in this manner.

To use SSL, you require an SSL certificate. Obtaining a certificate for securing internal SMTP traffic via SSL is relatively simple if you have an enterprise root CA. If you do not have an enterprise root CA, you need to use the Certificate Request Wizard and submit the generated file to your CA. After you have the required SSL certificate installed, you can enable secure communication by editing the properties of the SMTP virtual server.

Smart Hosts

Smart hosts present an alternative to placing an Exchange Server 2003 computer on the DMZ. Use a smart host rather than an Exchange Server 2003 front-end server when you do not need to provide mail services to users located on the Internet side of the external firewall. A smart host is a Windows 2000 Server or Windows Server 2003 server that is configured as an SMTP relay, which simply relays messages between the Internet and the internal network. A smart host has no knowledge of AD and does not require Exchange Server to be installed. When a smart host is used, the only ports that need to be opened are port 25 on the external firewall and port 25 on the internal firewall.

Connecting MAPI Clients to Exchange Server 2003 Through a Firewall

You will encounter situations in which Messaging Application Programming Interface (MAPI) clients located on the Internet, with the firewall between them and the Exchange Server 2003 server, need to access data on that server. As an administrator, you must balance providing that access against keeping the internal network secure. Several options are available for giving remote users access to Exchange. These include

  • Setting up a VPN server on the DMZ and allowing VPN clients to access the Exchange Server 2003 computer via the VPN server. In such a situation, all authentication occurs on the VPN server and a VPN connection must be established before messages can be downloaded from Exchange.

  • Alternatively, inbound connections can be permitted through the external firewall only over SSL-secured Internet Message Access Protocol (IMAP) and SSL-secured POP. Only users with valid SSL certificates can make such connections.

  • Rather than letting clients check email directly, OWA can be configured on a front-end server located on the DMZ. External clients would then connect via a secure HTTP connection to read their email.

  • Finally, if the client is running Outlook 2003 and the server hosting Exchange is running Windows Server 2003, Exchange Server 2003 supports the new RPC over HTTP technology. RPC over HTTP requires only a limited number of external ports to be opened. This option is covered in the section titled "RPC over HTTP."

External Firewall Configuration

If you want to allow remote clients on the Internet to access the Exchange servers via POP3 or IMAP, you need to install an Exchange front-end server on the DMZ and make the following configuration settings:

  • On the external firewall, allow either SSL-secured IMAP (port 993) or SSL-secured POP3 (995) depending on your client configuration. These ports need only be open from the Internet to the particular IP address of the Exchange Server 2003 front-end server located on the DMZ. You do not need to open the port to all hosts on the DMZ. The SMTP port (port 25) will already be open as that is how mail from the Internet reaches your Exchange organization.

  • On the internal firewall, allow IMAP (port 143) or POP3 (port 110) depending on client configuration. Also allow port 25 for SMTP.

  • To communicate with Active Directory, specific ports must be opened on the internal firewall between the front-end server and the internal network. These ports include port 389 (both UDP and TCP), which is used via LDAP to query the directory service, port 3268, which is used by LDAP to query the global catalog server, and port 88 (both UDP and TCP), which is used for Kerberos authentication. The DNS port (port 53) might need to be opened up if there is no DNS server on the DMZ. Finally, the RPC port (port 135) needs to be open for authentication to occur.
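The port-based filtering described under "Differentiating Traffic on the Basis of Port" and the external and internal firewall rule sets listed above, as an added example that is not from the book: a small Python model of the two firewalls with default deny, checked against constructed flows. The address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, 192.0.2.10 as the front-end server, 203.0.113.5 as a remote client) are constructed assumptions, and the model covers only the initiating direction of each connection.

```python
"""Two-firewall (Internet / DMZ / internal) policy from this chapter, modelled
as stateless allow rules with default deny, then checked against sample flows.
Added example, not from the book: address ranges and host addresses are
constructed; the rules follow Table 9.1 and the external/internal lists above."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")          # constructed screened subnet
INTERNAL = ip_network("10.0.0.0/8")       # constructed internal network
FRONT_END = ip_network("192.0.2.10/32")   # constructed address of the Exchange 2003 front-end


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str   # "tcp" or "udp"
    port: int    # destination port


def external_firewall_rules() -> Tuple[Rule, ...]:
    """Internet -> DMZ. Only SMTP and the SSL-protected client ports are
    exposed, and only to the front-end's own address, never to the whole DMZ.
    Plain POP3 (110) and IMAP4 (143) are deliberately absent."""
    return (
        Rule("smtp-in", ANY, FRONT_END, "tcp", 25),
        Rule("imap4-ssl", ANY, FRONT_END, "tcp", 993),
        Rule("pop3-ssl", ANY, FRONT_END, "tcp", 995),
    )


def internal_firewall_rules() -> Tuple[Rule, ...]:
    """Front-end -> internal network: mail protocols plus the AD ports."""
    return (
        Rule("smtp", FRONT_END, INTERNAL, "tcp", 25),
        Rule("pop3", FRONT_END, INTERNAL, "tcp", 110),
        Rule("imap4", FRONT_END, INTERNAL, "tcp", 143),
        Rule("ldap-tcp", FRONT_END, INTERNAL, "tcp", 389),
        Rule("ldap-udp", FRONT_END, INTERNAL, "udp", 389),
        Rule("gc", FRONT_END, INTERNAL, "tcp", 3268),
        Rule("kerberos-tcp", FRONT_END, INTERNAL, "tcp", 88),
        Rule("kerberos-udp", FRONT_END, INTERNAL, "udp", 88),
        Rule("dns", FRONT_END, INTERNAL, "udp", 53),   # only needed if no DNS server on the DMZ
        Rule("rpc-epm", FRONT_END, INTERNAL, "tcp", 135),
    )


def first_match(rules, src: str, dst: str, proto: str, port: int) -> Optional[str]:
    """Default deny: the name of the first matching rule, or None."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto == proto and r.port == port:
            return r.name
    return None


def zone(ip: str) -> int:
    """0 = Internet, 1 = DMZ, 2 = internal; the external firewall sits
    between 0 and 1, the internal firewall between 1 and 2."""
    a = ip_address(ip)
    return 1 if a in DMZ else 2 if a in INTERNAL else 0


def path_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """A connection (initiating direction only; replies are assumed to be
    handled statefully) must be permitted by every firewall it crosses.
    An Internet -> internal flow crosses both, and the external rules only
    ever name the front-end as destination, so no direct path exists."""
    lo, hi = sorted((zone(src), zone(dst)))
    if lo <= 0 < hi and first_match(external_firewall_rules(), src, dst, proto, port) is None:
        return False
    if lo <= 1 < hi and first_match(internal_firewall_rules(), src, dst, proto, port) is None:
        return False
    return True


# Constructed sample flows: (src, dst, proto, port, description).
SAMPLE_FLOWS: List[Tuple[str, str, str, int, str]] = [
    ("203.0.113.5", "192.0.2.10", "tcp", 993, "remote client, IMAP4 over SSL to the front-end"),
    ("203.0.113.5", "192.0.2.10", "tcp", 143, "remote client, plaintext IMAP4 to the front-end"),
    ("203.0.113.5", "192.0.2.20", "tcp", 993, "IMAP4 over SSL to some other DMZ host"),
    ("192.0.2.10", "10.0.0.5", "udp", 389, "front-end LDAP query to a domain controller"),
    ("192.0.2.10", "10.0.0.5", "udp", 3268, "front-end GC query over UDP (only TCP is listed)"),
    ("203.0.113.5", "10.0.0.7", "tcp", 25, "Internet host straight to an internal server"),
]


def audit(flows=SAMPLE_FLOWS) -> Dict[str, bool]:
    """Map each flow description to whether the two-firewall policy permits it."""
    return {desc: path_allowed(s, d, p, port) for s, d, p, port, desc in flows}


if __name__ == "__main__":
    for desc, ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {desc}")
```

The two flows a loosely written rule set would let through (plaintext IMAP4 from the Internet, and SSL IMAP4 to a DMZ host other than the front-end) are denied here because the external rules name only the SSL ports and only the front-end's own address, which is the point of the first bullet above; the Internet-to-internal flow is denied because nothing on the external firewall ever names an internal destination.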

Secure traffic comes through the firewall to the Exchange front-end server. Front-end servers do not host mailboxes or public information stores and are located on the DMZ. The internal firewall is configured so that the front-end server is able to communicate normally with back-end servers located on the internal network. We discuss front-end and back-end server configuration further in Chapter 6, "Managing, Monitoring, and Troubleshooting the Exchange Organization."

RPC over HTTP

RPC over HTTP is Microsoft's new preferred technology for allowing external MAPI clients to access the internal Exchange infrastructure. RPC over HTTP is a technology that allows an Outlook 2003 MAPI client to communicate with an Exchange Server 2003 system hosted on a Windows Server 2003 computer via port 80. An Exchange Server 2003 front-end server that does not host any mailboxes or public information stores is located on the DMZ. You can then specify which ports are used to communicate with the domain controller (DC), global catalog (GC), and Exchange servers that the RPC client will access. Alternatively, if ISA Server is installed, it can route RPC over HTTP, in which case the RPC proxy server can use all of the ports it requires.

To prepare an Exchange Server 2003 computer to support RPC over HTTP:

  • Ensure that Exchange Server 2003 is installed on Windows Server 2003 and not on Windows 2000 Server.

  • Configure the Exchange front-end server by adding the RPC over HTTP component to the Networking Services in Add/Remove Windows Components, as shown in Figure 9.2.

    Figure 9.2. Installing the RPC over HTTP component on Windows Server 2003.


  • In the IIS Manager, configure the authentication method on the RPC virtual directory in IIS to use Basic, rather than Integrated or Digest authentication.

  • Configure the RPC over HTTP proxy to use specified ports. To force this, you must edit the Registry on the RPC over HTTP proxy server. The Registry key to edit is HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy. All servers on the internal network that the RPC proxy will need to communicate with must be added manually here using the target's fully qualified domain name (FQDN). The ports are listed in Table 9.2. More information on how to do this can be located in the Exchange 2003 Deployment Guide, available from the Microsoft Exchange technical library.

  • Ensure that the external firewall allows port 80 traffic from the Internet to the Exchange front-end server with the RPC over HTTP component installed.

  • Configure the internal firewall to allow traffic to pass from the RPC over HTTP proxy to the internal hosts via the ports specified in the Registry. These ports are listed in Table 9.2.

  • Configure an Outlook profile for remote users to use RPC over HTTP.

Table 9.2. Ports to Configure in the Registry

Port    Service
593     End Point Mapper
6001    Store
6002    DS Referral
6004    DS Proxy


The advantage of RPC over HTTP is that only port 80 needs to be opened on the firewall. The disadvantage is that it is limited to Outlook 2003. If older Outlook clients must be supported, this technology cannot be implemented.
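The Registry step in the list above, as an added example that is not from the book or from Microsoft: a Python helper that builds the per-server port list for the RpcProxy key from Table 9.2, and audits an existing value for hosts or ports the proxy has no reason to reach. The book names only the key; the value name ValidPorts and its "host:port;host:lo-hi" syntax are assumptions from the editor's own knowledge of the RPC proxy, and the server names are constructed.

```python
"""Build and audit the string that restricts which internal hosts and ports the
RPC over HTTP proxy will forward to. Added example, not from the book or from
Microsoft: server names are constructed. The book names the key (REG_KEY
below); the value name ValidPorts and its "host:port;host:lo-hi" syntax are
assumptions from the editor's own knowledge and do not appear in the text."""
import re
from typing import Dict, List, Set

# Table 9.2: the only ports the proxy should be permitted to reach.
RPC_OVER_HTTP_PORTS = {593: "End Point Mapper", 6001: "Store", 6002: "DS Referral", 6004: "DS Proxy"}

REG_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy"
VALUE_NAME = "ValidPorts"   # assumption: the value under REG_KEY that holds the list

ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def build_valid_ports(server_fqdns: List[str]) -> str:
    """One explicit 'fqdn:port' entry per server per Table 9.2 port, ';'-joined.
    Ports are listed individually rather than as a range so that 6003, which is
    not in the table, is never included by accident."""
    return ";".join(f"{fqdn}:{port}" for fqdn in server_fqdns for port in sorted(RPC_OVER_HTTP_PORTS))


def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Expand entries into a host -> set-of-ports map. A malformed entry raises
    rather than being skipped, so a typo cannot silently change the policy."""
    result: Dict[str, Set[int]] = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed {VALUE_NAME} entry: {entry!r}")
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {entry!r}")
        result.setdefault(m["host"].lower(), set()).update(range(lo, hi + 1))
    return result


def audit_valid_ports(value: str, expected_fqdns: List[str]) -> List[str]:
    """Findings for a defender reviewing the proxy: hosts that should not be
    reachable, ports outside Table 9.2, and expected servers left incomplete."""
    findings: List[str] = []
    parsed = parse_valid_ports(value)
    expected = {s.lower() for s in expected_fqdns}
    allowed = set(RPC_OVER_HTTP_PORTS)
    for host, ports in parsed.items():
        if host not in expected:
            findings.append(f"unexpected host {host}")
        extra = sorted(ports - allowed)
        if extra:
            findings.append(f"{host}: ports outside Table 9.2: {extra}")
    for host in sorted(expected):
        missing = sorted(allowed - parsed.get(host, set()))
        if missing:
            findings.append(f"{host}: missing ports {missing}")
    return findings


def reg_file(value: str) -> str:
    """Render the value as a .reg file suitable for import with regedit."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{REG_KEY}]\n"
            f'"{VALUE_NAME}"="{escaped}"\n')


if __name__ == "__main__":
    servers = ["exbe01.corp.example.com", "dc01.corp.example.com"]   # constructed
    good = build_valid_ports(servers)
    print(reg_file(good))
    # Constructed over-wide value: a 6001-6004 range lets 6003 through, and a
    # port 445 entry names a host and service the proxy has no business reaching.
    sloppy = "exbe01.corp.example.com:6001-6004;exbe01.corp.example.com:593;dc01.corp.example.com:445"
    for finding in audit_valid_ports(sloppy, ["exbe01.corp.example.com"]):
        print("finding:", finding)
```

The audit is the part worth running periodically: the list in this key is exactly what the internal firewall rule in the bullet above is meant to mirror, so any host or port that appears in one but not the other is a gap to close.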

Integrating ISA Server 2000 with Exchange Server 2003

Exchange Server 2003, unlike Exchange 2000 Server, is designed to work closely with ISA Server 2000, the Microsoft firewall and proxy product. ISA Server 2000 can be configured so that Exchange front-end servers are no longer required on the screened subnet. To perform this function, ISA Server 2000 must be patched with Service Pack 1. The ISA Server 2000 Feature Pack 1 must also be installed. An ISA server located on the screened subnet can process the following kinds of traffic from the Internet to the internal network:

  • OWA

  • RPC over HTTP

  • Outlook Mobile Access

  • POP3

  • IMAP4

ISA Server also checks the data for any malicious traffic before forwarding it to the appropriate Exchange server on the internal network. To perform these functions, ISA Server 2000 does not need to be hosted on a computer that is a member of the domain. This provides greater security because if the ISA Server 2000 computer is compromised, the attacker does not have domain access.

You are not expected to be able to configure ISA Server 2000 on the exam. You are expected to know how ISA Server 2000 can be used to enhance security for Exchange Server 2003.


MCSA/MCSE Implementing and Managing Exchange Server 2003 Exam Cram 2 (Exam Cram 70-284)
ISBN: 0789730987
Year: 2004
Pages: 171