Windows 2000 and Exchange 2000 Server provide an impressive set of security features that can help you protect your organization’s resources against attacks over the computer network. However, to reliably shield your corporate network from the hazards of the Internet, extra precautions in the form of firewalls are required. Exchange 2000 Server, especially in a front-end/back-end (FE/BE) configuration, can seamlessly integrate with sophisticated firewall topologies.
This lesson explains how to secure the Internet access points of an Exchange 2000 organization by means of firewalls, blocking potential attackers while allowing authorized users to access mailboxes and public folders. You can read about firewall configurations in FE/BE arrangements, as well as encryption technology, to secure the Internet-based client communication. You can also read about options to support MAPI-based clients, which, unfortunately, cannot benefit from FE/BE deployments.
Firewalls are essential components in securing communication over the Internet. They not only help protect internal systems from unauthorized use and attacks, but also allow you to control outgoing communications. VPNs, on the other hand, are useful solutions for mobile users who require remote access to the corporate network. Without the expense of long-distance analog phone or leased lines, users working in a remote office, at home, or on the road can establish a connection to a local Internet service provider (ISP) and use the Internet similar to a dedicated wide area network (WAN) link. VPNs can also be used to replace WAN links between remote offices, providing secure communications across a shared network such as the Internet. The communication is encrypted to prevent fraud and eavesdropping.
A firewall is a security system that prevents Internet users from directly communicating with internal computer systems. As mentioned, you can also control communication from internal users to the public network. All data traffic is routed through a firewall, or an arrangement of firewalls, that monitor the communication and decide whether the data packets are allowed to pass through or should be dropped. Firewalls can also be called proxy servers or bastion hosts—while each of these terms differs slightly in meaning, their functionality overlaps significantly. Figure 9.1 shows a single bastion host shielding a corporate network from the Internet.
Figure 9.1 - An Internet access point protected by a single firewall
You can use firewalls to protect your internal network resources by means of the following features:
VPNs leverage TCP/IP-based networks, such as the Internet, to connect remote clients and offices through an encrypted channel, known as a tunnel or VPN connection (see Figure 9.2). The encryption of network traffic ensures the confidentiality of the data. At the sending station (that is, the VPN client), the IP datagrams are placed in Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) frames, which in turn are encapsulated into IP datagrams before they are sent over the network. When the data enters the tunnel it is encrypted, and when it leaves the tunnel it is decrypted. The sending and receiving stations are not aware that tunneling took place. PPTP performs the encryption itself; L2TP relies on IPSec for encryption.
VPNs are an excellent solution for supporting users who need full connectivity to the corporate network yet cannot directly connect to the corporate network. VPN connections allow any type of traffic to be tunneled through a corporate firewall and into the corporate network and can have a different set of filtering rules from those applied to other Internet traffic. They encapsulate all datagrams and allow remote users to work as if they are logged on to workstations in the internal network. For example, it is possible to use Messaging Application Programming Interface (MAPI)-based clients, such as Microsoft Outlook 2000, to connect to an Exchange 2000 server over a VPN connection.
Figure 9.2 - Connecting to a corporate network via a VPN
However, VPNs are only as reliable as the underlying network connection. If your users connect to a local ISP by means of a slow dial-up connection, for instance, remote procedure call (RPC)-based communication can be problematic, and this would adversely affect MAPI-based communication. Over slow or unreliable VPN connections, consider using a Terminal Services client to access a Terminal Server in the corporate network that runs the client applications directly in the local area network (LAN) of the Exchange 2000 server.
You can configure the following types of VPN connections:
Note
Whether you use RRAS or another network access server (NAS) system, it is vital to protect from unauthorized use those VPN connections that provide remote users with direct access to the corporate network. Two important things must come together for this purpose: The system must identify the user, and the user must be authorized to establish VPN connections. You can enable unauthenticated access to a VPN server, in which case users don’t need to provide a logon name or password, but identification still occurs. In Windows 2000, anonymous users are known under the identity of the IAS guest account.
Windows 2000 Server comes with a powerful IAS, a Remote Authentication Dial-In User Service (RADIUS) for centralized authentication, authorization, auditing, and accounting. Any RADIUS-compliant client can communicate with Windows 2000 IAS, which allows you to integrate this service into heterogeneous environments. Windows 2000 RRAS, for example, uses Windows authentication by default, but can be configured to use RADIUS. Your RRAS servers do not need direct connectivity to a domain controller (DC) when using RADIUS (see Figure 9.3).
Figure 9.3 - An example of RRAS integration with IAS
The IAS authentication process is as follows:
For detailed information about RRAS and the IAS, see the Windows 2000 Server product documentation.
Note
Even a simple firewall allows you to configure packet filters to prevent unauthorized data packets and protocols from entering or leaving your internal network. Based on IP addresses and port numbers, you can block communication to specific hosts or services. A packet filter is typically composed of source IP address and source port; destination IP address and destination port; protocol identifier, such as TCP or User Datagram Protocol (UDP); and the action to take if a data packet matches the rule.
For example, in Figure 9.4, you can configure the firewall so that Internet users are able to access only the Exchange 2000 server (SRV-02-EMS, IP address 131.107.3.125). You can further restrict the communication to specific services on SRV-02-EMS. Services are available through ports. For instance, you might allow inbound traffic to use TCP port 80 for Hypertext Transfer Protocol (HTTP)-based communication with the World Wide Web Publishing Service, but block the communication to all other ports. In this case, Internet users can connect to SRV-02-EMS using Microsoft Outlook Web Access (OWA), but other applications, such as MAPI-based, Internet Message Access Protocol 4 (IMAP4), or Terminal Services clients are blocked. Table 9.1 lists the various ports you might want to open on your firewall to allow users and messaging systems from the Internet to communicate with an Exchange 2000 server.
Table 9.1 Important Messaging-Related Protocols and Their Port Numbers
Protocol | TCP Port Number | TCP Port Number with SSL | UDP Port Number |
---|---|---|---|
Domain Name System (DNS) | 53 | — | 53 |
HTTP | 80 | 443 | — |
IMAP4 | 143 | 993 | — |
Internet Relay Chat | 6661–7000 | — | — |
IPSec (Protocol ID 50) | — | — | 500 |
Kerberos authentication | 88 | — | 88 |
L2TP | — | — | 1701 |
Lightweight Directory Access Protocol (LDAP) | 389 | 636 | — |
LDAP (Global Catalogs) | 3268 | 3269 | — |
NetBIOS over TCP/IP | 139 (session services) | — | 137 (name services) 138 (datagram services) |
Netlogon | 445 | — | — |
PPTP (Protocol ID 47) | 1723 | — | — |
Post Office Protocol 3 (POP3) | 110 | 995 | — |
Remote Desktop Protocol (RDP) or Independent Computing Architecture (ICA) protocol | 3389 | — | — |
Rendezvous Protocol (RVP) | 80 | 443 | — |
RPC dynamic ports | 1024 and higher | — | — |
RPC endpoint mapper | 135 | — | — |
Simple Mail Transfer Protocol (SMTP) | 25 | — | — |
X.400 over TCP | 102 | — | — |
Note
Figure 9.4 - An Internet access point for OWA
Figure 9.4 illustrates the configuration of a firewall rule to allow HTTP traffic to and from an Exchange 2000 server. Note that you need to allow the communication in both directions, so you actually need to configure two filters. In a typical scenario, Web browsers send HTTP requests to TCP port 80 (nonencrypted communication) or TCP port 443 (SSL-encrypted communication). For the local endpoint of the TCP connection, however, the browser may choose a dynamic port number in the range between 1024 and 65,535. Because you don’t know the client port, you need to configure the outgoing filter so that the firewall allows data originating from the server’s TCP port 80 to any station and any port in the public network. You can read more about the configuration of packet filters later in this lesson.
More Info: Force SSL-Encrypted Communication for Outlook Web Access
When you enforce SSL-encrypted communication for HTTP, users must connect to OWA using the https:// protocol identifier. IIS will refuse requests to the standard (non-SSL) port 80 with the following error message: HTTP 403.4 - Forbidden: SSL required Internet Information Services. Unfortunately, users tend to forget to specify https:// instead of http:// in their connection requests. You can suppress the IIS error message and redirect all incoming non-SSL connections on behalf of the users automatically.
To automatically redirect all incoming non-SSL connections to Exchange 2000 OWA to the SSL-based port, follow these steps:
<% If Request.ServerVariables("SERVER_PORT")=80 Then Response.Redirect "https://" & _ Request.ServerVariables("SERVER_NAME") & _ "/Exchange/" End If %>
You can read more about the configuration of custom error messages in the IIS 5.0 production documentation and online help.
Security-conscious organizations consider the configuration shown in Figure 9.4 insufficient because it does not provide separate networks for internal systems and externally accessible servers. In this example, all internal systems use public IP addresses. Further, Internet-accessible resources, such as the OWA server SRV-02-EMS, reside on the same internal network as user systems. No firewall will ever be completely secure, but if an intruder can break through your firewall, all internal systems are open to attack.
To meet stronger security standards, you need to do the following:
Note
Depending on the level of security your organization requires, you can establish a DMZ using a single firewall with three network cards or two separate firewalls with two network cards each. You can also create a multizone DMZ with several firewalls. A single firewall with three network cards represents the least secure solution because it is physically connected to the private network. A DMZ with two or more separate firewalls is more secure, but more complex and costly than the three-pronged firewall approach. For optimal protection of your Internet access point, consider the installation of dissimilar systems. Dissimilar firewalls usually have different weaknesses, making it harder for an intruder to break through. Figures 9.5 and 9.6 show typical DMZ configurations.
Figure 9.5 - Establishing a DMZ with one or two firewalls
Figure 9.6 - Establishing an inner and outer DMZ with three firewalls
Note
You should tightly secure the servers in the DMZ because they are exposed to the Internet. In general, deactivate all those services on these systems that are not required and block all protocols that you do not intend to support over the Internet.
Use the following guidelines to secure your Internet-accessible systems:
Tip
You can use FE servers or other Exchange 2000 servers as SMTP relay hosts in your DMZ, which provides you with the ability to control incoming and outgoing message transfer based on SMTP virtual servers and SMTP connectors. The design of message routing topologies is discussed in Chapter 5, "Designing a Basic Messaging Infrastructure with Microsoft Exchange 2000 Server."
SMTP systems exposed to the Internet have specific configuration requirements. Among other things, you should not allow anonymous relaying of SMTP messages through your smart hosts. Otherwise, anyone who wants to send unsolicited commercial messages to thousands of users can misuse your systems. An advertiser would only need to configure his or her Internet mail client to send messages to your SMTP host if it accepts message relaying for anybody. The advertiser composes one new message, conveniently specifies thousands of recipients from a database, and then sends this message to your relaying host. The client’s job is quickly done. It is your SMTP host that has to do all the work of sending the unsolicited message to thousands of users over the Internet. Fortunately, Exchange 2000 Server does not allow anonymous relaying by default. To make sure it is disabled, open the Exchange System Manager snap-in, display the properties of your SMTP virtual server, click the Access tab, click Relay, and then, in the Relay Restrictions dialog box, make sure only authenticated users are able to relay messages.
You can also prevent the reception of unsolicited commercial messages with message filters. This is highly recommended, because delivering unnecessary Internet messages is a drain on your system resources. In addition, there is always a risk of receiving viruses contained in message attachments. To prevent the delivery of messages from specific sources, launch the Exchange System Manager snap-in. Display the properties of the Message Delivery object, which can be found under Global Settings. Click the Filtering tab, and then click Add to specify the senders that you want to filter out. As soon as a filter is defined, you can activate the filtering feature on your virtual server. Display its properties, then, in the General tab, click Advanced, edit the IP Address – TCP Port mapping, and select the Apply Filter check box. If a message is received with a sender e-mail address that matches a filter entry, the message is discarded.
It is also possible to block message reception from specific hosts, a range of computers, or entire SMTP domains. Display the properties of the SMTP virtual server one more time, click the Access tab, click Connection under Connection Control, and then, in the Connection dialog box, make sure the All Except The List Below option is selected. Click Add, and specify the unwanted computer’s IP address or a range of IP addresses. If you activate the Domain option, on the other hand, you need to specify a complete SMTP domain name, such as adventure-works.com. Remember that reverse DNS lookups must work for the DNS name; otherwise the server cannot obtain the IP addresses that should be denied access.
Exchange 2000 Server, specifically the FE/BE architecture, is perfectly suited for tiered firewall arrangements. In a nutshell, place the FE server in the DMZ, allow your users access to only this system through the outer firewall, and open the inner firewall only for incoming requests from the FE server. Your users can work with their mailboxes and public folders. The FE server relays the client communication through the inner firewall to an appropriate BE server, as explained in Chapter 8, "Designing Hosted Services with Microsoft Exchange 2000 Server." Users do not need to pass through to the corporate network directly.
Figure 9.7 illustrates the configuration of an outer firewall with static address mapping for the servers in the DMZ. OWA, IMAP4, and POP3 clients communicate with the FE server in encrypted form. Keep in mind that the latter two require an SMTP relay host to send messages. Optionally, you might also want to open TCP port 3269 to support SSL-based LDAP communication with Global Catalogs (GCs), but keep in mind that this can expose sensitive organizational information. IMAP4 and POP3 clients do not necessarily require access to the GC.
In an FE/BE configuration, users can only log on to Exchange 2000 Server using basic authentication mechanisms, which require the transmission of user name and password in clear text over the public network. Furthermore, communicating with FE servers and SMTP hosts in nonencrypted form allows eavesdroppers to intercept and read all messages. For these reasons, it is unacceptable to allow nonencrypted communication with FE systems across public networks. If you cannot deploy VPN connections or use IPSec to secure the client communication, you must enable and enforce SSL-based encryption on all protocol virtual servers and open only the SSL-specific ports on the firewall, as shown in Figure 9.7.
SSL relies on public key encryption. The encryption keys are automatically exchanged in the form of an X.509 certificate during the security handshake. Therefore, to enable the SSL-based encryption, you first need to install a server certificate in the virtual servers. Use the Internet Services Manager console for the default HTTP virtual server or the Exchange System Manager snap-in to install the server certificate. You can request a certificate from a CA on the Internet or use a private certificate server. Public key encryption is covered in more detail in Lesson 2.
Figure 9.7 - Internet connections to an FE server with static address mapping
You might also want to encrypt the communication from Internet-based messaging clients to the SMTP relay host, but the SMTP service of Exchange 2000 Server does not support SSL. Netscape has defined TCP port 465 for SSL-encrypted SMTP, but when you configure your IMAP4 or POP3 client to communicate by means of SSL, you will receive an error message indicating that the communication with the SMTP host failed. The Exchange 2000 SMTP service monitors TCP port 25 and only understands Transport Layer Security (TLS), which is a slightly different security protocol. Microsoft Outlook Express 5.0 and later versions support TLS to send messages in encrypted form via the Exchange 2000 SMTP service. If you need to support TLS-unaware clients, consider VPN connections or IPSec, or install an SMTP relay host in the DMZ that supports SSL-encrypted SMTP.
Note
Configuration of the inner firewall is more complex because you need to ensure that the FE server can communicate with all required systems in the corporate network, including BE servers, DCs, and GCs. Table 9.2 summarizes the required ports that you need to open between the DMZ and the internal network to allow FE servers to function properly.
Table 9.2 Required Ports for FE/BE Communication
Port | Transport | Service | Comments |
---|---|---|---|
25 | TCP | SMTP | You need to open this port to allow the SMTP relay host in the DMZ to communicate with at least one Exchange 2000 server in the private network. To increase security, you can require authentication between the servers. Another option is to use X.400 connectors instead of SMTP, which would require you to open TCP port 102 for X.400 over TCP. |
80 | TCP | HTTP | If users work with OWA, you need to open the default HTTP port. Keep in mind that SSL encryption or custom ports are not supported between FE and BE servers, as discussed in Chapter 8, "Designing Hosted Services with Microsoft Exchange 2000 Server." |
110 | TCP | POP3 | Same issues as with HTTP. Only the default port is available for FE/BE communication. |
143 | TCP | IMAP4 | Same issues as with HTTP. Only the default port is available for FE/BE communication. |
53 | TCP | DNS | The FE servers must be able to resolve the names of internal systems into their corresponding IP addresses, otherwise, communication with BE servers cannot take place. |
53 | UDP | DNS | Ideally, the FE servers can access an internal DNS server through the inner firewall to locate DCs and GCs and obtain all required IP addresses. If this is not possible, you need to specify the GCs in DSAccess Registry keys, as explained later. You also need to specify the IP addresses of all Exchange 2000 servers, DCs, and GC servers in the FE servers’ HOSTS file. Make sure that this information is always updated. Name resolution mechanisms are discussed in Chapter 3, "Assessing the Current Network Environment." |
389 3268 88 88 | TCP TCP TCP UDP | Active Directory (DC) Active Directory (GC) Kerberos authentication | FE machines must belong to the same organization as the BE servers and must authenticate themselves using their local system account to successfully communicate with the Active Directory service. Exchange 2000 Server performs this authentication via Kerberos, which is the native BE servers and must authenticate themselves using their local system account to successfully communicate with the Active Directory service. Exchange 2000 Server performs this authentication via Kerberos, which is the native authentication protocol of Windows 2000 Server. |
135 445 1024+ | TCP TCP TCP | RPC endpoint mapper Netlogon Dynamically assigned ports | To authenticate users, FE servers must be able to locate DCs and communicate with Active Directory via RPCs. RPC- based communication, however, uses dynamic port mappings by default. To determine the required endpoint, the FE server contacts the RPC endpoint mapper on the DC at the well-known TCP port 135, which returns the desired information. The RPC-based communication with Active Directory can then take place. Dynamic ports are difficult to handle in packet filters. Fortunately, you can configure a static TCP port for Active Directory. Use the Registry Editor to add a DWORD value called TCP/IP Port to the following location and define the desired port number in decimal format (if possible, assign a port number higher than 5000, because the system itself prefers to use the ports from 1024 to 5000 for dynamic assignments): HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NTDS \Parameters |
Note
Cautious administrators might refuse to allow communication to the RPC endpoint mapper (TCP port 135) through the inner firewall because this might provide an avenue for denial-of-service attacks. However, if TCP port 135 is blocked, the FE server cannot communicate with Active Directory to authenticate users. Fortunately, it is easy to address this issue on the FE server. Disable any authentication mechanisms in the protocol virtual servers and enable anonymous access. This is not a security problem because the FE server does not contain any data and the BE server performs the authentication in any case. The user is unknown to the FE system, which prevents implicit Uniform Resource Locators (URLs) from working in OWA, but access to mailboxes is possible using explicit URLs. Access to public folders does work as discussed for alternate public folder hierarchies in Chapter 8, "Designing Hosted Services with Microsoft Exchange 2000 Server."
Note
More complicated is the DNS access situation. Security policies may disallow systems in the DMZ access to internal DNS servers, but FE servers must query DNS for service (SRV) records to locate DCs and GCs. If TCP and UDP ports 53 are closed on the inner firewall, you must manually provide a list of servers and specify IP addresses in the HOSTS file, as mentioned earlier.
To specify a DC for retrieving configuration information, create (or open) the following Registry key on each FE server, and configure a REG_SZ value called ConfigDCHostName as well as a REG_DWORD value called ConfigDCPortNumber. Set ConfigDCHostName to the fully qualified domain name (FQDN) of the host preceded by two backslashes, such as \\SRV-01-DC.adventure-works.com. Set the ConfigDCPortNumber value to 0x185. 0x185 is hexadecimal for 389, the TCP port number LDAP uses.
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \MSExchangeDSAccess \Instance0
To specify a GC for address book lookups, create (or open) the following Registry key, and configure a REG_SZ value called UserGC1 as well as two REG_DWORD values called PortNumber and IsGC. Set UserGC1 to the FQDN of the host preceded by two backslashes, such as \\SRV-01-GC.adventure-works.com. Set the PortNumber value to 0xCC4 and IsGC to 0x1 to identify the server as a GC.
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \MSExchangeDSAccess \Profiles \Default
Note
It is not possible to encrypt the communication between FE and BE servers using SSL. However, this does not mean that you cannot protect messages and data between the DMZ and the internal network. This might be required, for example, if inner network segments are considered insecure, in which case Microsoft recommends encrypting the communication using IPSec, provided that all servers are running Windows 2000 Server. Among other things, IPSec allows you to support RPC-based communication across the inner firewall without opening TCP port 135 for the RPC endpoint mapper.
IPSec is an Internet standard developed by the Internet Engineering Task Force (IETF) that defines two protocols for protection of data traffic. The first protocol, Authentication Headers (AH), provides authentication, integrity, and anti-replay protection. AH allows you to reliably authenticate computers and prevent tampering with data, but it doesn’t encrypt the information. The second protocol is Encapsulating Security Payload (ESP), which, as its name implies, encapsulates (and encrypts) the header information and the data included within the IP packets. When AH and ESP are combined, they provide authentication, integrity, and anti-replay protection, plus data encryption services. To secure the communication between the internal systems and the servers in the DMZ, you need to use ESP. The encapsulation of IP datagrams is transparent to the applications, such as the HTTP, IMAP4, or POP3 services. Applications are not aware of the encrypting and decrypting processes because it is handled within Windows 2000’s TCP/IP stack.
To enable IPSec, you need to apply security policies to the FE and BE servers by following these steps:
For BE servers, the Client (Respond Only) policy, included in Windows 2000 Server, is appropriate. Based on this policy, BE servers can respond to requests for IPSec communication from FE servers. Internal systems, such as MAPI-based clients, can continue to communicate with the BE servers in nonencrypted form (see Figure 9.8). On FE servers, on the other hand, you might want to use the Server (Request Security) policy, which stipulates that security is always requested for all IP traffic, but unsecured communication is allowed with systems that do not respond to the request. If this standard policy does not meet your requirements, use the IP Security Policy Management snap-in to create a custom IPSec policy. Microsoft provides a policy file specifically configured for FE servers, which you can download from Microsoft’s Web site (www.microsoft.com ). Search for the phrase "FEBE_SUP.EXE." You can read more about IPSec in the Windows 2000 Server product documentation.
Figure 9.8 - IPSec communication across the inner firewall
To support the communication between the DMZ and the internal network, allow the following IP protocols and UDP ports on the inner firewall:
Note
Recall that MAPI-based clients cannot benefit from FE/BE arrangements and always require direct connectivity to the mailbox and public folder servers. This is a problem if you want to support Outlook users over the Internet. Among other things, you would have to expose the BE servers to the public network by opening the TCP ports for RPC-based communication (that is, TCP port 135 and TCP ports 1024+) on both the inner and outer firewalls. Bear in mind that MAPI-based clients need direct RPC connectivity to a mailbox server and public folder servers and also to the GC.
To at least avoid opening all client ports (1024+), you can assign Active Directory and the Information Store static TCP ports. This was already explained for Active Directory. To assign the Information Store a static port, open the following key, add the TCP/IP Port DWORD value (note that there is a space between TCP/IP and Port), and specify a desired port number in decimal format (use a port number higher than 5000):
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \MSExchangeIS \ParametersSystem
You have to restart the Information Store for the changes to take effect.
Generally, organizations do not support MAPI-based communication through firewalls. Alternatives are the deployment of VPNs to support MAPI-based clients from remote locations, use of Terminal Services clients, or both. VPN connections provide a sufficient level of security without TCP port restrictions. Terminal Services clients, on the other hand, only need to communicate via TCP port 3389 with a Terminal Server.
Figure 9.9 shows an example of a combined VPN, Terminal Services, and Outlook 2000 solution. The user connects to the VPN server via PPTP, and when the VPN connection is established, he or she can connect to the Terminal Server. The user then launches Outlook 2000 on the Terminal Server and can access the mailbox server via the IPSec tunnel through the inner firewall.
Figure 9.9 - Supporting MAPI-based clients by means of VPNs and Terminal Services
Wide World Importers, introduced in Chapter 1, is a fictitious international corporation with headquarters in New York and 400 offices and agencies in 60 countries. Wide World Importers is one of the world’s leading steel importers, with 45,000 employees. The company has successfully upgraded all messaging systems in New York to Exchange 2000 Server and is now evaluating ways to provide mobile users, such as sales representatives, with a reliable and secure solution for remote access. "Our mobile users usually work with Outlook 2000 or Microsoft Outlook XP, but we also want to support Outlook Web Access over the Internet," says Barbara Hoffman, Senior Manager of the Information Systems Department. "This will allow our sales representatives to access information everywhere, such as on a kiosk computer in an airport, or on their cellular phones using the Microsoft Mobile Explorer Micro Browser. I have asked Peter Waxman, Head of Communications Technology, to design a secure solution for us."
Waxman suggested the following strategy to secure the New York Internet access point of Wide World Importers:
In this activity, you will decide how to implement secure Internet access points for two companies that plan to provide flexible access to Exchange 2000 resources. The companies are Northwind Traders and Proseware, Inc., introduced in Chapter 8, "Designing Hosted Services with Microsoft Exchange 2000 Server."
Tip
Northwind Traders has deployed Exchange 2000 Server in its data center in Los Angeles, California, and has configured numerous virtual messaging organizations for its trading centers all over the United States. Internally, the users in the data center work with Outlook XP. The trading centers, on the other hand, use only OWA for messaging. To support the users in each trading center, Northwind Traders has installed several FE servers in a load-balancing cluster and configured a separate HTTP virtual server for each virtual organization. Each trading center has its own Internet domain, which the data center has officially registered with the Internet authorities.
"Among other things, we have created virtual organizations to cut costs," says Mark Harrington, Head of Information Technology. "We cannot exceed the budget with an ambitious arrangement of firewalls. I don’t think Northwind Traders is an attractive target for Internet criminals."
It is your task to outline an appropriate firewall configuration for Northwind Traders:
Proseware, Inc. has installed 28 FE servers to support more than 350,000 private OWA users. According to Guy Gilbert, Head of IT Operations, security is a paramount goal at Proseware. "We have deployed a sophisticated infrastructure of firewalls to protect our front-end servers," he says. "The question is not how to provide access to these systems from the Internet. We use SSL and allow communication to the front-end servers only through TCP port 443. The question is how to achieve a secure communication to the back-end servers. We do not plan to support IPSec on the inner firewall, do not want to allow access to internal DNS servers, and by no means want to open port 135 on the firewalls to our internal network."
It is your task to outline an appropriate FE/BE communication strategy for Proseware, Inc.:
If you plan to connect an Exchange 2000 Server organization to the Internet, you have to manage a significant level of security risk, which requires you to deploy an infrastructure of firewalls. Firewalls and encryption technology are essential elements in securing communication over the Internet.
For optimal protection, establish a DMZ between the Internet and your internal network. At a minimum, this requires a firewall with three network cards. A more secure solution would include two or more dissimilar firewalls. You should only allow communication from the Internet to the systems in the DMZ, not to the internal systems. FE servers should be located in the DMZ. To provide adequate security, encrypt the communication over the Internet. Otherwise, user accounts, passwords, and messages are transmitted in clear text. If you do not want to enable SSL encryption, use a VPN or IPSec.
Configuration of the inner firewall is more complex because you need to ensure that the FE server can communicate with all required systems in the internal network. Depending on the configuration, FE servers may have contact with internal DNS servers, BE servers, DCs, and GCs. If internal DNS information is unavailable, you need to register a list of DCs and GCs as well as the IP addresses of all relevant servers manually on the FE servers. Furthermore, if FE servers are supposed to authenticate Internet users, RPC-based communication with Active Directory must work. If you cannot open the required ports on the inner firewall, disable the authentication or enable IPSec on the FE and internal servers and open the inner firewall for IPSec-encapsulated IP frames.