The Message Application Programming Interface (MAPI) has traditionally been used for communications between the client and an Exchange server. This type of traffic is highly functional, but can pose a security threat to an Exchange server because it requires the use of the dangerous Remote Procedure Call (RPC) protocol, which has become notorious through recent exploits that take advantage of the open nature of the RPC protocol to take over services on poorly coded services.
In the past, organizations have been handcuffed by the fact that blocking RPC requires blocking a huge range of ports (all dynamic ports from 1024 to 65,536, plus others) because of the dynamic nature in which RPC works. Blocking RPC access to an Exchange server was not feasible either. This type of block would also block client access through MAPI, effectively crippling email access to an Exchange server.
ISA Server 2004 greatly simplifies and secures this process through its capability to filter RPC traffic for specific services, dynamically opening only those ports that are negotiated for use with MAPI access itself. This greatly limits the types of exploits that can take advantage of an Exchange server that is protected with MAPI filtering techniques.
Configuring MAPI RPC Filtering Rules
To configure an ISA Server to filter and allow only MAPI access across particular network segments, use the following technique:
To set up more advanced MAPI filtering, examine the Traffic tab of the rule that was created and click on Filtering, Configure Exchange RPC and/or the Properties buttons, and finally choosing the Interface tab. Advanced settings, such as which UUIDs to allow, can be found here, as shown in Figure 13.19.
Figure 13.19. Examining advanced MAPI filtering.
Deploying MAPI Filtering Across Network Segments
Where MAPI filtering really shines is in scenarios where the ISA Server is used to protect a server's network from the clients network in an organization, similar to what is shown in Figure 13.20.
Figure 13.20. Isolating and securing an Exchange environment behind an internal ISA firewall.
In these scenarios, the ISA Server acts as an Exchange firewall, providing secured mail, OWA, POP, and any other necessary services to the ISA Server through a secured, Application-layer filtered environment. This type of deployment scenario is very useful for organizations that want to reduce the exposure to security threats faced from unruly or exploited clients. It allows for a great degree of control over what type of access to an Exchange environment can be set up.