Securing Exchange MAPI Access


The Messaging Application Programming Interface (MAPI) has traditionally been used for communications between the client and an Exchange server. This type of traffic is highly functional, but it can pose a security threat to an Exchange server because it requires the use of the dangerous Remote Procedure Call (RPC) protocol, which has become notorious through recent exploits that abuse the open nature of RPC to take over poorly coded services.

In the past, organizations have been handcuffed by the fact that blocking RPC requires blocking a huge range of ports (all dynamic ports from 1024 to 65,536, plus others), because of the dynamic way in which RPC allocates ports. Blocking RPC access to an Exchange server was not feasible either, because such a block would also block client access through MAPI, effectively crippling email access to the Exchange server.

ISA Server 2004 greatly simplifies and secures this process through its capability to filter RPC traffic for specific services, dynamically opening only those ports that are negotiated for use with MAPI access itself. This greatly limits the types of exploits that can take advantage of an Exchange server that is protected with MAPI filtering techniques.

Configuring MAPI RPC Filtering Rules

To configure an ISA Server to filter and allow only MAPI access across particular network segments, use the following technique:

1. From the ISA console, navigate to the Firewall Policy node in the console tree.

2. In the Tasks tab, click on the link for Publish a Mail Server.

3. Enter a name for the rule, such as MAPI Access from Clients Network, and click Next.

4. Select Client Access from the list of access types and click Next.

5. Check the box for Outlook (RPC), as shown in Figure 13.18, and click Next to continue.

Figure 13.18. Enabling a MAPI filtering rule.

6. Enter the IP address of the Exchange server that is to be published and click Next.

7. Select the networks on which the rule will listen for requests, and click Next to continue.

8. Click Finish, Apply, and OK.

To set up more advanced MAPI filtering, open the Traffic tab of the rule that was created, click Filtering, Configure Exchange RPC and/or the Properties button, and then choose the Interface tab. Advanced settings, such as which UUIDs to allow, are found here, as shown in Figure 13.19.

Figure 13.19. Examining advanced MAPI filtering.
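The behaviour described above (the endpoint mapper stays reachable, but a dynamic port is opened only after it has been negotiated for an allowed interface UUID) can be modelled in a few lines. The following is an added illustration, not code from the book or from ISA Server; the interface UUIDs, IP addresses and port numbers are constructed placeholders, and the real UUIDs are the ones listed on the rule's Interface tab.

```python
"""Toy model of stateful Exchange RPC filtering (added example, not ISA Server code).
UUIDs, addresses and ports below are constructed placeholders."""
from dataclasses import dataclass, field

EPM_PORT = 135  # RPC endpoint mapper; always reachable through the rule

# Constructed placeholder UUIDs standing in for the Exchange interfaces the rule allows.
ALLOWED_UUIDS = {
    "11111111-0000-0000-0000-000000000001",  # placeholder: mailbox store interface
    "11111111-0000-0000-0000-000000000002",  # placeholder: directory (NSPI) interface
}


@dataclass
class RpcFilter:
    allowed_uuids: set
    server_ip: str
    negotiated: dict = field(default_factory=dict)  # (client_ip, port) -> interface uuid

    def on_epm_reply(self, client_ip, uuid, port):
        """The endpoint mapper told client_ip which dynamic port serves `uuid`.
        Only ports negotiated for an allowed interface are opened, and only for that client."""
        if uuid in self.allowed_uuids and port > 1024:
            self.negotiated[(client_ip, port)] = uuid
            return True
        return False

    def decide(self, client_ip, dst_ip, dst_port):
        """Return 'allow' or 'deny' for a new TCP connection from client_ip."""
        if dst_ip != self.server_ip:
            return "deny"  # rule publishes one Exchange server only
        if dst_port == EPM_PORT:
            return "allow"  # endpoint mapper lookup is always permitted
        if (client_ip, dst_port) in self.negotiated:
            return "allow"  # port was negotiated for an allowed UUID by this client
        return "deny"  # rest of the dynamic range stays closed


def run_scenario():
    """Constructed walkthrough: one client negotiates a store port, others do not."""
    f = RpcFilter(ALLOWED_UUIDS, "10.0.0.5")
    results = {"epm": f.decide("10.1.0.7", "10.0.0.5", 135)}
    f.on_epm_reply("10.1.0.7", "11111111-0000-0000-0000-000000000001", 1600)
    results["store"] = f.decide("10.1.0.7", "10.0.0.5", 1600)
    results["stranger"] = f.decide("10.1.0.9", "10.0.0.5", 1600)  # did not negotiate
    f.on_epm_reply("10.1.0.7", "deadbeef-0000-0000-0000-000000000000", 1700)  # not Exchange
    results["other_svc"] = f.decide("10.1.0.7", "10.0.0.5", 1700)
    results["random"] = f.decide("10.1.0.7", "10.0.0.5", 4444)
    return results
```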


Deploying MAPI Filtering Across Network Segments

Where MAPI filtering really shines is in scenarios where the ISA Server is used to protect a server's network from the clients network in an organization, similar to what is shown in Figure 13.20.

Figure 13.20. Isolating and securing an Exchange environment behind an internal ISA firewall.


In these scenarios, the ISA Server acts as an Exchange firewall, providing secured mail, OWA, POP, and any other necessary services through the ISA Server's secured, Application-layer filtered environment. This type of deployment scenario is very useful for organizations that want to reduce their exposure to threats from unruly or exploited clients. It allows a great degree of control over what type of access to an Exchange environment can be set up.


Source: Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed, Michael Noel, 2005, ISBN 067232718X.