Re: Exchange ports through firewall?



I take it there are too many ports to open if we use the full client method?


"Bharat Suneja [MSFT]" <bharat@xxxxxxxxxxxxxxxxxxxx> wrote in message news:OIbQD4V0IHA.3884@xxxxxxxxxxxxxxxxxxxxxxx
- Registry entries can be pushed using GPOs. Take a look at:
Using Administrative Template Files with Registry-Based Group Policy
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

- Security does come at a cost... in this case if you want to provide clients RPC/MAPI access across a firewall, you can restrict clients and server to a narrower range of ports, or alternatively open a lot more ports on the firewall.
- Again, it's not a recommended deployment - I would consider RPC over HTTP(S)/Outlook Anywhere.
--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
------------------------------------------


"Cyborg" <apollo13@xxxxxxxxxxxxxx> wrote in message news:313FBA31-E881-42C9-A002-CD74A0317E75@xxxxxxxxxxxxxxxx
Can this be changed for 1000s of PCs easily though?


"Bharat Suneja [MSFT]" <bharat@xxxxxxxxxxxxxxxxxxxx> wrote in message news:%23TGklQV0IHA.416@xxxxxxxxxxxxxxxxxxxxxxx
- One alternative is to use Outlook Anywhere (RPC over HTTP in Exchange 2003) and restrict client connections to a single port (HTTPS).
- The following KBA and others listed in its References section have the information you're looking for about Outlook/MAPI client connectivity to Exchange:
Exchange Server static port mappings
http://support.microsoft.com/kb/270836
--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
------------------------------------------


"Cyborg" <apollo13@xxxxxxxxxxxxxx> wrote in message news:D15A7EDA-ACD5-4AD5-81E6-B91DD58AB7C8@xxxxxxxxxxxxxxxx
Well, I would like that, but when you have 1000s of users and LAN users are some of the biggest threats, it's a good idea. Plus Cisco firewalls have IPS to stop worms/viruses etc., and this design was recommended by a huge IT consultancy company.

I've left it at an IP any any rule, so it's as if there is no firewall, but at least the IPS is picking up the "interested" traffic.

I've managed to do all the other servers like the DCs, file servers etc.; just Exchange is a pain.


"RobM" <roke-it@xxxxxxxxxxxxxxxx> wrote in message news:585E482A-C147-4BA5-B480-72BEEE174ABD@xxxxxxxxxxxxxxxx
You're making life very difficult for yourself (and not really achieving much
in the way of security) - Windows authentication, file access, Exchange
access will require RPC, which is not really firewall friendly. Put a good,
properly configured firewall on your perimeter, and don't complicate things
by putting them where they're not really going to do much good.

"Cyborg" wrote:

Hi,

All our servers are on their own subnet, however there will be a firewall
installed between the servers subnet and the LAN users. Can someone list
the UDP/TCP required and whether inbound or outbound to and from the LAN?

I can only think inbound from LAN to the server subnet need to be opened?

Thanks





