Re: Ex2K3 access through firewall
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 27 Jun 2005 10:26:42 -0400
In news:1FF1E888-9D29-4307-A202-5ACE5ABAEC10@xxxxxxxxxxxxx,
Mike Lawson <MikeLawson@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
> Would I be understanding this correctly if I say, 'it is physically
> impossible to connect a OL2K client running on W2K through a firewall
> to Ex2K3 running on W2K3 sitting on the DMZ'. If this statement is
> not true then there must be a list of ports that are required to be
> open to allow this.
Of course it's possible. It's just silly. It's no longer a DMZ if you open
up all those ports. Exchange does not belong in a DMZ. AD does not belong in
a DMZ (unless that's the only place it lives). That isn't what a DMZ is for.
>
> As for avoiding PST files; if the client uses OWA as a workaround for
> the Ex2K3 on the DMZ issue, how does he get an email out of his inbox
> to a public folder only he has access to? I tried it and got an error
> message in OWA - "Moving or copying items between Exchange servers is
> not supported".
How did you try it? I've never done this, so I'm not sure you can do it. OWA
isn't 100% like Outlook. It's just a lot better than it used to be (esp. in
E2003).
>
> VPN might be a good answer except this adds more steps that the end
> user has to perform and potential for problems when the user doesn't
> do something in the right order, etc. "I don't know. It just doesn't
> work. I did just what you said. Etc."
OK, so they can learn or use OWA, or you can get them a Blackberry, or they
can accept not getting mail access when out of the office. There's a learning
curve for everything.
You can allow VPN access only from locked down corporate laptops which you
know how to support.
Or you can set up E2003 for RPC/HTTP, and then tell everyone they'll need
WinXP SP1/SP2 and OL2003 if they want to connect using Outlook at all.
>
> I need to keep the off site user the same as it is now. Bottom line -
> it is physically possible or not? If it is then what are the port
> numbers?
You already posted the KB article - that's all I know of. I don't do it, I
won't do it, and I don't recommend it. You are going to invite a heap o'
trouble onto your network. Sorry.
>
> Sorry/Thanks, Mike Lawson
>
> "Lanwench [MVP - Exchange]" wrote:
>
>>
>>
>> In news:DF21BE0F-6B7D-4F60-98FF-F357B44EBED9@xxxxxxxxxxxxx,
>> Mike Lawson <MikeLawson@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
>>> I understand, but I have W2K and WXP clients on the WAN side using
>>> Outlook 2K, XP, & 2K3. If RPC over HTTP only works with the
>>> E2K3/OL2K3/WXP combo; what is to be done with clients that don't use
>>> this combination?
>>
>> VPN, OWA.
>>
>>> If I put the Ex2K3 server either on the LAN or DMZ
>>> I still have to open ports for the non-RPC over HTTP users to get to
>>> Ex2K3.
>>
>> Yes, but your Exchange server does not belong in a DMZ. You have to
>> open up too many ports between DMZ and LAN to make it work - so you
>> don't even have a DMZ anymore.
>>
>>> OWA doesn't look like a possibility since many of these same
>>> users archive data to .pst files which aren't accessible via OWA.
>>
>> Not a good idea anyway. Avoid PST files. If the data is important, it
>> belongs in the mailbox - or perhaps in an archive folder you set up
>> for them in the PF tree.
>>
>>>
>>> And since every user doesn't have a high speed connection VPN would
>>> be a dog for connectivity. There has got to be a reasonable
>>> alternative.
>>
>> POP or IMAP....but I don't recommend it; they don't get the full
>> mailbox, GAL, PFs, etc. If they don't all have broadband, and can't
>> get it, it's just not going to be fun for them, no matter what.
>> OL2003 in cached mode makes life a lot easier regardless of how one
>> connects.
>>
>>> Thanks, Mike Lawson
>>>
>>> "Lanwench [MVP - Exchange]" wrote:
>>>
>>>>
>>>>
>>>> In news:F9110FA7-DB5B-4D38-95D0-1842CCF0821E@xxxxxxxxxxxxx,
>>>> Mike Lawson <MikeLawson@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
>>>>> Scenario: Ex2K3 on W2K3 on firewall DMZ. The users are wan and lan
>>>>> based. Clients use Outlook 2000, XP, & 2003 running on W2K or
>>>>> WinXP. Wan clients need access to Ex2K3 on DMZ.
>>>>>
>>>>> What ports do I need to open on the firewall in order for the
>>>>> various Outlook clients running on the two different OSs to have
>>>>> access to Ex2K3 in order to connect as Exchange corp clients? I've
>>>>> seen several similar posts that refer to documents on RPC over
>>>>> HTTP, but then the article says this is a WinXP feature ("RPC over
>>>>> HTTP on the client-side is a Windows XP feature"); so this config
>>>>> would not help the W2K OS clients.
>>>>>
>>>>> Thanks, Mike Lawson
>>>>
>>>> VPN, or RPC over HTTP (which works with E2003 and OL2003 on WinXP
>>>> SP1/SP2 only).
>>>>
>>>> Don't just open ports. Seriously. Also, I do not recommend that you
>>>> have your Exchange server in a DMZ....you're defeating the purpose
>>>> of a DMZ by doing this. Stick the server behind the firewall and
>>>> control access to it therein.
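To make the "you don't even have a DMZ anymore" argument concrete, here is an added illustration that is not part of the thread: it models the two designs being debated as firewall rule sets and counts what each one has to open. The port numbers (TCP 135 for the RPC endpoint mapper, a 1024-65535 dynamic RPC range when no static ports are configured, and the usual LDAP/GC/Kerberos/DNS/SMB ports an Exchange 2003 server needs to reach a domain controller) are this example's own assumptions drawn from general Exchange/AD documentation, not figures the posters give, and the host names are invented.

```python
"""Compare the firewall surface of two Outlook-access designs.

Added example; not code from the thread. Port assignments are the
example's assumptions (standard Exchange 2003 / Active Directory ports),
and the host labels (dmz-exch, lan-dc, lan-rpcproxy) are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permit rule: src zone/host -> dst host, protocol, inclusive port range."""
    src: str
    dst: str
    proto: str
    lo: int
    hi: int
    why: str


# Design A: Exchange 2003 in the DMZ, Outlook speaking MAPI/RPC through the
# firewall. Outlook first contacts the RPC endpoint mapper (TCP 135) and is
# then redirected to a dynamically assigned port; without static port
# registry settings that port can be anywhere above 1024 (assumed range).
DESIGN_A = [
    Rule("internet", "dmz-exch", "tcp", 135, 135, "RPC endpoint mapper"),
    Rule("internet", "dmz-exch", "tcp", 1024, 65535, "dynamic RPC ports (store, NSPI)"),
    # Exchange in the DMZ still has to talk to AD on the LAN, so the
    # DMZ-to-LAN boundary has to be punched through as well.
    Rule("dmz-exch", "lan-dc", "tcp", 135, 135, "RPC endpoint mapper to DC"),
    Rule("dmz-exch", "lan-dc", "tcp", 1024, 65535, "dynamic RPC to DC"),
    Rule("dmz-exch", "lan-dc", "tcp", 389, 389, "LDAP"),
    Rule("dmz-exch", "lan-dc", "tcp", 3268, 3268, "Global Catalog"),
    Rule("dmz-exch", "lan-dc", "tcp", 88, 88, "Kerberos"),
    Rule("dmz-exch", "lan-dc", "udp", 53, 53, "DNS"),
    Rule("dmz-exch", "lan-dc", "tcp", 445, 445, "SMB (SYSVOL / policy)"),
]

# Design B: Exchange stays on the LAN; remote Outlook 2003 clients use
# RPC over HTTP (and everyone can use OWA) over a single HTTPS listener.
DESIGN_B = [
    Rule("internet", "lan-rpcproxy", "tcp", 443, 443, "HTTPS (RPC over HTTP, OWA)"),
]


def exposed_ports(rules, src, dst, proto="tcp"):
    """Count distinct destination ports reachable from src to dst over proto."""
    ports = set()
    for r in rules:
        if r.src == src and r.dst == dst and r.proto == proto:
            ports.update(range(r.lo, r.hi + 1))
    return len(ports)


def dmz_to_lan_rules(rules):
    """Rules that let a DMZ host initiate traffic into the LAN: each one is a
    hole in the boundary the DMZ was supposed to provide."""
    return [r for r in rules if r.src.startswith("dmz-") and r.dst.startswith("lan-")]


def summarize(rules, edge_dst):
    """Small report used by the stand-alone run below."""
    return {
        "internet_facing_tcp_ports": exposed_ports(rules, "internet", edge_dst),
        "dmz_to_lan_rules": [r.why for r in dmz_to_lan_rules(rules)],
    }


if __name__ == "__main__":
    print("Design A (Exchange in DMZ):", summarize(DESIGN_A, "dmz-exch"))
    print("Design B (RPC over HTTP):  ", summarize(DESIGN_B, "lan-rpcproxy"))
```

Run stand-alone, the report shows design A opening roughly 64,500 TCP ports from the Internet to the DMZ host plus seven DMZ-to-LAN rules (two of them the same endpoint-mapper-plus-dynamic-range pattern again), against one port and no DMZ-to-LAN rules for design B. Restricting the RPC ports with static port settings shrinks the first number but does nothing about the AD dependency, which is the poster's real objection.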