Re: VPN access to Ex2k fails



Karsten Hoeller wrote:
The following ports are opened inbound and outbound for Exchange on the gateProtect firewall:

At the very least, port 135 is missing there - the RPC endpoint mapper. Have a look at the following webcast; it explains how this is done:


Support WebCast: Microsoft Exchange 2000 Server Connectivity Through a Firewall
http://support.microsoft.com/kb/324459/EN-US/

Quote: "First off, our MAPI client has to be able to talk to the end-point mapper. That's TCP port 135 on Exchange servers and domain controllers. The reason it needs to do this on domain controllers is with Exchange 2000, Outlook 98, Outlook 2000, and Outlook 2002, we're going to talk directly to a domain controller if we can, to poll directory information. It saves us from having to go to the Exchange server and having the Exchange server proxy. So we have to be able to get to TCP port 135.

The other piece is NSPI, or we called it Directory Service in Exchange 5.5; we kept it simple, Name Service Provider Interface is what NSPI stands for, and that's, once again, what we're going to use to talk to the directory. This is going to be on DCs and Exchange servers, whichever one the client decides to use. By default, RPC is a dynamic port protocol. It can talk over any ports. We want to give it this ability, just because it was handy when we were using it on LAN. When we start talking through firewalls, it's not as easy to use dynamic ports, just because we have to open up a huge range. This can be statically mapped on our domain controllers or Exchange servers. You're going to do it in the registry. We provided the KB article down at the bottom, "Exchange 2000 Static Port Mappings," Q270836. This is going to discuss any statically mapped ports we're going to need to set to get Exchange working through a firewall.

We have another port (slide 12). We have end-point mapper and directory. We're going to have to talk to the Information Store, though. We're going to have to get our mailbox and public folder data. This port is only going to have to be statically mapped on Exchange 2000 servers, our mailbox, and public folder servers. Keep in mind, we're going to want to do this on every mailbox and public folder server. Mailboxes aren't as important. Public folder servers are very important because a client may have to get data from some remote public folder server. We're going to need to have that statically mapped.

The last topic here is push notification. In the past with push notification, it was new mail notification. This is when you get the bold item in your inbox, and when you get the little message down at the bottom of your screen that says, "You have new mail." What we've done in the past is we've used the UDP packet. The client registers a port with the socket and is going to have to give the IP address and a port. The server is going to send a little UDP packet to that client whenever new mail arrives. This poses an issue for firewalls, because what that means is, for an administrator, they have to open up UDP outbound over all ports. They can't keep it specific to a session because, in this case, the client doesn't establish a TCP session, it's a simple UDP connectionless packet that goes through the firewall from your Exchange server to the Internet.

This may not be a big concern if you're not concerned about protecting outbound communications, but this has become a concern. We have a KB article listed for Outlook 2002, Q305572; we can use push notification. That can also be done in Outlook 2000 as well as Outlook 2002. Once again, you have your link to the Exchange 2000 static port mappings for the Directory Service."

--
..:Daniel Melanchthon:.
Technology Advisor - Exchange Server
http://blogs.technet.com/dmelanchthon
This posting is provided "AS IS" with no warranties, and confers no rights.
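
An added example, not part of the original post or the webcast: a small Python audit that derives the TCP ports a MAPI client needs per server role, as the quote describes them, and lists what a firewall rule set fails to cover. Host names, the rule format and the static ports 5000/5001 are constructed placeholders; the UDP new-mail notification is not modelled.

```python
# Added example: firewall rule audit for MAPI-over-RPC, TCP side only.
EPMAP_PORT = 135  # RPC endpoint mapper, the port named in the post


def required_ports(roles, static_ports):
    """Service -> TCP port a MAPI client needs on one server (None = still dynamic)."""
    need = {"endpoint-mapper": EPMAP_PORT,      # Exchange servers and DCs
            "nspi": static_ports.get("nspi")}   # directory access, DCs and Exchange
    if roles & {"mailbox", "public_folder"}:    # Information Store only on these
        need["information-store"] = static_ports.get("store")
    return need


def allowed(rules, host, port):
    """True if any (host, low, high) rule admits tcp/port to host."""
    return any(h == host and lo <= port <= hi for h, lo, hi in rules)


def find_gaps(servers, rules):
    """List (server, service, problem) for every requirement the rules miss."""
    gaps = []
    for name in sorted(servers):
        roles, static_ports = servers[name]
        for service, port in sorted(required_ports(roles, static_ports).items()):
            if port is None:
                # Unpinned RPC service: no single narrow rule can cover it.
                gaps.append((name, service, "no static port set"))
            elif not allowed(rules, name, port):
                gaps.append((name, service, f"tcp/{port} not allowed"))
    return gaps


# Constructed inventory: names and ports 5000/5001 are placeholders.
SERVERS = {
    "dc1": ({"dc"}, {"nspi": 5000}),
    "ex1": ({"mailbox", "public_folder"}, {"nspi": 5000, "store": 5001}),
    "ex2": ({"public_folder"}, {"nspi": 5000}),  # store port never pinned
}
# Constructed rule set in the spirit of the thread: static ports open, 135 forgotten.
RULES = [("dc1", 5000, 5000), ("ex1", 5000, 5001),
         ("ex2", 135, 135), ("ex2", 5000, 5000)]

if __name__ == "__main__":
    for gap in find_gaps(SERVERS, RULES):
        print(*gap, sep=": ")
```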