Re: Exch2003 front-end questions
From: Thomas W Shinder [MVP] (tshinder_at_hotmail.com)
Date: 12/06/04
- Next message: A P: "Best Detection Tool Against Spyware"
- Previous message: Thomas W Shinder [MVP]: "Re: ISA 2004 Network Config"
- In reply to: Marlon Brown: "Re: Exch2003 front-end questions"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 5 Dec 2004 18:11:18 -0600
Hi Marlon,
The ISA/Exchange Kit docs have all you need to know about putting the FE in
a DMZ.
HTH,
--
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:e1p4G7u1EHA.3324@tk2msftngp13.phx.gbl...
: I think the article confirms that. Never mind.
:
: Basic Protocols
: In all cases, all the supported protocol ports must be open on the inner
: firewall. The SSL ports do not need to be open because SSL is not used in
: communication between the front-end server and the back-end servers. Table 3
: lists the ports required for the intranet firewall. These ports are specific
: to inbound traffic (from the front-end server to the back-end servers).
:
: Table 3 Protocol ports required for the intranet firewall
: Intranet Firewall-Mail Protocols
:
:   Port number/transport   Protocol
:   80/TCP inbound          HTTP
:   143/TCP inbound         IMAP
:   110/TCP inbound         POP
:   25/TCP inbound          SMTP
:   691/TCP                 Link State Algorithm routing
:
: Note
: In Table 3, "Inbound" means that the firewall should be configured to allow
: computers in the perimeter network, such as the advanced firewall server, to
: initiate connections to the front-end server on the corporate network. The
: front-end server never has to initiate connections to the computers in the
: perimeter network; the front-end server only responds to connections
: initiated by the computers in the perimeter network.
:
: Active Directory Communication
: To communicate with Active Directory, the Exchange front-end server requires
: LDAP ports to be open. Both TCP and UDP are required: Windows on the
: front-end server will send a 389/UDP LDAP request to a domain controller to
: check if it is available for use; the LDAP traffic after that uses TCP.
: Windows Kerberos authentication is also used; therefore, the Kerberos ports
: must also be open. Both TCP and UDP are required for Kerberos as well:
: Windows uses UDP/88 by default, but when the data is larger than the maximum
: packet size for UDP, it uses TCP. Table 4 lists the ports required for
: communicating with Active Directory.
:
: Table 4 Ports required for Active Directory communication and Kerberos
: Intranet Firewall-Active Directory Communication
:
:   Port number/transport   Protocol
:   389/TCP                 LDAP to Directory Service
:   389/UDP
:   3268/TCP                LDAP to Global Catalog Server
:   88/TCP                  Kerberos authentication
:   88/UDP
:
: There are two sets of optional ports that can be opened in the firewall. The
: decision to open them depends on the policies of the corporation. Each
: decision involves tradeoffs in the areas of security, ease of
: administration, and functionality.
:
: Domain Name Service (DNS)
: The front-end server needs access to a DNS server to correctly look up
: server names (for example, to convert server names to IP addresses). Table 5
: lists the ports required for access.
:
: If you do not want to open these ports, you must install a DNS server on the
: front-end server and enter the appropriate name to IP mappings for all of
: the servers it might need to contact. If you choose to install a DNS server,
: be sure to keep these mappings up-to-date when changes are made to the
: organization.
:
: Table 5 Ports required for access to DNS server
: Intranet Firewall-DNS
:
:   Port number/transport   Protocol
:   53/TCP                  DNS Lookup
:   53/UDP
:
: Note
: Most services use UDP for DNS lookups and only use TCP when the query is
: larger than the maximum packet size. The Exchange SMTP service, however,
: uses TCP by default for DNS lookups. For more information, see Microsoft
: Knowledge Base article 263237, "XCON: Windows 2000 and Exchange 2000 SMTP
: Use TCP DNS Queries"
: (http://go.microsoft.com/fwlink/?LinkID=3052&kbID=263237).
:
: IPSec
: Table 6 lists the requirements for allowing IPSec traffic across the
: intranet firewall. You only need to allow the port that applies to the
: protocol you configure; for example, if you choose to use ESP, it is only
: necessary to allow IP protocol 50 across the firewall.
:
: Table 6 Ports required for IPSec
: Intranet Firewall-IPSec
:
:   Port number/transport   Protocol
:   IP protocol 51          Authentication Header (AH)
:   IP protocol 50          Encapsulating Security Payload (ESP)
:   500/UDP                 Internet Key Exchange (IKE)
:   88/TCP                  Kerberos ()
:   88/UDP
:
: Remote Procedure Calls (RPCs)
: DSAccess no longer uses RPCs to perform Active Directory service discovery.
: However, if your front-end server is configured to authenticate requests,
: IIS must still have RPC access to Active Directory in order to authenticate
: the requests. Therefore, you must open the RPC ports that are listed in
: Table
:
: "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
: news:e2jv1dl1EHA.1300@TK2MSFTNGP14.phx.gbl...
: > I had a network security folk today that told me something that I am not
: > sure if it is correct and I would like to confirm:
: >
: > Imagine you have an OWA 2003 (front-end) server in the DMZ. As far as I
: > know, in order to allow the communication from the OWA 2003 to the back-end
: > Exchange 2003 servers (that are in the internal network), I would need to
: > open ports 3268, 389 and 53.
: >
: > Then the network security guy is saying that on Exchange 2003, the
: > front-end configuration with the OWA in the DMZ shouldn't require such need
: > to open the ports to allow communication to the internal back-end servers.
: > He said that should be the case only in Exchange 2000. I think that is
: > incorrect, but I would like to confirm that to make sure.
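The port tables Marlon quoted (Tables 3 through 6) amount to a checklist, and the original question was whether opening only 3268, 389 and 53 on the inner firewall is enough. The script below is an added example, not code from this thread, from Microsoft's documentation or from the ISA/Exchange Kit: it encodes the quoted tables as data and reports which required rules a proposed rule set is missing, honouring the two optional sets the article describes (DNS can be skipped when the front-end runs its own DNS; for IPSec only the configured protocol, AH or ESP, plus IKE is needed). The `Rule` type, the constants and the proposed rule set are this example's own constructions; the question names no transports, so 53 is taken as TCP and UDP and the LDAP ports as TCP only.

```python
"""Gap check for an intranet-firewall rule set against the Exchange 2003
front-end -> back-end requirements quoted above (Tables 3-6).

Added example; not code from the thread, from Microsoft, or from the
ISA/Exchange Kit. The Rule type, the table constants and the proposed
rule set at the bottom are this example's own constructions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule. proto is "tcp", "udp", or "ip" for a raw
    IP protocol (AH/ESP have no port; number is then the protocol number)."""
    proto: str
    number: int
    purpose: str = ""  # descriptive only; matching ignores it


# Table 3: mail protocols, front-end to back-end. No SSL ports, because the
# FE/BE leg is not SSL.
MAIL = {
    Rule("tcp", 80, "HTTP"),
    Rule("tcp", 143, "IMAP"),
    Rule("tcp", 110, "POP"),
    Rule("tcp", 25, "SMTP"),
    Rule("tcp", 691, "Link State Algorithm routing"),
}
# Table 4: Active Directory and Kerberos. 389/UDP is the DC availability
# probe; Kerberos starts on 88/UDP and falls back to 88/TCP for large data,
# so both transports are required.
DIRECTORY = {
    Rule("tcp", 389, "LDAP to Directory Service"),
    Rule("udp", 389, "LDAP DC availability check"),
    Rule("tcp", 3268, "LDAP to Global Catalog Server"),
    Rule("tcp", 88, "Kerberos authentication"),
    Rule("udp", 88, "Kerberos authentication"),
}
# Table 5: DNS. Optional only if a DNS server with static mappings runs on
# the front-end. The Exchange SMTP service queries over TCP by default.
DNS = {Rule("tcp", 53, "DNS Lookup"), Rule("udp", 53, "DNS Lookup")}
# Table 6: IPSec. Only the protocol actually configured (AH or ESP) is
# needed, plus IKE; the Kerberos entries are already covered by Table 4.
IPSEC = {"ah": Rule("ip", 51, "Authentication Header (AH)"),
         "esp": Rule("ip", 50, "Encapsulating Security Payload (ESP)")}
IKE = Rule("udp", 500, "Internet Key Exchange (IKE)")


def required_rules(local_dns=False, ipsec=None):
    """Required rule set for a given deployment choice.

    local_dns: True if the FE runs its own DNS (Table 5 skipped).
    ipsec:     None, "ah" or "esp"; selects the Table 6 entries to include.
    """
    required = set(MAIL) | set(DIRECTORY)
    if not local_dns:
        required |= DNS
    if ipsec is not None:
        required |= {IPSEC[ipsec], IKE}
    return required


def missing_rules(proposed, local_dns=False, ipsec=None):
    """Required rules absent from `proposed`, matched on (proto, number) only
    so the descriptive purpose text never affects the result."""
    have = {(r.proto, r.number) for r in proposed}
    gap = [r for r in required_rules(local_dns, ipsec)
           if (r.proto, r.number) not in have]
    return sorted(gap, key=lambda r: (r.proto, r.number))


def describe(rule):
    """Human-readable form, e.g. 'tcp/80 HTTP' or 'ip-proto 50 ESP'."""
    if rule.proto == "ip":
        return f"ip-proto {rule.number} {rule.purpose}".rstrip()
    return f"{rule.proto}/{rule.number} {rule.purpose}".rstrip()


if __name__ == "__main__":
    # Constructed from the original question: "open ports 3268, 389 and 53".
    proposed = {Rule("tcp", 3268), Rule("tcp", 389),
                Rule("tcp", 53), Rule("udp", 53)}
    for rule in missing_rules(proposed):
        print("missing:", describe(rule))
```

Run as-is, the script lists the eight rules the three-port answer leaves out: every Table 3 mail port, 389/UDP for the DC availability check, and 88/TCP plus 88/UDP for Kerberos. Pass `local_dns=True` or `ipsec="esp"` to `missing_rules` to model the optional sets the article describes.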