RE: Unhappy remote clients

  • From: "Jeff Bushberg" <jeff@xxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Sep 2003 06:53:55 -0700

One quick question.
If I am publishing an Exchange server through ISA, does the Exchange
gateway have to be the LAN port of the ISA server? Or can I simply
use the route add command to route to the WAN subnet of the ISA server?

Don't forget fries and a coke (:

Thanks again, Jeff



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, September 15, 2003 10:28 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients


http://www.MSExchange.org/

Hi Jeff,

Thanks! I'm finishing up on the Outlook 2000 client article and it
should be done sometime tonight or early tomorrow morning. I'll post the
link on this mailing list when it's ready.

I'll have a cheeseburger for lunch :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Tuesday, September 16, 2003 12:26 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Thanks for your help, I bought your book, have lunch on me

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, September 15, 2003 10:04 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hi Jeff,

To make things completely transparent to those users, you'll need a
split DNS. However, there's no problem using the DNS server at your ISP
to provide the public DNS support.

For example, you configure the client to use mail.domain.com as its
Exchange Server. When the Outlook client is connected to an external
network, mail.domain.com resolves to the external address on the ISA
firewall that you've used in your secure Exchange RPC Publishing rule.
When the Outlook client is connected to the internal network,
mail.domain.com resolves to the address the Exchange Server uses on the
internal network. 

The example shows the advantages of using the same name for public and
private resources. This allows complete transparency for machines that
move between the private network and remote locations. If you don't use
the same domain name for internal and externally accessible resources,
your users have to reconfigure their clients depending on their
location, and you know how unfun that can be :-)

I'm finishing up an article today on how to configure the Outlook 2000
client. I'll post it to the list tonight.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
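
An added example, not part of the original message: a small Python check of the split DNS arrangement described above, where mail.domain.com must answer with the firewall's external address for outside clients and the Exchange Server's internal address for inside clients. All addresses, the 10.0.0.0/24 internal range and the www/dc1 host names are constructed assumptions.

```python
import ipaddress

# Constructed sample records (not from the thread). mail.domain.com is the name
# used in the message; every address and the other host names are assumptions.
EXTERNAL_ZONE = {                       # public zone, e.g. hosted at the ISP
    "mail.domain.com": "203.0.113.10",  # external address on the ISA firewall
    "www.domain.com": "203.0.113.20",
}
INTERNAL_ZONE = {                       # zone served only to the internal network
    "mail.domain.com": "10.0.0.5",      # Exchange Server's internal address
    "www.domain.com": "10.0.0.6",
    "dc1.domain.com": "10.0.0.2",       # internal-only host, never published
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve(name, location, external=EXTERNAL_ZONE, internal=INTERNAL_ZONE):
    """Answer a client at 'internal' or 'external' location would receive."""
    zone = internal if location == "internal" else external
    return zone.get(name)


def audit_split_dns(roaming_names, external=EXTERNAL_ZONE, internal=INTERNAL_ZONE):
    """Return (name, problem) pairs that would break roaming clients or
    expose internal addressing in the public zone."""
    findings = []
    for name in roaming_names:
        ext, inn = external.get(name), internal.get(name)
        if ext is None:
            findings.append((name, "not in external zone"))
        if inn is None:
            findings.append((name, "not in internal zone"))
        elif not is_internal(inn):
            findings.append((name, "internal zone answer is not an internal address"))
    # Any internal address in the public zone is both unreachable and a leak.
    for name, addr in sorted(external.items()):
        if is_internal(addr):
            findings.append((name, "external zone exposes internal address"))
    return findings


if __name__ == "__main__":
    for where in ("external", "internal"):
        print(where, "->", resolve("mail.domain.com", where))
    print(audit_split_dns(["mail.domain.com"]) or "split DNS is consistent")
```
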

 


-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 11:57 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hello Tom

Most of my clients are Outlook 2000. Do I need to have an external DNS
server? Or can I use regular ISP DNS servers? Or can I map with Lmhosts?

Thanks for all the suggestions !

Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 14, 2003 8:40 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hi Jeff,

No Protocol Rules required. The ISA firewall will dynamically open
outbound filters to allow the Exchange Server to respond to the incoming
requests.

Another thing to keep in mind is that not only does the RPC publishing
rule allow for temporary and exclusive opening of the required ports, it
also enforces valid Exchange RPC commands. The RPC worms out there can
try as much as they like, but they won't be able to touch your Exchange
Server through the RPC publishing rule, because the filter whacks 'em.

When packet filtering is enabled, the ISA firewall does not allow
connections to ports that you don't explicitly allow inbound access to.
I get thousands of hits a day from port probers and the like, but they
only access what I've allowed inbound access to. Of course, you have to
harden the servers that you allow inbound access to, but they need to be
hardened anyhow, because the majority of hacks take place from hosts
that are already behind the firewall.

For RPC publishing, make sure your public DNS supports the connections.
What version of Outlook are your external clients using?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 9:07 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hello Tom

So Exchange opens a lot of short-lived temporary ports in its
communication. So in setting up the ISA server: 1. Forward all traffic
from sonic to the ISA external interface 2. Publish the internal Exchange server

3. Do I need to configure outbound RPC protocol rules?

Also, have you successfully blocked hackers with one ISA server? Also,
what reports have you found to be useful?

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 14, 2003 4:21 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hi Jeff,

Actually, you bring up a good point. If you have an ISA in front of the
ISA, then you would have a nice two layers of protection, and then you
could provide limited inbound Exchange RPC from the external ISA to the
internal ISA. The problem is that sonicwall doesn't have an intelligent
RPC filter, so there's no secure way to forward a limited number of
ports because of the ephemeral ports required by RPC. The RPC filter on
ISA manages the connections, allows only valid commands, and only opens
ports on an "as needed" or stateful basis.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 4:59 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



If you open all ports and forward all traffic to the ISA server, isn't that
opening up possible exploits against the ISA server? Wouldn't it be better
to forward all necessary port traffic to the ISA server? Also, I have been
looking for a better firewall, one that analyzes at layer 7 and has reports
that are easy to track unapproved traffic and has alert notification.
In fact, that is why I am now testing ISA server.

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 14, 2003 10:22 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hi Jeff,

Sonicwall can't provide secure Exchange RPC access for your remote
Outlook clients. For a secure setup, you need to forward all traffic to
the ISA firewall and allow ISA to do the firewalling. Sonicwall is just
a traditional packet filtering NAT router and can't provide the layer 7
intelligence required to secure the Outlook/Exchange RPC transactions
properly.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 10:40 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



I have been testing ISA server. Do you have to open any other ports?
Also, I am behind a sonicwall firewall, so I will NAT or forward ports to
the ISA server WAN interface. But are there any other points for
configuration I should consider? I saw the wizard that connects the ISA
server to Exchange; is there any other ISA server configuration?

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Saturday, September 13, 2003 11:32 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients



Hi Jeff,

I've enabled ISA Server secure Exchange RPC publishing for several city
and county govts, and it works a treat. The only issue is getting the
ISPs to open TCP 135, but that's getting to be less of a problem now
that the worm hysteria is settling down.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Saturday, September 13, 2003 10:48 AM
To: [ExchangeList]
Subject: [exchangelist] Unhappy remote clients



I have users that connect to Exchange remotely through VPN. I
have tried using OST files but notice when Exchange synchronizes the OST
file it takes too long, not fast enough for slow connections. I noticed
there are some settings in the 2002 Outlook client for send and receive
groups that may be useful. Was wondering if someone has a system for remote
access that works great with large email accounts. I know about OWA,
but my clients prefer using their normal Outlook interface. Is there a
way to connect to Exchange remotely without synchronizing and collect
only new email? I am using IMAP now but was hoping for a solution for
the Outlook Exchange client. Also, any suggestions on minimum bandwidth
requirements to implement successful remote VPN Exchange access?


Thanks for any help
Jeff






------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 ISA
Server Resource Site: http://www.isaserver.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
