One quick question. If I am publishing an Exchange server through ISA, does the Exchange gateway have to be the LAN port of the ISA server? Or can I simply use the route add command to route to the WAN subnet of the ISA server?

Don't forget fries and a coke (:

Thanks again,
Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, September 15, 2003 10:28 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

http://www.MSExchange.org/

Hi Jeff,

Thanks! I'm finishing up on the Outlook 2000 client article and it should be done sometime tonight or early tomorrow morning. I'll post the link on this mailing list when it's ready.

I'll have a cheeseburger for lunch :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx]
Sent: Tuesday, September 16, 2003 12:26 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Thanks for your help. I bought your book, have lunch on me.

Thanks
Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, September 15, 2003 10:04 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hi Jeff,

To make things completely transparent to those users, you'll need a split DNS. However, there's no problem using the DNS server at your ISP to provide the public DNS support.

For example, you configure the client to use mail.domain.com as its Exchange Server. When the Outlook client is connected to an external network, mail.domain.com resolves to the external address on the ISA firewall that you've used in your secure Exchange RPC Publishing rule. When the Outlook client is connected to the internal network, mail.domain.com resolves to the address the Exchange Server uses on the internal network.

The example shows the advantages of using the same name for public and private resources. This allows complete transparency for machines that move between the private network and remote locations. If you don't use the same domain name for internal and externally accessible resources, your users have to reconfigure their clients depending on their location, and you know how unfun that can be :-)

I'm finishing up an article today on how to configure the Outlook 2000 client. I'll post it to the list tonight.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx]
Sent: Sunday, September 14, 2003 11:57 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hello Tom,

Most of my clients are Outlook 2000. Do I need to have an external DNS server? Or can I use regular ISP DNS servers? Or can I map with Lmhosts?

Thanks for all the suggestions!
Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 14, 2003 8:40 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hi Jeff,

No Protocol Rules required. The ISA firewall will dynamically open outbound filters to allow the Exchange Server to respond to the incoming requests.

Another thing to keep in mind is that not only does the RPC publishing rule allow for temporary and exclusive opening of the required ports, it also enforces valid Exchange RPC commands. The RPC worms out there can try as much as they like, but they won't be able to touch your Exchange Server through the RPC publishing rule, because the filter whacks 'em.

When packet filtering is enabled, the ISA firewall does not allow connections to ports that you don't explicitly allow inbound access to.
I get thousands of hits a day from port probers and the like, but they only access what I've allowed inbound access to. Of course, you have to harden the servers that you allow inbound access to, but they need to be hardened anyhow, because the majority of hacks take place from hosts that are already behind the firewall.

For RPC publishing, make sure your public DNS supports the connections. What version of Outlook are your external clients using?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx]
Sent: Sunday, September 14, 2003 9:07 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hello Tom,

So Exchange opens a lot of short-lived temporary ports in its communication. So in setting up the ISA server:

1. Forward all traffic from sonic to ISA external interface
2. Publish internal Exchange server
3. Do I need to configure outbound RPC protocol rules?

Also, have you successfully blocked hackers with one ISA server? Also, what reports have you found to be useful?

Thanks
Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 14, 2003 4:21 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hi Jeff,

Actually, you bring up a good point. If you have an ISA in front of the ISA, then you would have a nice two layers of protection, and then you could limit inbound Exchange RPC from the external ISA to the internal ISA.

The problem is that Sonicwall doesn't have an intelligent RPC filter, so there's no secure way to forward a limited number of ports because of the ephemeral ports required by RPC. The RPC filter on ISA manages the connections, allows only valid commands, and only opens ports on an "as needed" or stateful basis.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx]
Sent: Sunday, September 14, 2003 4:59 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

If you open all ports and forward all traffic to ISA server, isn't that opening up possible exploits against ISA server? Wouldn't it be better to forward all necessary port traffic to ISA server?

Also, I have been looking for a better firewall, one that analyzes at layer 7 and has reports that are easy to track unapproved traffic and has alert notification. In fact, that is why I am now testing ISA server.

Thanks
Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 14, 2003 10:22 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hi Jeff,

Sonicwall can't provide secure Exchange RPC access for your remote Outlook clients. For a secure setup, you need to forward all traffic to the ISA firewall and allow ISA to do the firewalling. Sonicwall is just a traditional packet filtering NAT router and can't provide the layer 7 intelligence required to secure the Outlook/Exchange RPC transactions properly.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx]
Sent: Sunday, September 14, 2003 10:40 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

I have been testing ISA server. Do you have to open any other ports? Also, I am behind a Sonicwall firewall, so I will NAT or forward ports to the ISA server WAN interface. But are there any other points for configuration I should consider?
I saw the wizard that connects the ISA server to Exchange. Is there any other ISA server configuration?

Thanks
Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Saturday, September 13, 2003 11:32 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hi Jeff,

I've enabled ISA Server secure Exchange RPC publishing for several city and county govts, and it works a treat. The only issue is getting the ISPs to open TCP 135, but that's getting to be less of a problem now that the worm hysteria is settling down.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx]
Sent: Saturday, September 13, 2003 10:48 AM
To: [ExchangeList]
Subject: [exchangelist] Unhappy remote clients

I have users that connect to Exchange remotely through VPN. I have tried using OST files but notice when Exchange synchronizes the OST file it takes too long, not fast enough for slow connections. I noticed there are some settings in the Outlook 2002 client for send and receive groups that may be useful.

Was wondering if someone has a system for remote access that works great with large email accounts. I know about OWA, but my clients prefer using their normal Outlook interface. Is there a way to connect to Exchange remotely without synchronizing and collect only new email? I am using IMAP now but was hoping for a solution for the Outlook Exchange client.

Also, any suggestions on minimum bandwidth requirements to implement successful remote VPN Exchange access?

Thanks for any help
Jeff

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
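
The contrast drawn in the thread between forwarding ports on a packet-filtering NAT router and an RPC-aware filter that opens ports on an "as needed" basis, as an added conceptual model that is not part of the thread and not ISA Server's implementation. The interface labels, the dynamic port range and the sample addresses are assumptions made for the illustration.

```python
"""Conceptual model: stateful RPC pinholes vs. static forwarding of a port range."""
from dataclasses import dataclass, field

EPMAP_PORT = 135                     # TCP 135, the port named in the thread
DYNAMIC_RANGE = range(1024, 65536)   # assumed dynamic RPC port range for this model
# Constructed labels standing in for the Exchange RPC interfaces (not real UUIDs).
ALLOWED_INTERFACES = {"exchange-store", "exchange-directory"}


class StaticForwarder:
    """Packet-filtering NAT device: forwards 135 plus the whole dynamic range."""

    def allows(self, client, port):
        return port == EPMAP_PORT or port in DYNAMIC_RANGE


@dataclass
class StatefulRpcFilter:
    """Opens one port per client only after a valid endpoint-mapper exchange."""
    pinholes: set = field(default_factory=set)   # {(client, port)}

    def map_request(self, client, interface, server_port):
        """Model a client asking port 135 where `interface` is listening."""
        if interface not in ALLOWED_INTERFACES:
            return False                 # not an allowed interface: nothing opens
        if server_port not in DYNAMIC_RANGE:
            return False                 # reject an implausible mapper answer
        self.pinholes.add((client, server_port))
        return True

    def disconnect(self, client):
        """Tear down every pinhole held by this client."""
        self.pinholes = {p for p in self.pinholes if p[0] != client}

    def allows(self, client, port):
        return port == EPMAP_PORT or (client, port) in self.pinholes


def exposed_ports(device, client):
    """Count TCP ports on the published server that `client` can reach."""
    return sum(device.allows(client, port) for port in range(1, 65536))


def demo():
    static, stateful = StaticForwarder(), StatefulRpcFilter()
    # Constructed sample addresses from the documentation ranges.
    outlook, prober = "198.51.100.10", "203.0.113.77"
    stateful.map_request(outlook, "exchange-store", 1155)
    stateful.map_request(prober, "other-rpc-service", 1026)   # refused
    before = {"outlook": exposed_ports(stateful, outlook),
              "prober": exposed_ports(stateful, prober)}
    stateful.disconnect(outlook)
    return {"static_any_client": exposed_ports(static, prober),
            "stateful": before,
            "stateful_after_disconnect": exposed_ports(stateful, outlook)}


if __name__ == "__main__":
    print(demo())
```
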