RE: Unhappy remote clients

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sun, 14 Sep 2003 22:40:11 -0500

Hi Jeff,

No Protocol Rules required. The ISA firewall will dynamically open
outbound filters to allow the Exchange Server to respond to the incoming
requests.

Another thing to keep in mind is that not only does the RPC publishing
rule allow for temporary and exclusive opening of the required ports, it
also enforces valid Exchange RPC commands. The RPC worms out there can
try as much as they like, but they won't be able to touch your Exchange
Server through the RPC publishing rule, because the filter whacks 'em.

When packet filtering is enabled, the ISA firewall does not allow
connections to ports that you don't explicitly allow inbound access to.
I get thousands of hits a day from port probers and the like, but they
only access what I've allowed inbound access to. Of course, you have to
harden the servers that you allow inbound access to, but they need to be
hardened anyhow, because the majority of hacks take place from hosts
that are already behind the firewall.

For RPC publishing, make sure your public DNS supports the connections.
What version of Outlook are your external clients using?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 9:07 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients


http://www.MSExchange.org/

Hello Tom

  So exchange opens a lot of short lived temporary ports in its
communication.
So in setting up the ISA server
1. Forward all traffic from sonic to ISA external interface
2. Publish internal exchange server 
3. Do I need to configure outbound RPC protocol rules

Also have you successfully blocked hackers with one ISA server?
Also what reports have you found to be useful?

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 14, 2003 4:21 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients

Hi Jeff,

Actually, you bring up a good point. If you have an ISA in front of the
ISA, then you would have a nice two layers of protection, and then you
could provide limited inbound Exchange RPC from the external ISA to the
internal ISA. The problem is that sonicwall doesn't have an intelligent
RPC filter, so there's no secure way to forward a limited number of
ports because of the ephemeral ports required by RPC. The RPC filter on
ISA manages the connections, allows only valid commands, and only opens
ports on an "as needed" or stateful basis.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 
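The behaviour Tom describes here and again at the top of the thread (only the endpoint mapper port is exposed statically, the ephemeral port is opened per client on an "as needed" basis, and only valid RPC commands are let through) is easier to see next to a plain port-forwarding filter. The Python below is an added illustration written for this page, not ISA Server's or the list's own code: the packet shape, the verb tags, the client addresses, the forwarded port range and the 30-second grant lifetime are all constructed for the example.

```python
from dataclasses import dataclass

EPM_PORT = 135                    # endpoint mapper: the only statically exposed port
RPC_VERBS = {"BIND", "REQUEST"}   # constructed stand-in for "valid Exchange RPC commands"


@dataclass(frozen=True)
class Packet:
    src: str      # client address (constructed)
    dport: int    # destination port on the published Exchange server
    verb: str     # constructed payload tag standing in for the RPC PDU type


class StaticPortFilter:
    """Models a traditional packet-filtering NAT router: a fixed list of
    forwarded ports, no idea who asked for what or what is inside."""

    def __init__(self, forwarded_ports):
        self.forwarded = set(forwarded_ports)

    def inbound(self, pkt):
        return pkt.dport in self.forwarded


class RpcPublishingFilter:
    """Models an RPC-aware publishing rule: watches the server's endpoint
    mapper replies, grants the returned ephemeral port only to the client
    that asked, only for a limited time, and only for valid RPC verbs."""

    def __init__(self, ttl=30):
        self.ttl = ttl
        self.clock = 0          # simulated seconds, advanced by tick()
        self.grants = {}        # (client, port) -> expiry time

    def tick(self, seconds):
        self.clock += seconds

    def server_reply(self, client, verb):
        # Outbound direction: learn the ephemeral port from the mapper reply.
        if verb.startswith("EPM_REPLY:"):
            port = int(verb.split(":", 1)[1])
            self.grants[(client, port)] = self.clock + self.ttl

    def inbound(self, pkt):
        if pkt.dport == EPM_PORT:
            return pkt.verb == "EPM_MAP"          # only a real mapper lookup
        expiry = self.grants.get((pkt.src, pkt.dport))
        if expiry is None:
            return False                          # nobody was granted this port
        if self.clock > expiry:
            del self.grants[(pkt.src, pkt.dport)]
            return False                          # grant has lapsed
        return pkt.verb in RPC_VERBS              # enforce valid commands


def simulate():
    """Run a constructed packet sequence through both filters.
    Returns {scenario: (static_decision, rpc_aware_decision)}."""
    static = StaticPortFilter([EPM_PORT] + list(range(1025, 5001)))
    rpc = RpcPublishingFilter(ttl=30)
    client, stranger = "198.51.100.10", "203.0.113.5"   # constructed addresses
    results = {}

    # 1. Legitimate Outlook client asks the mapper where the interface lives.
    p = Packet(client, EPM_PORT, "EPM_MAP")
    results["mapper_request"] = (static.inbound(p), rpc.inbound(p))

    # 2. Garbage aimed at TCP 135 (worm-style traffic) is not a mapper request.
    p = Packet(stranger, EPM_PORT, "JUNK")
    results["junk_on_135"] = (static.inbound(p), rpc.inbound(p))

    # 3. Server answers: the interface is on ephemeral port 1143 (constructed).
    rpc.server_reply(client, "EPM_REPLY:1143")
    p = Packet(client, 1143, "BIND")
    results["client_bind"] = (static.inbound(p), rpc.inbound(p))

    # 4. A different host hits the same port without a mapper exchange.
    p = Packet(stranger, 1143, "BIND")
    results["stranger_same_port"] = (static.inbound(p), rpc.inbound(p))

    # 5. A probe of some other port inside the forwarded range.
    p = Packet(stranger, 3389, "REQUEST")
    results["probe_in_range"] = (static.inbound(p), rpc.inbound(p))

    # 6. The granted client sends something that is not an RPC command.
    p = Packet(client, 1143, "JUNK")
    results["junk_on_granted"] = (static.inbound(p), rpc.inbound(p))

    # 7. The grant expires; the port closes again on the RPC-aware side.
    rpc.tick(31)
    p = Packet(client, 1143, "BIND")
    results["bind_after_expiry"] = (static.inbound(p), rpc.inbound(p))
    return results


if __name__ == "__main__":
    for name, (static_ok, rpc_ok) in simulate().items():
        print(f"{name:20s} static={static_ok!s:5s} rpc_aware={rpc_ok}")
```

The static filter says yes to every scenario except nothing, which is exactly the point Tom makes about forwarding a port range: the router has no way to know which ephemeral port belongs to which client or whether the bytes inside are RPC at all. The RPC-aware model admits only the mapper lookup and the one granted client, and closes the port again once the grant lapses.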



-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 4:59 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients


If you open all ports and forward all traffic to ISA server, isn't that
opening up possible exploits against ISA server? Wouldn't it be better
to forward all necessary port traffic to ISA server? Also I have been
looking for a better firewall, one that analyzes at layer 7 and has
reports that make it easy to track unapproved traffic and has alert
notification. In fact that is why I am now testing ISA server.

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Sunday, September 14, 2003 10:22 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients


Hi Jeff,

Sonicwall can't provide secure Exchange RPC access for your remote
Outlook clients. For a secure setup, you need to forward all traffic to
the ISA firewall and allow ISA to do the firewalling. Sonicwall is just
a traditional packet filtering NAT router and can't provide the layer 7
intelligence required to secure the Outlook/Exchange RPC transactions
properly.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Sunday, September 14, 2003 10:40 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients


I have been testing ISA server. Do you have to open any other ports?
Also I am behind a sonicwall firewall, so I will NAT or forward ports to
the ISA server WAN interface. But are there any other points for
configuration I should consider? I saw the wizard that connects the ISA
server to exchange; is there any other ISA server configuration?

Thanks Jeff

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Saturday, September 13, 2003 11:32 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Unhappy remote clients


Hi Jeff,

I've enabled ISA Server secure Exchange RPC publishing for several city
and county govts, and it works a treat. The only issue is getting the
ISPs to open TCP 135, but that's getting to be less of a problem now
that the worm hysteria is settling down.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Jeff Bushberg [mailto:jeff@xxxxxxxxx] 
Sent: Saturday, September 13, 2003 10:48 AM
To: [ExchangeList]
Subject: [exchangelist] Unhappy remote clients


I have users that connect to exchange remotely through VPN. I
have tried using OST files but notice when exchange synchronizes the OST
file it takes too long, not fast enough for slow connections. I noticed
there are some settings in the 2002 outlook client for send and receive
groups that may be useful. Was wondering if someone has a system for remote
access that works great with large email accounts. I know about OWA,
but my clients prefer using their normal outlook interface. Is there a
way to connect to exchange remotely without synchronizing and collect
only new email? I am using IMAP now but was hoping for a solution for
the outlook exchange client. Also any suggestions on minimum bandwidth
requirements to implement successful remote VPN exchange access.


Thanks for any help
Jeff
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 ISA
Server Resource Site: http://www.isaserver.org Windows Security Resource
Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')