Only Greg uses POP3 and IMAP4 ;)
http://www.ISAserver.org
Whoa. Interesting stuff.
So, the dreaded CIFS and RPC are only required for Exchange Management console? That would indeed be sweet.
And FE POP3 and IMAP4 work too? ;)
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 05, 2005 9:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Updates from the Least Privilege Front
Just in case I forget (since we have been discussing FE Exchange Servers in a DMZ Segment) here is the skinny on the least privilege rules required to support the functionality outlined in Shinder's List.
A Front End Exchange Server must verify a remote user's logon request, authenticate the local OWA access request in AD (based on NTFS perms), look up the Exchange Server hosting the user's mailbox in AD (global catalog), forward the user's credentials to the Back End Exchange Server required to log on to the BE on behalf of the user, and to finally proxy the web-based data to the end user. You also must be able to log into the FE server to administer the box, obviously.
The protocol list required for all of this functionality is as follows:

From the OWA FE server in the DMZ Segment to the Domain Controllers:
- DNS
- Kerberos-Sec (UDP)
- LDAP
- LDAP (UDP)
- LDAP (Global Catalog)
- Ping (Not required, but helpful)
- Microsoft CIFS (TCP)
- RPC (All Interfaces)
From the OWA FE server to all BE servers, you must allow: HTTP
Note that all manner of NBT traffic requests were attempted, but these are apparently not required when the other protocols are allowed.
Now, one may be tempted to have a single rule for DC authentication containing these rules, and a single HTTP rule from the FE to all BE servers on the Internal Network, but that is not how I recommend doing it in a "least privilege" environment.
I have a problem with allowing CIFS and RPC from a DMZ asset to my internal Domain Controllers. I also like peanut butter rolled up in a slice of Bologna-- I call it a "trailer park crepe." But I digress.
In my tests, CIFS and RPC were only necessary for console logon to the FE asset. If you were logged out of the FE server yet remotely accessed the FE facilities via OWA, CIFS and RPC were *not* required. If the FE thinks it has CIFS and RPC, it will use it for FE functions (in my tests). But if you do not allow it, LDAP, Kerberos-Sec to the DCs and HTTP to the BEs will ultimately be used. The first time a user does this, it takes a bit for the auth to complete, but after that, it's superfly.
Given that, I have decided to separate auth into 2 rule sets: One from the FE server to the DCs with all the above minus CIFS and RPC, and one from the FE server to the DCs with CIFS and RPC. The trick is to disable the second auth rule until you need to log on to the console of the FE server. This way, you allow full OWA functionality without having to have evil CIFS and RPC open from that DMZ segment into your Internal network.
More later.
t
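The two-rule-set layout Thor describes above, modelled as an added example for checking the policy offline; this is not code from the post and not the ISA Server administration API. The network object names (OWA-FE-DMZ, Internal-DCs, Internal-BE-Exchange) are constructed, and the port numbers are the standard ones for each protocol name (assumed, not stated in the post): DNS 53, Kerberos 88/udp, LDAP 389, Global Catalog 3268, CIFS 445/tcp, RPC endpoint mapper 135/tcp plus the dynamic range. The `audit` function is the check a reviewer would want: it flags the CIFS/RPC rule whenever it has been left enabled after a console session.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# (protocol, low port, high port); ICMP uses (0, 0)
Service = Tuple[str, int, int]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int = 0  # 0 for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    services: Tuple[Service, ...]
    enabled: bool = True

    def matches(self, f: Flow) -> bool:
        if not self.enabled or f.src != self.src or f.dst != self.dst:
            return False
        return any(p == f.proto and lo <= f.port <= hi
                   for p, lo, hi in self.services)


# Constructed network object names, standing in for ISA computer sets.
FE, DCS, BES = "OWA-FE-DMZ", "Internal-DCs", "Internal-BE-Exchange"

# Rule 1: everything OWA needs against the DCs, minus CIFS and RPC. Always on.
OWA_AUTH = Rule("FE->DC OWA auth (always on)", FE, DCS, (
    ("udp", 53, 53), ("tcp", 53, 53),      # DNS
    ("udp", 88, 88),                       # Kerberos-Sec (UDP)
    ("tcp", 389, 389), ("udp", 389, 389),  # LDAP, LDAP (UDP)
    ("tcp", 3268, 3268),                   # LDAP (Global Catalog)
    ("icmp", 0, 0),                        # Ping (optional)
))

# Rule 2: CIFS and RPC for console logon only. Disabled by default.
CONSOLE_LOGON = Rule("FE->DC console logon (CIFS/RPC)", FE, DCS, (
    ("tcp", 445, 445),       # Microsoft CIFS (TCP)
    ("tcp", 135, 135),       # RPC endpoint mapper
    ("tcp", 1025, 65535),    # RPC dynamic ports ("all interfaces"), assumed range
), enabled=False)

# Rule 3: the only thing the FE needs toward the BE servers.
OWA_PROXY = Rule("FE->BE OWA proxy", FE, BES, (("tcp", 80, 80),))

POLICY: List[Rule] = [OWA_AUTH, CONSOLE_LOGON, OWA_PROXY]


def evaluate(flow: Flow, rules: List[Rule]) -> Optional[str]:
    """First-match allow; a flow no enabled rule matches is denied (None)."""
    for r in rules:
        if r.matches(flow):
            return r.name
    return None


def set_console_logon(rules: List[Rule], enabled: bool) -> List[Rule]:
    """Return a copy of the policy with the CIFS/RPC rule toggled."""
    return [replace(r, enabled=enabled) if r.name == CONSOLE_LOGON.name else r
            for r in rules]


def audit(rules: List[Rule]) -> List[str]:
    """Flag any enabled rule that opens CIFS (445) or the RPC endpoint
    mapper (135) from the DMZ front end into the domain controllers."""
    findings = []
    for r in rules:
        if not (r.enabled and r.src == FE and r.dst == DCS):
            continue
        for proto, lo, hi in r.services:
            if proto == "tcp" and (lo <= 445 <= hi or lo <= 135 <= hi):
                findings.append(f"{r.name}: CIFS/RPC open from DMZ to DCs; "
                                "disable again once console logon is done")
                break
    return findings


if __name__ == "__main__":
    for f in (Flow(FE, DCS, "udp", 88), Flow(FE, DCS, "tcp", 445),
              Flow(FE, BES, "tcp", 80), Flow(FE, BES, "tcp", 445)):
        print(f, "->", evaluate(f, POLICY) or "DENY")
    print("audit (console rule enabled):", audit(set_console_logon(POLICY, True)))
```

With the console rule disabled, Kerberos, LDAP and GC lookups to the DCs and HTTP to the BEs are the only flows the FE can open; CIFS and RPC toward the DCs, and anything but HTTP toward the BEs, fall through to the default deny. Running `audit` on the live rule set after a maintenance window is the cheap way to catch the second rule being left on.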