Discussion about article on publishing Exchange 2007

Discussion about article on publishing Exchange 2007 - 19.Jul.2007 10:00:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on publishing Exchange 2007 at http://isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on publishing Exchange 2007 - 19.Jul.2007 10:20:21 AM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
I laugh when I see that "nightmare scenario" diagram.  Too bad in USA it is all too common.  Wake up people, ISA > PIX.

Thanks for a great article Tom.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on publishing Exchange 2007 - 23.Jul.2007 5:54:31 PM   
Cashmo

 

Posts: 14
Joined: 28.Jun.2007
Status: offline
Thanks for the article, looking forward to the rest of it. 

Regarding "In a split DNS, the same domain name is hosted on two different DNS servers containing two different DNS zones. There are usually two zones: an external zone that services external network clients and an internal zone that services internal network clients" and "We will cover only the internal DNS server in this example, as you likely will be using a non-Windows based DNS server for your external zone."  Am I correct in thinking the external DNS server would be the one at a business's Internet Service Provider?

Your comments up front about how a secure production environment would use an Edge server on an anonymous DMZ and putting the Client Access Server on an authenticated DMZ will frighten off the smaller 100 user businesses.  Is there no hope of configuring a secure remote access scenario using a single 2007 Exchange server and ISA 2006? 

Thanks,
Jeff

(in reply to tshinder)
Post #: 3
RE: Discussion about article on publishing Exchange 2007 - 23.Jul.2007 8:59:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ferris,

Ha! Yes, it seems that the Americans are definitely not as sophisticated as the Europeans are when it comes to network security. The "nightmare scenario" shows how poorly educated most American "security specialists" are. Most of them only know what the "hardware" sales guys tell them! :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ferrix)
Post #: 4
RE: Discussion about article on publishing Exchange 2007 - 23.Jul.2007 9:02:20 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Cashmo

Thanks for the article, looking forward to the rest of it. 

Regarding "In a split DNS, the same domain name is hosted on two different DNS servers containing two different DNS zones. There are usually two zones: an external zone that services external network clients and an internal zone that services internal network clients" and "We will cover only the internal DNS server in this example, as you likely will be using a non-Windows based DNS server for your external zone."  Am I correct in thinking the external DNS server would be the one at a business's Internet Service Provider?

Your comments up front about how a secure production environment would use an Edge server on an anonymous DMZ and putting the Client Access Server on an authenticated DMZ will frighten off the smaller 100 user businesses.  Is there no hope of configuring a secure remote access scenario using a single 2007 Exchange server and ISA 2006? 

Thanks,
Jeff


Hi Jeff,

While the secure design using authenticated and anonymous access DMZs is the preferred method of creating a highly secure configuration, it's all a matter of degree. Having an ISA Firewall in front of the single Exchange 2007 is certainly more secure than a PIX, ASA or Juniper. It's just not the best way to do it, but you do what you can with the amount of money you're willing to spend.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Cashmo)
Post #: 5
RE: Discussion about article on publishing Exchange 2007 - 24.Jul.2007 3:40:48 PM   
tmurfet

 

Posts: 21
Joined: 23.Dec.2002
From: Vancouver BC
Status: offline
quote:

ORIGINAL: tshinder

quote:

ORIGINAL: Cashmo
......a secure production environment would use an Edge server on an anonymous DMZ and putting the Client Access Server on an authenticated DMZ .....

I suppose you could combine the Edge server with the Client Access Server in the Authenticated DMZ? Thus working with two servers instead of three. Would an IIS based SMTP relay be enough in the anonymous DMZ? Or am I not understanding the role of the Edge server?

Cheers, Anthony Murfet

(in reply to tshinder)
Post #: 6
RE: Discussion about article on publishing Exchange 2007 - 24.Jul.2007 5:47:16 PM   
Cashmo

 

Posts: 14
Joined: 28.Jun.2007
Status: offline
quote:

I suppose you could combine the Edge server with the Client Access Server in the Authenticated DMZ ? Thus working with two servers instead of three. Would a IIS based SMTP relay be enough in the anonymous DMZ? Or am I not understanding the role of the Edge server?


http://www.microsoft.com/exchange/evaluation/features/serverroles.mspx shows the Edge Transport role on its own in the DMZ (anonymous or authenticated?) and the CAS, Hub Transport and Mailbox roles would be on the second Exchange server behind the ISA box. I'm also not sure what protocols would be used between the Exchange servers.

Thanks,
Jeff

(in reply to tmurfet)
Post #: 7
RE: Discussion about article on publishing Exchange 2007 - 25.Jul.2007 2:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff,

The Edge Exchange Server should be on an anonymous access DMZ. The reason for this is that no authenticated connections come into the Exchange Edge server.

I'm in the same boat you're in right now. I haven't figured out what the protocols are that are required between the various Exchange Servers for 2007. I'll probably try to figure that out after I get back from Black Hat.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Cashmo)
Post #: 8
RE: Discussion about article on publishing Exchange 2007 - 26.Jul.2007 5:11:12 PM   
Cashmo

 

Posts: 14
Joined: 28.Jun.2007
Status: offline
Applicable info from http://blogs.technet.com/haroldwong/archive/2007/01/26/exchange-server-2007-webcast-series-part-2-of-24-q-a-log.aspx
 
Question: Is it suggested to put the edge server in a true DMZ or is Microsoft recommending it be published via ISA?
Answer: Edge Transport server is only supported in a perimeter network. You can use ISA as the firewall server, but do not use ISA's built-in SMTP screening/filtering capabilities.
 
Question: Does the Edge Transport support TLS, or what type of secure email does it handle?
Answer: Secure SMTP (SMTPS) from Edge to Hub Transport. And from Hub to Edge it's using SMTP plus 50389 (LDAP) or 50363 (Secure LDAP) for Edge Sync traffic.
 
Question: What is the advantage of having an edge server over using just a hub server?
Answer: This server role is for perimeter network deployment. It supports Simple Mail Transfer Protocol (SMTP) routing, provides anti-spam filtering technologies and support for antivirus extensibility. The Edge Transport server should be isolated from the Active Directory directory services, but can still leverage Active Directory for recipient filtering by using Active Directory Application Mode (ADAM). EdgeSync in Exchange Server 2007 publishes pertinent organization information, encrypted, to the Edge Transport server for use in robust recipient filtering and respects Microsoft Outlook safe sender lists on the Edge. Communications between the Edge Transport server and the internal network in an Exchange Server 2007 organization are encrypted by default. Edge Transport includes anti-spam technologies that protect at many layers.
 
http://technet2.microsoft.com/Office/en-us/library/678d6c9e-12cb-44fb-8936-7a3a67f53d3e1033.mspx?mfr=true and http://technet2.microsoft.com/windowsserver/en/library/b6bc99b2-578f-4f0d-933b-e1015d79681a1033.mspx?mfr=true have more ADAM / LDAP port info although 2 links below it seems Edge Sync uses different ports.
 
http://msexchangeteam.com/archive/2006/11/17/431555.aspx has good info on the differences between receiving your SMTP traffic at the Edge vs Hub Transport.
 
http://technet.microsoft.com/en-us/library/aa996562.aspx = Technet: Planning for Edge Transport Servers, includes port numbers for Edge Sync.
 
Since my company's present Barracuda 200 spam filter does much of what the Edge Transport box would do I think I'm going to forgo the latter.  Now I'm trying to decide whether it's worth a 2nd Exchange server to hold the Client Access role or not.  Am I correct in thinking the Barracuda spam filter should go in an ISA DMZ? 



Thanks,
Jeff

< Message edited by Cashmo -- 26.Jul.2007 5:12:20 PM >

(in reply to tshinder)
Post #: 9
RE: Discussion about article on publishing Exchange 2007 - 26.Jul.2007 7:43:51 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff,

Yes, the Barracuda should be placed in an anonymous access DMZ. If you decide on deploying a client access server, that should be placed on an authenticated access DMZ. You can do this easily with a single ISA Firewall with four NICs.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Cashmo)
Post #: 10
RE: Discussion about article on publishing Exchange 2007 - 15.Aug.2007 5:58:41 AM   
rjms

 

Posts: 3
Joined: 15.May2003
Status: offline
It's nice to see that I have, somehow, contributed to this article, since the Exchange Publishing Nightmare Scenario picture was taken from an article I wrote for MSExchange.org.
I just want to clarify some points around this scenario:

- I fully agree with Mr. Thomas Shinder that this is not the best topology for ISA Server;
- Nevertheless (and I'm in Europe), most of my customers specifically ask for this topology, although I keep trying to convince them otherwise;
- ISA is a great firewall, but is also a great reverse proxy. All of my customers where the Nightmare Scenario was the one that was implemented already had the security components (firewalls) in place. ISA Server was a new addition with the specific purpose of publishing Exchange. Hey, it's a great way of introducing them to Microsoft products, so maybe they'll start using it as their edge firewall;
- Having said that, I totally disagree that the Nightmare Scenario will increase Cisco or Checkpoint profit.

One thing that being a consultant taught me is to understand customer needs and not try to push my technical solution on them. My job is to advise them and to point them in the right direction, but if they want to stick with their DMZ with their Checkpoint firewalls, who am I to deny them that?

Fundamentalism is what makes the Linux, Unix, Checkpoint, Cisco (...) guys lose market share. I like to think of ourselves, Microsoft guys, as more open-minded and willing to build a solution that really serves customer needs.

Cheers,
Rui Silva

(in reply to tshinder)
Post #: 11
RE: Discussion about article on publishing Exchange 2007 - 16.Aug.2007 10:16:02 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rui,

Indeed, the Nightmare Scenario graphic was lifted from your article and enhanced for educational purposes.

Allowing your customers to dictate security requirements is not wise. You're the expert and it's our responsibility to educate them and provide expert opinion and guidance.

Children think they can play with fireworks and guns -- but as adults we don't let them do that because we know better. In the same way, customers might think that the Nightmare Scenario is a smart way to do things, but they actually end up lowering their overall security posture by implementing the ISA Firewall in that way.

Because of this, as a consultant myself, I refuse to work with customers who do not do the right thing. Why should I become a co-conspirator in their attempt to reduce security?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rjms)
Post #: 12
RE: Discussion about article on publishing Exchange 2007 - 16.Aug.2007 10:50:52 AM   
rjms

 

Posts: 3
Joined: 15.May2003
Status: offline
Sometimes I also wish I could refuse to work with some customers, but unfortunately I can't.
I understand and respect your point of view, but as I said, if a customer already has a DMZ using 3rd party firewalls and just wants to publish Exchange, I see no problem in using ISA Server that way.
ISA is great for publishing Exchange and is an opportunity to introduce these customers to a fine security product from Microsoft.

(in reply to tshinder)
Post #: 13
RE: Discussion about article on publishing Exchange 2007 - 17.Aug.2007 10:12:24 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rui,

I understand your point of view and some businesses don't have the luxury of telling customers "no". I'm fortunate in that way. But one thing I do try to do on www.isaserver.org is point out best practices and make very, very clear that the ISA Firewall was designed from the ground up to be a network firewall with Web proxy and VPN capabilities as well. But the ISA Firewall is primarily a firewall and arguably more secure than anything that Check Point or Cisco has -- and that's the important educational message that customers must understand.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rjms)
Post #: 14
RE: Discussion about article on publishing Exchange 2007 - 21.Aug.2007 1:02:38 PM   
mmcgille

 

Posts: 1
Joined: 21.Aug.2007
Status: offline
Hi Tom,
Very good article on Exchange 2007 and ISA publishing - I got a lot out of it. One thing I thought was worth mentioning is that there _is_ an SMTP service in Exchange 2007.

Unfortunately, it is called "Microsoft Exchange Transport" (MSExchangeTransport.exe)
If you go to your server's command line and do a netstat -ab you will see that MSExchangeTransport.exe is the executable listening on port 25.

(Also note that this is a different service than the EdgeTransport.exe you talk about fiddling with that config in the section about backpressure).

Anyway, the Exchange Transport service is the one responsible for SMTP in Exchange2k7. 

Regards,
Matt

(in reply to tshinder)
Post #: 15
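The check Matt describes above (run `netstat -ab` and confirm which executable owns the port 25 listener) is easy to turn into a repeatable baseline check, which is how a defender would want to verify that the SMTP listener on an Exchange server is the expected service and not something else. The following is an added example, not code from the original thread, the article, or Microsoft: it parses the `netstat -ab` output format (connection line followed by an optional service-name line and a bracketed executable name, or the "Can not obtain ownership information" message), builds a map of listening sockets to their owning executable, and compares it against a baseline. The sample output and the baseline (`EXPECTED_LISTENERS`, which only records port 25 -> MSExchangeTransport.exe as stated in the post) are constructed for the example, and `dsamain.exe` on 443 is a deliberately unknown-owner entry, not a claim about any real server.

```python
import re

# Constructed sample of Windows `netstat -ab` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
 [MSExchangeTransport.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    10.0.0.5:25            203.0.113.7:40211      ESTABLISHED
 [MSExchangeTransport.exe]
  UDP    0.0.0.0:123            *:*
 [svchost.exe]
"""

# Constructed variant where an unexpected binary owns port 25 (hypothetical name).
SAMPLE_NETSTAT_DRIFT = SAMPLE_NETSTAT.replace(
    " [MSExchangeTransport.exe]\n  TCP    0.0.0.0:135", " [unexpected.exe]\n  TCP    0.0.0.0:135", 1)

# Baseline of listeners we expect on this host; port 25 owner taken from the post above.
EXPECTED_LISTENERS = {("TCP", 25): "MSExchangeTransport.exe"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat_ab(text):
    """Parse `netstat -ab` output into a list of socket records.

    Each record has proto, local, foreign, state (empty for UDP), the owning
    executable (owner) and, when netstat printed one, the hosting service name
    (component), e.g. RpcSs inside svchost.exe.
    """
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            entries.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "owner": None, "component": None})
            continue
        if not entries:
            continue  # header text before the first connection line
        current = entries[-1]
        m = OWNER_RE.match(line)
        if m:
            current["owner"] = m.group(1)
        elif line.strip().startswith("Can not obtain"):
            current["owner"] = "<unknown>"  # netstat lacked rights to resolve the owner
        elif line.strip() and current["owner"] is None:
            current["component"] = line.strip()  # service name printed before the exe
    return entries


def listening_ports(entries):
    """Map (proto, port) -> owning executable for listening sockets only."""
    listeners = {}
    for e in entries:
        if e["proto"] == "TCP" and e["state"] != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        port = int(e["local"].rsplit(":", 1)[1])  # works for IPv4 and [::]:port
        listeners[(e["proto"], port)] = e["owner"]
    return listeners


def check_baseline(listeners, expected=EXPECTED_LISTENERS):
    """Return a list of findings where a baselined port is missing or owned by
    a different executable than expected."""
    findings = []
    for (proto, port), exe in expected.items():
        actual = listeners.get((proto, port))
        if actual is None:
            findings.append(f"{proto}/{port}: expected {exe}, nothing is listening")
        elif actual.lower() != exe.lower():
            findings.append(f"{proto}/{port}: expected {exe}, found {actual}")
    return findings


if __name__ == "__main__":
    for label, sample in (("baseline", SAMPLE_NETSTAT), ("drift", SAMPLE_NETSTAT_DRIFT)):
        ports = listening_ports(parse_netstat_ab(sample))
        print(label, "->", check_baseline(ports) or "no findings")
```

On a real server you would feed the script the saved output of `netstat -ab` (run from an elevated prompt, otherwise the owner shows as unknown) and extend `EXPECTED_LISTENERS` with the other ports the host is supposed to expose; anything that lands in the findings list is worth a look before assuming the published service is the one you intended.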
RE: Discussion about article on publishing Exchange 2007 - 22.Aug.2007 12:40:45 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Matt,

Thanks for the info! I appreciate any information I can get about how the new Exchange Server works.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mmcgille)
Post #: 16
RE: Discussion about article on publishing Exchange 2007 - 22.Aug.2007 4:11:46 PM   
BryantFong

 

Posts: 23
Joined: 2.Feb.2002
Status: offline
Greetings:

I notice that when creating the OWA (NTLM) - "integrated authentication" rule it appears to be the same as the OWA (Basic) except for the /OWA/* in the path section.  How does this rule <OWA (NTLM)> rule use NTLM?   I look at the walkthrough and there is no option for that rule that I see that uses NTLM.  Thanks.

We configured our Exchange 2007 with a single rule and it works without any issues.  Thanks.

(in reply to tshinder)
Post #: 17
RE: Discussion about article on publishing Exchange 2007 - 25.Aug.2007 12:30:18 PM   
designxperts

 

Posts: 25
Joined: 9.Jul.2007
Status: offline
I noticed the same thing about the OWA (NTLM) rule, shouldn't we change the authentication method to NTLM authentication from the Authentication delegation tab

(in reply to BryantFong)
Post #: 18
RE: Discussion about article on publishing Exchange 2007 - 27.Aug.2007 9:47:39 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes! I forgot that part. I'll make sure we get that updated today.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to designxperts)
Post #: 19
RE: Discussion about article on publishing Exchange 2007 - 29.Aug.2007 4:51:14 AM   
Je@nb

 

Posts: 8
Joined: 8.Mar.2006
Status: offline
In the last article you say :

quote:


Note that you cannot select any other option than Basic authentication because the Web Listener is configured to fail back to Basic authentication only. This means that users will always need to log on when connecting using RPC/HTTP. This is the price you have to pay for ISA Firewall security and pre-authentication. If you try to bypass this configuration, you will enable the entire Internet to establish anonymous connections to your RPC/HTTP proxy site on the Client Access Server. That is not something I consider a wise security decision and do not come crying to me when you get nailed with a zero-day exploit against the RPC/HTTP proxy just because your users whined about having to log on to Outlook. 


Can't we create another Web Listener with integrated authentication and then do a standard NTLM delegation to authenticate to the CAS?
So we can do NTLM authentication securely with Outlook, can't we?

(in reply to tshinder)
Post #: 20
