For client computers to gain access to Microsoft Exchange Server computers
remotely over the Internet, the clients and servers must be able to
communicate using RPC. If you are not using an Internet firewall, RPC
communication is enabled by default.
If you are using a firewall to increase your system's security, you might
have to configure the firewall to allow RPC communication. Some Internet
firewalls do not accept the TCP/IP port numbers that Exchange uses for RPC
communication. To solve this problem, add port 135 to your firewall and
configure Exchange to use the same ports as your firewall.
To configure Exchange, set two unique port numbers, one for the information
store and one for the directory. The registry value TCP/IP Port controls
this setting. This DWORD value is a 16-bit number. This value is set to the
port that the firewall will accept.
For the directory, you can modify the port number in the following
registry location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters\TCP/IP Port

For the information store, modify the port number in the following registry
location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\TCP/IP Port
If you are using a packet filter, you must configure it to allow TCP
connections to the information store and directory ports in addition to port
135 (for the RPC End-Point Mapper service) on the Exchange Server computer.
To add TCP/IP port numbers:

1. In the Windows NT registry, select the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
2. From the Edit menu, choose New, and then choose DWORD Value.
3. In the Name box, type TCP/IP Port, and then press ENTER.
4. Double-click TCP/IP Port. In the Value data box, type the number of the
   port that the firewall will accept. Set the base to decimal when entering
   the value.
Based on the assumption that the firewall relays SMTP and that you have
separate internal and external DNS:

On the external DNS, you would have the following records:

    domainx.com              IN MX 10 firewall.domainx.com
    firewall.domainx.com     IN A     1.1.1.1

On the internal DNS, you would have the following records:

    firewall.domainx.com     IN A     10.1.1.1
    exchange.domainx.com     IN A     10.1.1.2
The SMTP server on the firewall should be configured to send all mail for
domainx.com to exchange.domainx.com.
The Exchange server should be configured to accept domainx.com as <inbound>.
At 12:52 PM 7/13/00 -0700, [EMAIL PROTECTED] wrote:
>One obvious thing I forgot to mention. Static NAT does not distinguish
>between ports or protocols. To prevent attacks against other
>ports/services on the Exchange box it would be best to filter the traffic
>and only permit SMTP to pass.
>
>-- Bill Stackpole, CISSP
>
>
>[EMAIL PROTECTED]
>Sent by: [EMAIL PROTECTED]
>
>07/13/00 10:28 AM
>
> To: <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: static nat
>
>
>To date, there aren't any known vulnerabilities to the Exchange-SMTP
>gateway. That does not, however, mitigate the other obvious problems with
>mail-based attacks, including using Exchange as a spam relay, active
>content attacks (a la ILOVEYOU), HTTP-formatted mail attacks, virus-
>infected attachments, flooding the server, DoS attacks, etc. Keep the big
>picture.
>
>Bill Stackpole, CISSP
>
>
>"Yaniv Fine" <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>07/13/00 08:48 AM
>Please respond to yanivf
> To: "Firewalls LIST \(E-mail\)" <[EMAIL PROTECTED]>
> cc:
> Subject: static nat
>
>
>Hi all
>
>We are using Check Point FW-1 and thinking of installing Exchange server
>with static NAT.
>What are the risks we are taking in this scenario?
>Should I think of a tighter but more expensive security strategy?
>Any pointers are welcome.
>
>
>~~~~~~~~~~~~~~~~~~~
>Yaniv Fine
>MIS Manager
>Know-Net Group
>~~~~~~~~~~~~~~~~~~~
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
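Added example (editor's own, not part of the message above or of any Microsoft documentation): a PowerShell rendering of the registry procedure for the two Exchange RPC ports, using the MSExchangeDS and MSExchangeIS registry paths quoted in the message. It assumes a host with PowerShell and the HKLM: registry provider (the message describes doing this by hand in the Windows NT registry editor); the port numbers 1600 and 1601 are placeholders for whatever ports your firewall accepts. The script refuses out-of-range or duplicate values, writes the DWORDs from decimal, reads them back, and lists the TCP ports the packet filter must permit (135 for the End-Point Mapper plus the two fixed ports).

```powershell
# Editor's added example: pin the Exchange information-store and directory
# RPC ports in the registry and report what the packet filter must allow.
# Run elevated on the Exchange Server computer. Port values are assumptions.

$StorePort     = 1600   # assumed: any unused 16-bit port the firewall accepts
$DirectoryPort = 1601   # assumed: must differ from $StorePort

# Registry keys quoted in the message, mapped to the port each should get.
# [ordered] keeps the write/read-back order deterministic.
$Targets = [ordered]@{
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem' = $StorePort
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters'       = $DirectoryPort
}

# The value is a 16-bit number; reject anything outside that range, and
# reject 135 itself because the RPC End-Point Mapper already listens there.
foreach ($port in $Targets.Values) {
    if ($port -lt 1 -or $port -gt 65535 -or $port -eq 135) {
        throw "Port $port is not a usable 16-bit port number"
    }
}
if ($StorePort -eq $DirectoryPort) {
    throw 'The information store and directory must use two different ports'
}

foreach ($key in $Targets.Keys) {
    if (-not (Test-Path $key)) {
        throw "Registry key $key not found; is this an Exchange Server computer?"
    }
    # Step 4 of the message: a DWORD entered as a decimal value.
    # -Force overwrites an existing TCP/IP Port value instead of failing.
    New-ItemProperty -Path $key -Name 'TCP/IP Port' -PropertyType DWord `
                     -Value $Targets[$key] -Force | Out-Null
}

# Read the values back so the operator sees what the services will bind to
# once they are restarted.
foreach ($key in $Targets.Keys) {
    $actual  = (Get-ItemProperty -Path $key -Name 'TCP/IP Port').'TCP/IP Port'
    $service = ($key -split '\\')[-2]      # MSExchangeIS or MSExchangeDS
    '{0,-12} TCP/IP Port = {1}' -f $service, $actual
}

# Inbound TCP ports the packet filter must permit to this host, per the
# message: 135 (End-Point Mapper) plus the two fixed ports set above.
$RequiredTcpPorts = @(135, $StorePort, $DirectoryPort)
"Packet filter must permit inbound TCP to: $($RequiredTcpPorts -join ', ')"
```

The services read the value at startup, so restart the directory and information store services after running this, then confirm from outside the firewall that only TCP 135 and the two chosen ports (plus SMTP, if the firewall relays mail to this host) are reachable; that is the filtering Bill Stackpole's note about static NAT is asking for.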