Educause Security Discussion mailing list archives
Re: Windows XP ICF and Outlook XP
From: "Wehner, Paul (wehnerpl)" <WEHNERPL () UCMAIL UC EDU>
Date: Mon, 10 May 2004 14:03:09 -0400
Here at the Univ. of Cincinnati we have statically mapped the ports on all our Exchange servers and haven't experienced any issues.

-----Original Message-----
From: Jason Richardson [mailto:a00jer1 () WPO CSO NIU EDU]
Sent: Friday, May 07, 2004 8:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows XP ICF and Outlook XP

Jake, we discovered the same kind of problem with ICF and Groupwise Busy Search - users could not use busy search with ICF enabled because it didn't use the same port every time and ICF is not an application-based firewall.

I think that XP SP2's ver. of ICF will solve your problem because it can do more of an application-based firewall and you've seen that already with the machine that you are testing on - it also works with GW busy search.

I wouldn't worry too much about forcing Exchange to use static ports by hacking the registry if the process is documented, but it might be more painless to wait for SP2, which is already a release candidate, so it shouldn't be much longer.

Good luck,

---
Jason Richardson, J.D., CISSP, CISM, CNE
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
jkbarros () GRACE EDU 5/7/2004 5:12:28 PM >>>
We'd like to start deploying Windows XP using the built-in Internet Connection Firewall campus wide, but in testing noticed that our Outlook XP clients are not 'automatically' sending or receiving mail. When you manually send/receive or navigate between any folders within the Exchange mailbox, mail flow is fine. Right now we have Outlook clients set to send / receive every minute, and that works, but users are complaining.

After reading a post on the Neohapsis archive, we've used TCPView and found that the Exchange server makes UDP connections with each client when started. The problem is that the UDP port(s) it uses are never the same. Windows ICF isn't configurable to the point of including wildcards, nor can I set it to accept all traffic from a specific host. At least I don't know a way.

Microsoft sort of acknowledges that it's a problem. Their fix is to change the Exchange server to only communicate on static ports... which makes sense but scares me because it's a registry hack.

http://support.microsoft.com/default.aspx?kbid=270836

Anyone using this configuration? Can I anticipate my Exchange server to panic if I hack the registry? Client problems? Has anyone tried it?

Do you even view this as a problem? Is this a legitimate issue or should I just tell my users to deal? I want to make security as painless as possible but I also don't mind telling them that this is just the way that it will be. Any advice, technical or interpersonal, would be helpful.

In a semi-related note I have a pre-release of XP sp2 loaded and running on my desktop and I think it's great. Includes a built-in pop-up blocker in IE, the ICF is a BIG step up from sp 1, and it hasn't locked or choked at all. Only issue I've seen is the one mentioned above. Anyone else have input?

Jake Barros
Grace College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.