Firewall Wizards mailing list archives

re: How do folks firewall MS Exchange?


From: "David Goldsmith" <dave.goldsmith () rappatech com>
Date: Wed, 13 Oct 1999 09:43:28 -0400

For "secure" access THRU the firewall, the suggestions made by Joe are probably it (OWA or IMAP/POP thru SSL w/OE).

If you want to use the full Outlook client, there is NO SECURE way to go thru the firewall ... you would have to open 
up ports 135, 137, 138, 139 and whatever ports the Exchange services are using. You can fix Exchange to use specific 
ports (see KB articles Q155831 and Q148732).
See KB article Q176466 for Exchange ports in general.

What we have done at a customer site who wants full Outlook access to Exchange from outside the firewall is set up a VPN
that is in parallel. Trusted users can VPN in to the building and now appear to be inside ... they can run Outlook no
problem.

Dave Goldsmith

---------- Original Message ----------------------------------
From: "Carson, Joe" <JCarson () smartronix com>
Reply-To: "Carson, Joe" <JCarson () smartronix com>
Date: Tue, 12 Oct 1999 14:18:39 -0400

Dan,

  If you simply need client access, try Outlook Web Access using SSL.  I
have not heard of any issues with it "yet".  It sounds like you already
tunnel certain protocols into your network.  You could do the SSL directly,
or you could possibly tunnel the SSL connection through the SSH port
redirector.  There are a lot of unknowns there such as: What operating
systems and SSH clients are you using, Can you get the SSH authentication
front end to work with OWA, Have you looked at other VPN alternatives....

  If your users need the Outlook Express client, MS Exchange can encapsulate
IMAP and POP3 within SSL.  I strongly recommend that you research these
services before implementing them within your security architecture.  I only
know of their availability, but have not tested them myself.

  Anyone else want to weigh in here?

  Be very careful! 

Joe

Joe Carson
CCNA, CCDA
Senior Network Security Engineer
Smartronix, Inc.
======================================================================
Original Message:
How do folks work access to an MS Exchange server through a firewall?

We are under pressure to install MS Exchange in our mixed unix/NT
environment and allow access from outside our local network.

I checked the archives and didn't find anything that helped me.

Currently we limit outside access from the Internet to ssh to a unix host.
Port forwarding makes it possible to do all of the things that have been
required in the past. But now the folks on the sales side of the company
want to have MS Exchange installed so they can use its calendaring and
other functions.

We have attempted to use the port forwarding to make exchange work and we
have also tried Lotus Notes. No luck. Maybe we have missed something. This
would be our preferred approach.

So we are now looking for a firewall solution to this problem. Have any of
you out there encountered this problem? How did you solve it?

Thanks.

/dan

-- 

Dan Schlitt
schlitt () world std com



