Security Basics mailing list archives

RE: Exchange Server and External Access


From: "Gregory M. Brown" <gbrown () alvalearning com>
Date: Sat, 23 Aug 2003 23:55:37 -0600

Hello...
I did this very thing today.  It's all quite simple.  
 
You need to set up a VPN.  Period.  There are many variations and flavors of VPN out there.  The MS solution is free.  
We are using the VPN solution from our firewall provider.  It required license purchasing that was completely 
reasonable.  My Exchange box that lives behind the firewall is configured for DHCP and NAT runs on the firewall.  There 
is a static mapping in DHCP (within scope) in the private 10.x.x.x range for the Exchange box.
 
DSL, Cable Modem, other high speed access solution:
Once the VPN tunnel is alive, simply have the Outlook client configured for yourmailserver in the Exchange properties 
within Outlook.  When a user clicks on their Outlook icon they will get their full experience.  VPN makes it as though 
they are on the LAN at the office.  If the remote users are using company configured machines, you don't need to do 
anything, other than configure VPN.  It may seem a little slower or faster than in the office.  It all depends on your 
access speed.
 
Dial Up:
Have the users dial up their ISP.  They should then connect their VPN tunnel.  Instruct them to use their browser to 
access OWA.  (Yep, ya gotta configure OWA.)
 
Please note that the key here is VPN.  The only ports you need to concern yourself with are VPN ports.  MS VPN needs 
1723, 53 (GRE) and 47 (IKE).  I hope I didn't mix those up!  My firewall needed only 2 ports opened.  Simply get the 
info from your vendor.  Since VPN is extremely secure, the need for an SSL certificate on OWA becomes moot.
 
Turn POP3 off.  That's right.  Right click POP3 and disable it.  End of issue.
 
The DMZ should only be populated with a smart host.  You can set up a MS SMTP server in the DMZ with a dedicated SMTP 
connector to Exchange.  In this capacity all port 25 traffic will go to the SMTP box first.  After all anti-spam and 
anti-virus software has had its way with inbound or outbound traffic, the mail is then delivered.  This is a completely 
respected deployment.  SMTP comes free with any MS 2000 OS (NT 4 as well).  The Exchange front end/back end idea is 
all cool, but ya gotta deal with MS Exchange licensing.  Just be sure to turn off every non-relevant service on the 
SMTP smart host.  The smart host deployment is great for anti-spam and anti-virus services.  My next task is to deploy 
just such a configuration.  I currently have CA running on my Exchange box.  CA was on top of those viruses last week.  
I had no problems.  My hat is off to them!  
 
That's how I did it.  This mail is proof it works.
gb

        -----Original Message----- 
        From: salgak () speakeasy net [mailto:salgak () speakeasy net] 
        Sent: Fri 8/22/2003 1:39 PM 
        To: Cherian M. Palayoor; security-basics () securityfocus com 
        Cc: 
        Subject: Re: Exchange Server and External Access
        
        

        > -----Original Message-----
        > From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
        > Sent: Friday, August 22, 2003 05:25 PM
        > To: security-basics () securityfocus com
        > Subject: Exchange Server and External Access
        >
        > Hi,
        >
        > We presently use the Std edition of Exchange 2000 as a mail server for our
        > internal users, behind the Firewall.
        >
        > However we would like to grant mailbox access to external users outside the
        > Firewall.
        >
        > What would be the most secure and efficient method of accomplishing this?
        
        Several things come to mind.
        
        1. Leave it behind your firewall: use Outlook Web Access (OWA).  You'll have to tighten down the IIS security 
on the Exchange box, and as I recall, also open up the NNTP port to the Exchange box.  So you ALREADY have 25 open to 
the world through the firewall: you'd be adding 80, possibly 443 (been a while since I set up OWA) and 119.
        
        2. Move it to the DMZ: run it as a POP3 server: allow internal and external clients to access it via POP3.  I'd 
also lock it down hard.  You'll have to allow 137-139 TCP and UDP, as well as 53 UDP from inside to the Exchange box in 
the DMZ, to allow it to communicate with the Domain Controller.  This is not a recommended solution, but could be made 
to work.  BTW, I hope your Exchange box is NOT a domain controller. . .always a bad choice. . .
        
        3. Variant of #1: instead of OWA setup, do a POP3 setup to the outside world.
        To lock it down, use POP3 over SSL (port 995, I think. . .)  The client config is a bit detailed, I've never 
tried this. . .
        
        > One stream of thought that I have been entertaining is having a separate
        > Exchange/Mail  Server on the DMZ.
        
        Bad idea.  You'd need Enterprise Edition of Exchange 2K to synch the servers. . .
        
        
        
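As an added check that is not code from the thread, a small Python audit of Internet-facing firewall permits against the "VPN only" design described in the top post: PPTP to the VPN gateway, SMTP to the DMZ smart host, and nothing else reachable directly. The rule-line format, the TEST-NET addresses and the parse_rule/audit/run_audit names are constructed for this example; PPTP itself uses TCP 1723 plus GRE, which is IP protocol 47.

```python
# Audit Internet-facing firewall permits against the thread's "VPN only" Exchange
# design.  Rule lines, addresses and function names below are constructed.
from dataclasses import dataclass
from typing import Optional

INTERNET = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "gre"
    src: str             # source CIDR
    dst: str             # destination host
    port: Optional[int]  # None for port-less protocols such as GRE

def parse_rule(line: str) -> Rule:
    """Constructed format: 'allow tcp 0.0.0.0/0 -> 203.0.113.10:1723'."""
    action, proto, src, _arrow, dst = line.split()
    host, _, port = dst.partition(":")
    return Rule(action, proto, src, host, int(port) if port else None)

def audit(rules: list, vpn_gw: str, smart_host: str) -> list:
    # PPTP needs TCP 1723 plus GRE (IP protocol 47); IKE/UDP 500 is IPsec, not PPTP.
    expected = {("tcp", vpn_gw, 1723), ("gre", vpn_gw, None), ("tcp", smart_host, 25)}
    findings = []
    for r in rules:
        if r.action != "allow" or r.src != INTERNET:
            continue  # only permits from the Internet matter here
        if (r.proto, r.dst, r.port) in expected:
            continue
        if r.port in (110, 995):
            findings.append(f"POP3 exposed on {r.dst}:{r.port}; design says POP3 off")
        elif r.port in (80, 443):
            findings.append(f"OWA exposed on {r.dst}:{r.port}; design serves OWA over VPN only")
        else:
            findings.append(f"unexpected exposure {r.proto} {r.dst}:{r.port}")
    return findings

# Constructed sample rule set (TEST-NET-3 addresses) with one stale POP3 permit.
SAMPLE_RULES = [
    "allow tcp 0.0.0.0/0 -> 203.0.113.10:1723",
    "allow gre 0.0.0.0/0 -> 203.0.113.10",
    "allow tcp 0.0.0.0/0 -> 203.0.113.25:25",
    "allow tcp 0.0.0.0/0 -> 203.0.113.10:110",
    "allow tcp 10.0.0.0/8 -> 203.0.113.10:443",
]

def run_audit() -> list:
    rules = [parse_rule(line) for line in SAMPLE_RULES]
    return audit(rules, vpn_gw="203.0.113.10", smart_host="203.0.113.25")
```

Running run_audit() against the sample flags only the stale POP3 permit; the internal-only 443 rule and the expected PPTP and SMTP permits pass.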

