Educause Security Discussion mailing list archives

Re: Windows XP ICF and Outlook XP


From: Jason Richardson <a00jer1 () WPO CSO NIU EDU>
Date: Fri, 7 May 2004 19:12:19 -0500

Jake, we discovered the same kind of problem with ICF and Groupwise Busy
Search - users could not use busy search with ICF enabled because it
didn't use the same port every time and ICF is not an application based
firewall.  I think that XP SP2's ver. of ICF will solve your problem
because it can do more of an application based firewall and you've seen
that already with the machine that you are testing on - it also works
with GW busy search.  I wouldn't worry too much about forcing Exchange
to use static ports by hacking the registry if the process is
documented, but it might be more painless to wait for SP2 which is
already a release candidate so it shouldn't be much longer.

Good luck,

---
Jason Richardson, J.D., CISSP, CISM, CNE
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

jkbarros () GRACE EDU 5/7/2004 5:12:28 PM >>>
We'd like to start deploying Windows XP using the built in Internet
connection firewall campus wide, but in testing noticed that our Outlook
XP clients are not 'automatically' sending or receiving mail.  When you
manually send/receive or navigate between any folders within the
exchange mailbox, mail flow is fine.  Right now we have Outlook clients
set to send / receive every minute, and that works, but users are
complaining.

After reading a post on the Neohapsis archive, we've used TCP view and
found that the Exchange server makes UDP connections with each client
when started.  The problem is that the UDP port(s) it uses are never the
same.  Windows ICF isn't configurable to the point of including
wildcards, nor can I set it to except all traffic from a specific host.
At least I don't know a way.

Microsoft sort of acknowledges that it's a problem. Their fix is to
change the Exchange server to only communicate on static ports... which
makes sense but scares me because it's a registry hack.
http://support.microsoft.com/default.aspx?kbid=270836

Anyone using this configuration? Can I anticipate my Exchange server to
panic if I hack the registry?  Client problems? Has anyone tried it?

Do you even view this as a problem? Is this a legitimate issue or should
I just tell my users to deal?  I want to make security as painless as
possible but I also don't mind telling them that this is just the way
that it will be.

Any advice, technical or interpersonal, would be helpful.



In a semi-related note I have a pre-release of XP sp2 loaded and running
on my desktop and I think it's great.  Includes a built in pop-up
blocker in IE, the ICF is a BIG step up from sp 1, and it hasn't locked
or choked at all.  Only issue I've seen is the one mentioned above.
Anyone else have input?



Jake Barros
Grace College




**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
