Windows Firewall and Exchange 2003

  • Thread starter: Guest

I support about 75 remote users using XP Pro SP2. They all have Outlook 2003
as their e-mail client. How can I configure Windows Firewall to accept
communications from our Exchange 2003 server?
 
SP2 Firewall doesn't block outbound, so it's got to be something else.

I hope you're not using Outlook over the Internet using RPC. If you set up a
PPTP connection for the users and let them VPN into the server they can
securely use Outlook from anywhere and get full access to all features.

Many ISPs block the ports used by Outlook when doing remote connections
to Exchange servers using the Exchange connector - instead of POP/SMTP.
 
Depends on how they're connecting.

Since Windows firewall doesn't do outbound filtering, I can't see it
blocking any of the connection types, since they all involve the client
initiating the connection (POP3, IMAP, SMTP, RPC/HTTPS).

With a bit more detail, we should be able to help you.

Matt Gibson - GSEC
 
Why not use Outlook over RPC/HTTPS?

Because as many people found out about a year ago, ISPs block some of the
ports needed to implement it based on massive outbreaks. It was simple for
people that used proper VPNs to continue working, but the RPC people had
to scramble to find alternative solutions.

I've never seen anyone go wrong with doing it over a VPN, but I've seen
many have problems over RPC.
 
We are using a VPN client and outbound is fine, the problem is that the users
are not able to download e-mails unless they turn the firewall off then back
on. Not all users experience this problem but a lot of them do.

Interesting, I've seen this mentioned a couple of times when the CISCO VPN
client was being used - but I've not seen it when the PPTP VPN client was
used.

So, the problem is actually different than first described - some users
have to disable the firewall and re-enable it when using your VPN client.

What is showing in the server's/appliance's firewall logs?
 
I think you're quite mistaken.

Outlook over RPC/HTTPS only uses port 443. I'd like to see an ISP that
blocks that.

Matt Gibson - GSEC
 
It could be that over HTTPS is a viable option - I've not tried that
method as we've always used VPNs and they've always worked.

I can remember people trying RPC over HTTP and it not working, so I
assumed that it would be the same over HTTPS. I have no problem being
wrong if I am - thanks for letting me know.
 
No worries.

I've got 2 clients using RPC/HTTPS for their outside sales guys, and so far
haven't run up against any issues. I feel it's more secure than most VPN
setups, as if their machine is infected with what have you, I don't have to
worry about terminating their VPN in a DMZ to prevent my network from
getting infected.

Matt Gibson - GSEC
 
That would be a good option, but don't they need access to files too?

Every office we install wants access to the servers, not just their email.
We set up the laptops with them as user level accounts, force Firefox on
them and use a corporate level AV product that the users can't control. So
far we've not had one compromised system.

I'll take a spare E2003 server this weekend and test RPC/HTTPS and see how
it works for us - thanks for the idea.
 
For these guys, they usually stay pretty separate from head office in terms
of files.

If I "needed" to do VPN, I'd probably stuff a Fortigate in, so I wouldn't
worry so much about the tunnels back to HO.

You should like RPC/HTTPS...I'm always surprised just how well it works.

Matt Gibson - GSEC
 